Keys to a Great API Security Solution
This article explains API security and why cybersecurity is so critical for APIs today.
So, do you think your APIs are secure?
You might want to take another look at your security.
Figure 1: What is API security?
APIs are everywhere, and API Security is of the utmost importance for every organization. According to a recent Gartner CIO and Technical Executive survey, Cyber and Information security are at the top of the list for planned investments.
As someone who has spent my entire career in APIs and Internet applications, I have seen first-hand the vulnerabilities that can exist with APIs.
So, let’s start with the basics.
What Is API Security?
The simple answer is that it is about applying and managing security for your APIs, but we all know there is nothing simple about API Cybersecurity.
Figure 2: War Games film
In 1983, a movie called War Games was released in theaters. You may have never heard of the film, but it was about a boy, David, played by Matthew Broderick. He hacks into NORAD’s Military Computer System and accidentally ALMOST starts World War III. The movie got the attention of the most powerful man in the world at that time.
According to journalist Fred Kaplan, after seeing a special screening of the movie “War Games,” then-President Ronald Reagan asked the U.S. Military Joint Chiefs of Staff if something like this could really happen. He asked, “Could someone just break into our most sensitive computers?” A week later, the general’s response was:
"The problem is much worse than you think."
From that moment on, U.S. Cybersecurity and Defense policy would never be the same.
Fast forward almost 40 years, and everyone with a smartphone has a computer more powerful than any supercomputer that existed at that time. YouTube is now full of free videos and training on how to code and become a serious developer (or a hacker). That means that almost anyone, from anywhere, in any country, could be trying to get into your APIs and systems TODAY. Everyone needs to be educated and prepared to defend against API attacks, malicious or not.
Most don’t understand that API security starts with humans, not computers.
Suppose someone puts their password on a sticky note attached to their monitor. In that case, it doesn’t matter how many security checks you do, how much security code you have in place, or what different security products you have installed.
However, there are many things that you can do to protect yourself and minimize damage from this and other forms of social hacking.
OWASP Top 10 List for APIs
One thing you might have heard of and need to pay attention to is OWASP.
OWASP is the Open Web Application Security Project.
It’s an international non-profit organization dedicated to web application security.
They are probably most well-known for their recurring Top 10 list of Web Vulnerabilities.
But in addition to their lists of web vulnerabilities, they also came out with a Top 10 list for APIs. It is a few years old, but these are still important factors to consider with your API Security.
The latest OWASP API Security Top 10 list includes:
- API1:2019 Broken Object Level Authorization
- API2:2019 Broken User Authentication
- API3:2019 Excessive Data Exposure
- API4:2019 Lack of Resources & Rate Limiting
- API5:2019 Broken Function Level Authorization
- API6:2019 Mass Assignment
- API7:2019 Security Misconfiguration
- API8:2019 Injection
- API9:2019 Improper Assets Management
- API10:2019 Insufficient Logging & Monitoring
Inside these topics, you will discover even more details that you need to be familiar with and understand.
- API Keys
- API Logging
- API Injections
- API Hackers
- Zero Trust APIs
- Shadow APIs
- API Access Control
- API Security Testing
- OAuth and OpenID Connect
- Identity and Access Management
- Multi-Factor Authentication
- API Observation
- API Threat Detection
- And more...
You can arm yourself with some key weapons to defend your systems from attacks by API Hackers and intruders. The core of your API cybersecurity strategy will be an API Gateway. An API Gateway can protect against many things, including Denial of Service attacks. Gateways can also offer API Monitoring, Logging, and API Rate Limiting. They can restrict traffic based on IP addresses and other metadata, handle security token validation, etc. The API Gateway makes it easy to create, maintain, monitor, and secure your APIs.
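The three gateway functions named above (IP-based restriction, security token validation, and per-client rate limiting, the latter addressing OWASP API4:2019) condensed into one policy check, as an added example that is not code from the article or from any gateway product. The signing key, the blocked IP, the limits, and the `client|expiry|hmac` token layout are constructed assumptions for illustration.

```python
# Added example: a minimal API-gateway policy decision. Order matters: the
# cheapest check (IP) runs first, the token is verified before any per-client
# state is touched, and only authenticated clients consume rate-limit budget.
import hashlib
import hmac
from collections import deque
from typing import Deque, Dict, Optional, Tuple

SECRET = b"gateway-signing-key"       # constructed sample key (use a real secret store)
BLOCKED_IPS = {"203.0.113.9"}         # constructed sample entry (documentation range)
LIMIT, WINDOW = 5, 60                 # at most 5 requests per client per 60 seconds

_windows: Dict[str, Deque[float]] = {}   # client id -> timestamps of recent requests


def sign_token(client_id: str, expires_at: int) -> str:
    """Issue a token of the form 'client|expiry|hmac' (simplified stand-in for a JWT)."""
    body = f"{client_id}|{expires_at}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def validate_token(token: str, now: float) -> Optional[str]:
    """Return the client id if signature and expiry check out, otherwise None."""
    try:
        client_id, expires_str, mac = token.split("|")
        expires_at = int(expires_str)
    except ValueError:                       # malformed token: wrong field count or expiry
        return None
    expected = hmac.new(SECRET, f"{client_id}|{expires_str}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time compare against forgery
        return None
    if now >= expires_at:                    # reject expired tokens
        return None
    return client_id


def allow_request(token: str, source_ip: str, now: float) -> Tuple[bool, str]:
    """Gateway decision for one request: (allowed, reason)."""
    if source_ip in BLOCKED_IPS:
        return False, "ip-blocked"
    client_id = validate_token(token, now)
    if client_id is None:
        return False, "invalid-token"
    window = _windows.setdefault(client_id, deque())
    while window and window[0] <= now - WINDOW:  # drop requests older than the window
        window.popleft()
    if len(window) >= LIMIT:
        return False, "rate-limited"         # budget exhausted; request is not recorded
    window.append(now)
    return True, "ok"
```

Each denial carries a reason string so the gateway can log it, which is what the monitoring and logging functions described above depend on.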
Web Application Firewalls (WAF)
A Web Application Firewall (WAF) stands between the public traffic and your API Gateway or application. A WAF can give you some additional protection against things like bots by using security rules, machine learning, and sometimes, artificial intelligence. It can provide malicious bot detection, identify attack signatures, and provide additional IP Intelligence. A WAF can block malicious traffic before it even reaches your Gateway.
Standalone Security Products
Then there are also stand-alone security products. These products support features that can be broken down into real-time protection, static code analysis, vulnerability scanning, build-time checking, and security fuzzing.
Many of the security products in the market will support features in some or all of these categories.
Security in Code
Last, we have security implemented within the APIs or applications themselves. I will not go into this very much in this article. Still, I will point out that the resources required to ensure that all the security is implemented correctly in your API code can be difficult to apply consistently across your entire API Portfolio.
It is important to remember that security is a moving target with any security feature or product. You want to know that the product (or products) you use will stay up to date in protecting you against the latest vulnerabilities.
But doesn’t an API Gateway implement “Security as a Feature”? Yes. And it is a critical part of your API Management security strategy. API Gateways integrate with and work well with standalone API security products and Web Application Firewalls to provide solid and comprehensive protection for your APIs. Leaving out the core part of your security strategies, such as an API Gateway, a component that probably knows more about your APIs and the context of your traffic than any other system, is a terrible idea.
Suppose your only focus is on using Web Application Firewalls or external security products, and you ignore (or misconfigure) the protection provided by your API Gateway security. In that case, you could be leaving yourself wide open for an attack.
Don’t leave yourself vulnerable!
API Security Black Box?
This only reinforces that there is no one-size-fits-all solution for API Cybersecurity. You can’t just buy an “API Cyber Security black box” from Best Buy, plug it in, and suddenly everything is protected.
To implement a proper security solution for APIs, it is essential to understand your APIs, the 3rd-Party APIs you use, and the functionality and value your APIs add to your organization. This will help you better grasp how API Security ties into integrations with your partners and users. API Security is still one area that will require you to spend some time and resources to ensure it is implemented (and CONTINUES to be implemented) correctly.
Security for API Integrations
When looking at your API ecosystem, don’t forget about API Integrations and the 3rd Party APIs you will be integrating with. If these 3rd Party APIs or the integrations themselves are insecure, your data, internal systems, and APIs could be compromised. Using a solid API Integration solution with a proven track record can protect your API Integrations and work seamlessly with your API Gateway platform.
Educate and Equip
To better equip organizations and individuals to protect themselves and their APIs, we’ve created a new series called API Cybersecurity 101. This series of videos and blog posts aims to educate and equip everyone from developers to executives with the resources you need to shield and protect your APIs. You can check out our API Cybersecurity video series on YouTube:
Published at DZone with permission of Brenton House, DZone MVB. See the original article here.