Do More to Protect Your Application Programing Interfaces

1. Use Strong Encryption to Back Up HTTPS

Most API traffic travels over the open internet using HTTP, the same protocol that supports web traffic. These days, no security-minded organization would run a website handling sensitive information without implementing HTTPS, the encrypted version of the protocol. The same should be true for APIs.

However, it’s not enough to simply verify that API URLs begin with HTTPS. Organizations should double-check to make sure that the API endpoint supports only the secure transport layer security versions 1.2 and 1.3.

Endpoints should explicitly block older versions of TLS as well as the insecure SSL protocol to prevent attackers from eavesdropping on sensitive API communications.

2. Require Authentication Even for Known Users

Almost all APIs should require authentication before granting users access to information or allowing them to perform transactions. While some APIs may be intended for open, public access, the vast majority should be restricted to authenticated users. 

The most common way to achieve this is to use an API access key, which serves as a password. The API key is sent with every request and is used to validate a user’s identity and confirm access authorization.

API keys must be protected from unauthorized disclosure, just as organizations protect and manage sensitive passwords. Organizations that have lost control of their cloud service provider’s API keys have had their accounts taken over by cryptocurrency miners. Bills for this fraudulent use can quickly run into the tens of thousands of dollars.

WATCH: Learn how identity and access management can limit risk. 

3. Control Request Frequency and Prevent Accidental Data Logjams

Not all API attacks have malicious intent. Sometimes a single, authorized user with ambitious plans can overwhelm an API with a flood of requests designed to retrieve large amounts of information, rapidly check changing prices or probe for available inventory. Left unchecked, these requests can exceed the available capacity of back-end servers and render the API inaccessible to other legitimate users.

Organizations offering APIs to customers and the public should implement situation-specific rate limiting, which throttles user requests to whatever level the organization deems appropriate. These limits may vary for different types of users and should take into account the overall capacity of the service. Some rate limits may only go into effect during periods of high demand.

4. Conduct Frequent Security Tests to Watch for Vulnerabilities

APIs expose HTTPS endpoints to the world, and it is inevitable that adversaries will put them to the test, probing for security vulnerabilities. Security teams should include API endpoints in their application security testing efforts. 

This should include predeployment testing, routine automated vulnerability scans and periodic penetration tests designed to ferret out security issues before they’re discovered by an attacker.
Fortunately, many of the application security assessment tools that cybersecurity teams use to test web applications are also capable of performing API probes. It just takes some effort from the team to configure the scans up front and monitor their progress.

When scans detect potential API security issues, those results should feed automatically into the organization’s vulnerability management workflow.

Click the banner to learn more about becoming an Insider.

5. Ensure Web Application Inputs Are Valid

No sane developer would deploy a web application in today’s world without performing input validation. It’s common knowledge that attackers will probe the limits of any web application, using unexpected input to perform SQL injection, cross-site scripting and other web application attacks.

APIs are also vulnerable to many of the same issues, and they should also be protected with input validation routines. In the best case, developers should use an “allow list” approach that specifies exactly the type and quantity of data allowable for any API input variable. At a minimum, they should implement a “deny list” approach that blocks potentially malicious input.

6. Employ API Gateways to Consolidate Secure Monitoring

Securing and monitoring APIs is difficult work. API gateways are specialized platforms that consolidate this work, allowing developers and security teams to centrally create and enforce security policies. Gateways also relieve developers of a significant portion of the security burden by providing authentication, authorization, rate limiting and other security controls to the APIs they service. Organizations with significant investments in customer-facing APIs should strongly consider using API gateways if they are not already doing so.

APIs are incredibly powerful tools that can help an organization advance its business goals and better integrate with customers, vendors and business partners. However, these tools also open up the organization’s technology infrastructure, requiring careful security measures to protect sensitive information and systems. Organizations using APIs should carefully assess the state of their API security controls and implement an ongoing API security program.