1. Use Strong Encryption to Back Up HTTPS
Most API traffic travels over the open internet using HTTP, the same protocol that supports web traffic. These days, no security-minded organization would run a website handling sensitive information without implementing HTTPS, the encrypted version of the protocol. The same should be true for APIs.
However, it’s not enough to simply verify that API URLs begin with HTTPS. Organizations should double-check to make sure that the API endpoint supports only the secure transport layer security versions 1.2 and 1.3.
Endpoints should explicitly block older versions of TLS as well as the insecure SSL protocol to prevent attackers from eavesdropping on sensitive API communications.
2. Require Authentication Even for Known Users
Almost all APIs should require authentication before granting users access to information or allowing them to perform transactions. While some APIs may be intended for open, public access, the vast majority should be restricted to authenticated users.
The most common way to achieve this is to use an API access key, which serves as a password. The API key is sent with every request and is used to validate a user’s identity and confirm access authorization.
API keys must be protected from unauthorized disclosure, just as organizations protect and manage sensitive passwords. Organizations that have lost control of their cloud service provider’s API keys have had their accounts taken over by cryptocurrency miners. Bills for this fraudulent use can quickly run into the tens of thousands of dollars.
3. Control Request Frequency and Prevent Accidental Data Logjams
Not all API attacks have malicious intent. Sometimes a single, authorized user with ambitious plans can overwhelm an API with a flood of requests designed to retrieve large amounts of information, rapidly check changing prices or probe for available inventory. Left unchecked, these requests can exceed the available capacity of back-end servers and render the API inaccessible to other legitimate users.
Organizations offering APIs to customers and the public should implement situation-specific rate limiting, which throttles user requests to whatever level the organization deems appropriate. These limits may vary for different types of users and should take into account the overall capacity of the service. Some rate limits may only go into effect during periods of high demand.
4. Conduct Frequent Security Tests to Watch for Vulnerabilities
APIs expose HTTPS endpoints to the world, and it is inevitable that adversaries will put them to the test, probing for security vulnerabilities. Security teams should include API endpoints in their application security testing efforts.
This should include predeployment testing, routine automated vulnerability scans and periodic penetration tests designed to ferret out security issues before they’re discovered by an attacker.
Fortunately, many of the application security assessment tools that cybersecurity teams use to test web applications are also capable of performing API probes. It just takes some effort from the team to configure the scans up front and monitor their progress.
When scans detect potential API security issues, those results should feed automatically into the organization’s vulnerability management workflow.