
Getting Started with API Security

APIs present many security challenges, yet it is common for APIs built for use within project teams to have little or no security architecture or design. APIs are channels into application systems, so unsecured APIs are a serious security risk.

When getting started with API security consider the following API security risks:

  • APIs are a conduit into systems
  • HTTP verbs and parameterization create a large attack surface
  • APIs closely mirror the methods and data models of the underlying system, exposing it
  • Identity for non-human entities and the identities they relate to (e.g. a phone)
  • Poor API security practices – sharing keys, weak ciphers, security through obscurity
  • No security lifecycle management (limitations, revocation, audits)

We recommend using an API proxy or gateway to abstract the behavior and data formats of the API from external users and to limit the attack surface by exposing only what is needed. API gateways can also implement a formal security Policy Enforcement Point (PEP). The PEP resides in the DMZ, which isolates the external network from the internal one running the APIs. The API gateway can also be integrated with an identity and access management system.

Consider the following steps to get started with API security:

  • Use proven API security frameworks and solutions
  • Reduce the attack surface by exposing only what is needed
  • Use discrete error messages (don’t give hackers clues in the error messages)
  • Use a secure transport such as SSL and PKI to manage digital certificates
  • Control access – e.g. Mutual authentication SSL, HTTP basic authentication, OAuth
  • Enforce a strict interface (validate protocol, resource, method, parameters, schema)
  • Validate input parameter values
  • Rate limits not to exceed capacity
  • Monitor, log and audit
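The following is an added example, not code from the original post, showing how a gateway-side policy enforcement point can apply several of the steps above in one place: a strict interface allowlist (method, resource, parameter schema), input validation, per-client rate limiting, generic error responses, and an audit log that keeps the detail. The endpoints, parameter patterns and rate-limit values are constructed for illustration.

```python
"""Minimal policy-enforcement point modelled on the checklist above (added example)."""
import re, time, logging
from collections import defaultdict, deque

log = logging.getLogger("api-pep")

# Strict interface: only these (method, path pattern) pairs are exposed, each with
# a parameter schema. Anything else is rejected before it reaches the internal API.
ALLOWED = {
    ("GET", re.compile(r"^/v1/orders/(\d{1,10})$")): {},
    ("POST", re.compile(r"^/v1/orders$")): {"sku": r"^[A-Z0-9-]{3,20}$", "qty": r"^[1-9]\d{0,2}$"},
}
RATE_LIMIT, WINDOW = 5, 60          # 5 requests per 60 s per client (constructed values)
_hits = defaultdict(deque)          # client_id -> timestamps inside the current window

def _rate_limited(client, now):
    q = _hits[client]
    while q and now - q[0] > WINDOW:   # drop timestamps that fell out of the window
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False

def enforce(request, now=None):
    """Return (status, body). Bodies are deliberately generic; detail goes to the audit log."""
    now = time.time() if now is None else now
    client = request.get("client_id")           # identity established by the gateway/IAM
    if not client:
        log.warning("reject: missing client identity")
        return 401, {"error": "unauthorized"}
    if _rate_limited(client, now):
        log.warning("reject: rate limit exceeded for %s", client)
        return 429, {"error": "too many requests"}
    method, path, params = request.get("method"), request.get("path", ""), request.get("params", {})
    for (allowed_method, pattern), schema in ALLOWED.items():
        if method == allowed_method and pattern.match(path):
            if set(params) != set(schema):      # no missing and no unexpected parameters
                log.warning("reject: parameter set %s for %s", sorted(params), path)
                return 400, {"error": "bad request"}
            for name, rx in schema.items():      # validate each parameter value
                if not re.match(rx, str(params[name])):
                    log.warning("reject: parameter %s failed validation", name)
                    return 400, {"error": "bad request"}
            log.info("allow: %s %s %s", client, method, path)
            return 200, {"ok": True}
    log.warning("reject: %s %s is not an exposed resource", method, path)
    return 404, {"error": "not found"}
```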

It is best to use proven security patterns (based on use cases such as an external user calling an internal API) together with frameworks and reference applications that implement those patterns. This makes it easy for development teams to follow API security standards. API gateways are a proven approach to securing APIs. They provide many features, such as a developer portal, but security is always an attractive selling point.


Eric Roch, Chief Strategist, IT Modernization & Integration
