Getting Started with API Security

APIs present many security challenges, however it is common to have little or no security architecture or design for APIs built for use within project teams. APIs are channels into application systems so unsecured APIs are a huge security risk.

Choosing a Global Software Development Partner to Accelerate Your Digital Strategy

To be successful and outpace the competition, you need a software development partner that excels in exactly the type of digital projects you are now faced with accelerating, and in the most cost effective and optimized way possible.

Get the Guide

When getting started with API security consider the following API security risks:

• APIs are a conduit into systems
• HTTP verbs and parameterization creates a large attack surface
• APIs closely match methods and data models exposing the underlying system
• Identity with non-human entities and relevant identities (e.g. phone)
• Poor API security practices – sharing keys, weak ciphers, security through obscurity
• No security lifecycle management (limitations, revocation, audits)

We recommend using an API proxy or gateway to abstract the behavior and data formats of the API to external users and limit the attack surface area by exposing only what is needed. API gateways can also implement a formal security Policy Enforcement Point (PEP). The PEP resides in the DMZ which isolates the external network from the internal one running the APIs. The API gateway can also be integrated with an identity and access management system.
Consider the following steps to get started with API security:

• Use proven API security frameworks and solutions
• Reduce the attack surface by exposing only what is needed
• Use discrete error messages (don’t give hackers clues in the error messages)
• Use a secure transport such as SSL and PKI to manage digital certificates
• Control access – e.g. Mutual authentication SSL, HTTP basic authentication, OAuth
• Enforce a strict interface (validate protocol, resource, method, parameters, schema)
• Validate input parameter values
• Rate limits not to exceed capacity
• Monitor, log and audit

It is best to use proven security patterns (based on use cases like external user to internal API) with frameworks and reference applications that implement the patterns. This makes it easy for development teams to follow API security standards. API gateways are a proven approach to securing APIs. API Gateways provide many features, like a developer portal, but security is always an attractive selling point.