API Security Best Practices: 10 Essential Ways to Secure Your IT Infrastructure
An application programming interface (API) is a component that links two applications together and allows them to communicate.
APIs are essential for digital innovation because they save companies from having to develop desired functionality themselves: they can integrate an existing application through its API instead.
For example, to incorporate a map into their application, they can use the Google Maps API and avoid the time and expense of creating their own.
Meanwhile, the API developer can charge for the use of its API to generate revenue or, in the case of Google Maps, for instance, benefit from additional brand exposure.
However, despite their immense benefits, APIs also present significant potential security risks.
By releasing a public, or open, API, an organisation gives third-party developers access to parts of its IT infrastructure.
But at the same time, if not properly secured, APIs grant the same access to cybercriminals, who can reach an organisation's systems directly or through the third parties that integrate with its APIs.
Let’s delve into API security best practices for mitigating the most common cyber threats caused by API usage.
What is API Security and Why is it So Important?
API security is the practice of protecting APIs from cybersecurity threats and, in the process, preventing malicious actors from accessing an organisation's IT infrastructure and its sensitive data.
API security is critical because when an organisation develops a public API, it can be integrated into an application by any third-party developer.
The bigger the organisation, e.g., Google, Uber, or Facebook, the higher the number of third-party integrations.
However, an organisation has no control over the security practices of the external organisations that use its APIs.
Consequently, if one of those partners suffers a breach, the attackers inherit whatever the partner held: its API keys, tokens and integration credentials. If the API those credentials point at is not properly secured, they become a route into your data and assets without the attackers ever having to attack your organisation directly.
Put another way, if your organisation releases an insecure public API for third-party developers to integrate with, your cybersecurity defences will only be as strong as those of the least secure organisation that integrates your API into its IT infrastructure.
Types of API cyberattacks
To fully appreciate API security best practices, it’s important to understand the most frequent security risks faced by APIs.
Here are some of the most common cyberattacks that malicious actors launch against APIs:
- Denial of Service (DoS)/Distributed Denial of Service (DDoS) Attacks: a DoS attack sees a malicious actor flood a server with API requests, rendering it unavailable for legitimate users. A DDoS attack puts even more strain on a server because it is launched from a botnet, a group of compromised devices under a hacker's control. A botnet can make far more calls in a shorter time, from many source addresses at once, which makes the attack harder both to detect and to mitigate.
- Stolen Authentication: when an attacker obtains a credential, e.g., an API key or bearer token, whether by phishing, by finding it committed to a repository, or by reading it out of a log file or a mobile app, and can then call the API with the same access as the legitimate client.
- Man-in-the-Middle (MitM) Attacks: a malicious actor sits between a client and server and intercepts API calls. This can allow them to steal the data being transmitted or hijack the client's session, impersonating the client to access data or other server-side resources.
- Injection Attacks: these exploit poor input validation, or a complete lack of it, to supply data that the application ends up interpreting as code or query syntax. The two most common types are SQL injection and cross-site scripting (XSS).
An SQL injection attack places crafted input into a database query that is assembled from request data without parameterisation, letting the attacker extract sensitive data or bypass admin logins. XSS attacks, on the other hand, see a hacker submit script through an API that is later rendered in another user's browser, which they can use to act as that user or redirect them to a malicious site.
The Open Worldwide Application Security Project (OWASP) is an organisation that produces information and tools designed to spread up-to-date information about web security threats and how to combat them.
Their work includes the OWASP Top 10 API Security Risks (2019 and 2023 editions so far), which they publish periodically to educate people on the most prevalent API security risks and best practices for their mitigation.
10 API Security Best Practices
- Conduct API Risk Assessments
The first, and arguably most important, API security best practice is carrying out comprehensive risk assessments for all the APIs within your IT infrastructure.
This will reveal the security posture of your API ecosystem and determine what you need to do to make it more secure.
There are three main steps to conducting API risk assessments:
- API discovery: you can't secure an asset you're unaware of, so the first step is creating an accurate inventory of your APIs and recording them in an API registry. Comparing the documented inventory with the endpoints actually being served will also reveal "shadow" and deprecated APIs that need to be removed, reducing the size of your organisation's attack surface, i.e., the set of entry points a malicious actor can try to exploit to breach your network.
- Mapping data flows: determining which services and resources each API provides access to and the sensitivity of the data it exposes. This not only gives you a clearer idea of the risk your organisation faces but also helps you prioritise which security policies and controls to strengthen or implement first.
- Assess current security measures: evaluate your current API security measures by reviewing the most common security risks, e.g., the OWASP API Security Top 10, and determining whether they sufficiently protect your APIs. This will reveal the weaknesses in your present API security posture and the policies and controls you must implement to best mitigate risk.
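The discovery step above is concrete enough to script. The following is an added example, not code from the original article: it reconciles a (constructed) OpenAPI excerpt against (constructed) gateway access-log entries and reports shadow endpoints that are served but undocumented, documented operations nobody calls, and deprecated operations still in use. In practice you would load your real spec and export the method/path pairs from your gateway or web-server logs.

```python
"""Reconcile the documented API surface against what is actually being served.

Added example, not code from the original article. The OpenAPI fragment and
the access-log paths below are constructed for illustration.
"""
import json
import re
from collections import Counter

# Constructed OpenAPI 3 excerpt: only the parts the inventory needs.
OPENAPI_DOC = json.loads("""
{
  "paths": {
    "/v1/accounts/{id}": {"get": {}, "delete": {"deprecated": true}},
    "/v1/accounts": {"get": {}, "post": {}},
    "/v1/reports/{year}": {"get": {}}
  }
}
""")

# Constructed gateway access-log extract: (method, path) per request.
OBSERVED = [
    ("GET", "/v1/accounts/101"), ("GET", "/v1/accounts/102"),
    ("POST", "/v1/accounts"), ("GET", "/v1/accounts"),
    ("GET", "/v0/accounts/101"),           # an old version nobody documented
    ("GET", "/internal/debug/config"),     # shadow endpoint left in the build
    ("GET", "/internal/debug/config"),
    ("DELETE", "/v1/accounts/102"),        # documented as deprecated, still used
]


def template_to_regex(template: str) -> re.Pattern:
    """Turn an OpenAPI path template into a regex: {param} matches one path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        parts.append("[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def build_inventory(doc: dict) -> dict:
    """{(METHOD, template): deprecated_flag} for every documented operation."""
    inventory = {}
    for template, operations in doc["paths"].items():
        for method, op in operations.items():
            inventory[(method.upper(), template)] = bool(op.get("deprecated", False))
    return inventory


def classify_traffic(doc: dict, observed: list) -> dict:
    """Bucket observed requests into documented hits and undocumented (shadow) calls,
    then derive the two lists a risk assessment cares about."""
    inventory = build_inventory(doc)
    matchers = {key: template_to_regex(key[1]) for key in inventory}
    hits, shadow = Counter(), Counter()
    for method, path in observed:
        for key, regex in matchers.items():
            if key[0] == method and regex.match(path):
                hits[key] += 1
                break
        else:                                  # no documented operation matched
            shadow[(method, path)] += 1
    unused = sorted(key for key in inventory if hits[key] == 0)
    deprecated_in_use = sorted(key for key, dep in inventory.items() if dep and hits[key] > 0)
    return {
        "shadow": dict(shadow),                # remove or document these
        "unused": unused,                      # candidates for retirement
        "deprecated_in_use": deprecated_in_use,  # plan the migration before removal
        "hits": dict(hits),
    }
```

Shadow endpoints are the interesting output: every one of them is an entry point that no risk assessment has covered. Run the comparison on a schedule, because an undocumented route is most often introduced by an ordinary deployment rather than by an attacker.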
It’s also important to note that API risk assessments are not a “one-and-done” event and should be conducted regularly.
As well as scheduling them periodically, e.g., annually, it's a security best practice to conduct them when:
- you suffer a security breach
- you update an API
- you add new APIs to your ecosystem
- you make changes to your IT infrastructure
- significant new security threats emerge
- Authentication and Authorisation
One of the most fundamental ways to secure an API is to manage who can access it, which requires robust authentication and authorisation procedures.
While these two concepts are often thought of interchangeably, they’re actually distinct processes.
Authentication is the act of verifying that a user is who they claim to be, while authorisation determines their access level, i.e., the resources they’re permitted to access and the actions they can carry out on said resource (read, write, delete, etc.).
Traditionally this was achieved with a basic username and password combination, but that meant a user's login credentials had to be shared with each third-party application that wanted to call the API on their behalf, presenting an additional security risk and compromising data privacy.
Instead, authentication and authorisation are now handled through token-based protocols, chiefly OAuth 2.0 and OpenID Connect.
OAuth 2.0 handles authorisation. The client obtains an access token (frequently, though not necessarily, a JSON Web Token, JWT) from an authorisation server and presents it with each API call. The token carries the user's "scope", which defines what the client may do on the user's behalf, and the API must verify the token's signature, issuer, audience and expiry before honouring that scope.
OpenID Connect sits on top of OAuth 2.0 and adds authentication: it tells the client who the user is, via an ID token, and is what enables single sign-on (SSO) through identity providers (IdPs) such as Google or Azure Active Directory (now Microsoft Entra ID).
By delegating sign-in to an IdP, an API never has to handle or store user passwords itself, which reduces both its data storage requirements and the damage a breach of the API can do.
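The verification the API has to perform on an access token is easy to get wrong, so here it is in full as an added example (not code from the original article or from any library). It assumes, hypothetically, HS256-signed JWTs with a secret shared with the authorisation server, an issuer of https://auth.example.test and an audience of https://api.example.test; many IdPs sign with RS256/ES256 and publish public keys instead, but the claim checks are identical. The `mint_token` helper exists only to construct inputs.

```python
"""Verify a bearer token at the API (resource server) and enforce scopes.

Added example, not code from the original article. All names below
(issuer, audience, secret) are hypothetical.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://auth.example.test"    # assumed authorisation server
AUDIENCE = "https://api.example.test"   # assumed identifier of this API


class TokenError(Exception):
    """Any failure below should produce HTTP 401; do not tell the caller which check failed."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Issue a compact JWT. Used only to construct inputs here: in production the
    authorisation server mints tokens, the API never does."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    if alg == "none":   # unsigned token, built only to show that it is rejected
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_access_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid for this API, otherwise raise TokenError.

    Order matters: pin the algorithm (never let the token's own header choose it),
    check the signature, then exp/nbf, issuer and audience. A token minted for a
    different API by the same issuer must fail the audience check."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):   # constant-time compare
        raise TokenError("bad signature")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("expired")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == AUDIENCE or (isinstance(aud, list) and AUDIENCE in aud)):
        raise TokenError("wrong audience")
    return claims


def token_status(token: str, secret: bytes, now: Optional[float] = None) -> str:
    """'ok' or the internal rejection reason (for your logs, not for the response body)."""
    try:
        verify_access_token(token, secret, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


def require_scope(claims: dict, needed: str) -> bool:
    """Authorisation step: scopes are a space-separated string (RFC 6749, section 3.3)."""
    return needed in set(claims.get("scope", "").split())
```

Two details carry most of the security value: the algorithm is compared against what the API expects rather than read from the token (which is what defeats "alg": "none" and key-confusion tricks), and the audience check stops a token issued for some other service behind the same IdP from being replayed here.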
- Restrict Access to Sensitive Data
Authentication and authorisation are only effective if you establish effective access policies and controls for API resources.
Role-based access control (RBAC) and attribute-based access control (ABAC) remain the standard models for expressing those policies. The zero trust model does not replace them; it insists that every request is verified against them, with no implicit trust granted because a caller is on the internal network or has authenticated once before, and that the principle of least privilege (POLP) is applied throughout.
POLP provides a user, or an API client acting for them, with the minimum level of access necessary to do their job, or to complete their API request, restricting access to sensitive data in the process. For an API this must be enforced per object as well as per endpoint: a caller who may read their own record must not be able to read another user's simply by changing the identifier in the URL.
By the same token, only returning the minimum amount of information required by the client, as opposed to a whole database record, also restricts access to sensitive data.
Returning the entire record reveals the structure of your data stores, such as field names and internal identifiers, which aids cybercriminals in their reconnaissance stage.
Returning the minimum amount of data not only offers security benefits but performance ones too, as organisations don't have to waste computation power or bandwidth on retrieving and sending unnecessary data.
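Both halves of this section, the per-object authorisation check and the minimal response, are shown together below as an added example (not code from the original article). The in-memory records, the roles and the field allow-lists are constructed; the `Principal` would be built from the claims of an already-verified access token.

```python
"""Least privilege at the data layer: object-level authorisation plus an
explicit response allow-list.

Added example, not code from the original article. Records, roles and field
lists are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed in-memory store. Several columns must never leave the service.
ACCOUNTS = {
    101: {"id": 101, "owner": "user-42", "email": "a@example.test", "balance": 120.0,
          "password_hash": "constructed", "national_id": "constructed", "internal_risk_score": 7},
    102: {"id": 102, "owner": "user-7", "email": "b@example.test", "balance": 5.0,
          "password_hash": "constructed", "national_id": "constructed", "internal_risk_score": 2},
}

# Allow-lists per audience. Adding a column to the table changes nothing here,
# which is the point: a deny-list would leak every new column by default.
OWNER_FIELDS = ("id", "email", "balance")
SUPPORT_FIELDS = ("id", "email", "balance", "internal_risk_score")


@dataclass(frozen=True)
class Principal:
    sub: str                 # subject from the verified access token
    roles: FrozenSet[str]
    scopes: FrozenSet[str]


def project(record: dict, fields: Tuple[str, ...]) -> dict:
    """Copy only the allow-listed fields out of a record."""
    return {name: record[name] for name in fields if name in record}


def get_account(principal: Principal, account_id: int) -> Tuple[int, dict]:
    """GET /accounts/{id} -> (HTTP status, body).

    1. Endpoint-level check: the token must carry the read scope at all.
    2. Object-level check: the caller must own this record or hold the support role.
       A record that exists but is not the caller's gets the same 404 as a
       missing id, so the caller cannot tell existing ids from absent ones.
    3. Return only the projection that role needs.
    """
    if "accounts:read" not in principal.scopes:
        return 403, {"error": "insufficient_scope"}
    record = ACCOUNTS.get(account_id)
    if record is None:
        return 404, {"error": "not_found"}
    if record["owner"] == principal.sub:
        return 200, project(record, OWNER_FIELDS)
    if "support" in principal.roles:
        return 200, project(record, SUPPORT_FIELDS)
    return 404, {"error": "not_found"}   # not yours: indistinguishable from "does not exist"


def list_accounts(principal: Principal) -> Tuple[int, dict]:
    """GET /accounts: the owner filter is applied server-side, never left to the client."""
    if "accounts:read" not in principal.scopes:
        return 403, {"error": "insufficient_scope"}
    own = [project(r, OWNER_FIELDS) for r in ACCOUNTS.values() if r["owner"] == principal.sub]
    return 200, {"items": own}
```

Returning 404 rather than 403 for a record the caller does not own is a design choice: it costs nothing for legitimate clients and removes the existence oracle an attacker would otherwise use to enumerate identifiers.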
- Encryption
Encrypting data while it's in transit and at rest, i.e., where it's stored, is a security best practice for an organisation's entire IT infrastructure as well as its APIs.
Encrypting data ensures that it is unreadable if it's intercepted or stolen by hackers.
The standard way to encrypt data in transit is Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL) and the protocol behind Hypertext Transfer Protocol Secure (HTTPS).
HTTPS is now so widespread that modern web browsers label a site served over plain "http" as "Not secure". For an API the equivalent is to serve every endpoint over TLS only, rejecting or redirecting plaintext requests, to require TLS 1.2 or later, and to make sure API clients verify the server's certificate: a client that disables certificate verification still encrypts, but it no longer knows who it is talking to, which is precisely the MitM scenario described above.
Similarly, there are several ways to encrypt data at rest, such as full disk encryption (FDE), file-based encryption (FBE), and database encryption (DBE).
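The client-side half of transport encryption is where most real-world weakening happens, usually as a "temporary" fix for a certificate error. The following is an added example (not code from the original article) that puts the weak configuration beside the hardened one using only the Python standard library; the host name api.example.test is a placeholder.

```python
"""Transport encryption done right on the client side of an API call.

Added example, not code from the original article. api.example.test is a
placeholder; the contrast between the two contexts is the point.
"""
import http.client
import json
import ssl
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """The common anti-pattern: the channel is encrypted, but any certificate is
    accepted, so anyone on the path can present their own and read everything.
    Shown only for contrast; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None,
                     client_cert: Optional[str] = None) -> ssl.SSLContext:
    """CERT_REQUIRED, hostname verification, system (or pinned) CA bundle, TLS 1.2+.
    Passing a private CA bundle is how you talk to an internal API without
    turning verification off; passing a client certificate gives mutual TLS."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert)   # PEM with key: the API authenticates us too
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Guard you can run at start-up so a debugging shortcut cannot reach production."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.check_hostname
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def fetch_json(host: str, path: str, token: str,
               ctx: Optional[ssl.SSLContext] = None, timeout: float = 10.0):
    """GET a JSON resource over HTTPS using a verified context. Returns (status, body)."""
    ctx = ctx or hardened_context()
    if not context_is_safe(ctx):
        raise ValueError("refusing to call the API with an unverified TLS context")
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Authorization": "Bearer " + token,
                                           "Accept": "application/json"})
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read() or b"null")
    finally:
        conn.close()
```

The `context_is_safe` guard is cheap insurance: most "disable verification" changes are made to get a test environment working and are never reverted, and a start-up check turns that into a failed deployment instead of a silent MitM exposure.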
- Data Validation
Another crucial aspect of API security is to never assume that the data passed to your API has been validated by the client.
Neglecting to validate input opens the door to common API security threats like cross-site scripting (XSS) and SQL injection attacks.
Effective validation means checking that each field is of the expected type and conforms to a predefined format, e.g., an integer within a sensible range for a quantity, or an E.164 pattern for a phone number (which is a string, not a number: it may begin with "+" or "0"), and rejecting fields you did not ask for, so a client cannot set attributes such as an "is_admin" flag that the endpoint never intended to accept.
Similarly, you must check that the type of media contained in the request or response matches the Content-Type header. Also, placing a size limit on request bodies prevents attacks that depend on large payloads. Validation is a filter, not a substitute for safe handling further down: data that passes validation must still reach the database as query parameters, never spliced into the query string.
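The checks in this section, in the order a request handler would apply them, followed by the parameterised query that makes the SQL injection attack from the threat list above fail, as an added example (not code from the original article). The contact schema, the size limit and the SQLite table are constructed; the deliberately unsafe `find_by_name_unsafe` is the "before" version and is kept only to show the difference.

```python
"""Validate an API request body before it touches the database, then query
with parameters rather than string building.

Added example, not code from the original article. Schema, size limit and
SQLite table are constructed for illustration.
"""
import json
import re
import sqlite3
from typing import Tuple

MAX_BODY_BYTES = 4096                         # assumed limit for this endpoint
E164_PHONE = re.compile(r"\+[1-9]\d{1,14}")   # phone numbers are strings, not numbers
NAME = re.compile(r"[\w .'-]{1,80}")
SCHEMA = {"name": str, "phone": str, "age": int}   # every field required, nothing else allowed


def validate_contact(headers: dict, body: bytes) -> Tuple[int, dict]:
    """Return (0, validated_dict) on success or (http_status, error_body) on failure."""
    lowered = {k.lower(): v for k, v in headers.items()}
    media_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return 415, {"error": "unsupported_media_type"}
    if len(body) > MAX_BODY_BYTES:                 # checked before parsing anything
        return 413, {"error": "payload_too_large"}
    try:
        data = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed_json"}
    if not isinstance(data, dict):
        return 400, {"error": "object_expected"}
    unexpected = sorted(set(data) - set(SCHEMA))
    if unexpected:                                 # mass-assignment defence: unknown keys are an error
        return 400, {"error": "unexpected_fields", "fields": unexpected}
    missing = sorted(set(SCHEMA) - set(data))
    if missing:
        return 400, {"error": "missing_fields", "fields": missing}
    for field, expected in SCHEMA.items():
        if type(data[field]) is not expected:      # `is not`: bool is a subclass of int
            return 400, {"error": "wrong_type", "field": field}
    if not NAME.fullmatch(data["name"]):
        return 400, {"error": "invalid_name"}
    if not E164_PHONE.fullmatch(data["phone"]):
        return 400, {"error": "invalid_phone"}
    if not 0 <= data["age"] <= 150:
        return 400, {"error": "invalid_age"}
    return 0, data


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT, age INTEGER)")
    return conn


def create_contact(conn: sqlite3.Connection, headers: dict, body: bytes) -> Tuple[int, dict]:
    """POST /contacts: validate, then insert with bound parameters."""
    status, payload = validate_contact(headers, body)
    if status:
        return status, payload
    cur = conn.execute("INSERT INTO contacts (name, phone, age) VALUES (?, ?, ?)",
                       (payload["name"], payload["phone"], payload["age"]))
    conn.commit()
    return 201, {"id": cur.lastrowid}


def find_by_name(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised: the driver sends `name` as data, so quotes cannot alter the query."""
    return [row[0] for row in conn.execute("SELECT id FROM contacts WHERE name = ?", (name,))]


def find_by_name_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' version, kept only to demonstrate the injection. Do not use."""
    return [row[0] for row in conn.execute(f"SELECT id FROM contacts WHERE name = '{name}'")]
```

Note that the lookup takes its argument from a query string, not from the validated body, which is why the parameterised form matters even with strict validation in place: every path into the database has to be safe on its own.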
- Rate Limiting
Rate limiting is a simple, yet effective, API security best practice that caps the number of requests a client can make.
Rate limiting stops any single client from flooding your server with requests and making your application unavailable for legitimate users. It is most effective when keyed on the authenticated client or API key rather than the source IP address, which many users may share behind NAT. Against a volumetric DDoS from a botnet it is only part of the answer, since the traffic arrives from many sources at once; that layer is handled upstream by a CDN or DDoS-scrubbing service.
Similarly, API quotas restrict the number of requests that can be made by a particular user, application, or IP address in a given period.
This both helps protect your APIs from malicious activity and acts as a form of quality control, ensuring resources are fairly distributed between users.
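A short-term limiter and a longer-term quota behave differently and are usually combined; the following added example (not code from the original article) implements both in plain Python and wraps them in the 429 decision a gateway or middleware would make. The limits, window sizes and clock values are constructed, and keying on a client id assumes the caller has already been authenticated.

```python
"""Per-client rate limit (token bucket, absorbs bursts) and a longer-term
quota (fixed window), keyed on the authenticated client.

Added example, not code from the original article. Limits and window sizes
below are illustrative.
"""
import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class _Bucket:
    tokens: float
    updated: float


class TokenBucketLimiter:
    """Allow `burst` requests at once, then `rate` per second on average."""

    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self._clock = rate, burst, clock
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, key: str, now: Optional[float] = None) -> Tuple[bool, float]:
        """Return (allowed, seconds_until_next_token). `now` is injectable for tests."""
        now = self._clock() if now is None else now
        b = self._buckets.setdefault(key, _Bucket(tokens=float(self.burst), updated=now))
        b.tokens = min(float(self.burst), b.tokens + (now - b.updated) * self.rate)  # refill
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True, 0.0
        return False, (1.0 - b.tokens) / self.rate


class FixedWindowQuota:
    """At most `limit` requests per `window` seconds, e.g. 10,000 per day.
    Counters live per (key, window index); evict finished windows in production."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._counts: Dict[Tuple[str, int], int] = {}

    def allow(self, key: str, now: float) -> Tuple[bool, int]:
        """Return (allowed, requests_remaining_in_window)."""
        slot = (key, int(now // self.window))
        self._counts[slot] = self._counts.get(slot, 0) + 1
        return self._counts[slot] <= self.limit, max(0, self.limit - self._counts[slot])


def check_request(limiter: TokenBucketLimiter, quota: FixedWindowQuota,
                  client_id: str, now: float) -> Tuple[int, dict]:
    """Gateway-style decision: 429 with Retry-After when either control trips,
    otherwise 200 with the remaining quota so well-behaved clients can back off."""
    ok, retry_after = limiter.allow(client_id, now)
    if not ok:
        return 429, {"Retry-After": str(max(1, math.ceil(retry_after)))}
    ok, remaining = quota.allow(client_id, now)
    if not ok:
        window_end = (int(now // quota.window) + 1) * quota.window
        return 429, {"Retry-After": str(max(1, math.ceil(window_end - now)))}
    return 200, {"X-RateLimit-Remaining": str(remaining)}
```

A single-process dictionary is enough to show the logic; behind several API replicas the counters have to live in a shared store (a Redis-style cache is the usual choice) or each replica will independently allow the full limit.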
- Audit Logging
Audit logging is the process of recording events and changes within your IT infrastructure, including your APIs.
Logging every API request, with the client or subject, source address, method, path, status and a request identifier, allows you to track user activity and identify anomalous and potentially malicious behaviour. Never write the credential itself (API key, bearer token, password) to the log: a log store is read by far more people and systems than the API is, and a leaked log would hand out working credentials.
Audit logging also highlights changes to your IT ecosystem, which could help to reveal malware deployment or altered data.
As well as keeping audit logs, it's vital to routinely review them. Threat actors often rely on the fact that organisations don't review their logs regularly enough, and build this into their attack strategies.
- Continuous Monitoring
On a similar note, continuously monitoring your APIs for suspicious activity means you become aware of potential security events as soon as they occur, and can receive alerts so you get ahead of them before they escalate.
Fortunately, there are a variety of API monitoring tools that allow you to analyse API performance in real time, tracking important metrics such as traffic volume, error rates and the number of requests per client.
Consequently, monitoring tools let companies assess the performance of their APIs as well as their security posture.
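The audit-logging and monitoring sections above both come down to the same two things: write records that are safe to keep, then run detections over them. The following added example (not code from the original article) does both: `audit_record` emits one JSON line per request with the bearer token replaced by a short fingerprint, and two detectors pick out a credential-guessing burst and an identifier sweep from a constructed batch of log lines. The thresholds are assumptions to tune against your own traffic.

```python
"""Write audit records that are safe to keep, then run two detections over them.

Added example, not code from the original article. The log lines are
constructed; thresholds are illustrative.
"""
import hashlib
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple


def audit_record(ts, ip, sub, method, path, status, authorization: str = "") -> str:
    """One JSON line per request. The bearer token itself is never written; a
    short fingerprint lets you correlate requests from one token without
    turning the log into a credential store."""
    token = authorization.partition(" ")[2] if authorization.lower().startswith("bearer ") else ""
    fp = hashlib.sha256(token.encode()).hexdigest()[:12] if token else None
    return json.dumps({"ts": ts, "ip": ip, "sub": sub, "method": method,
                       "path": path, "status": status, "token_fp": fp}, separators=(",", ":"))


def parse_log(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def auth_failure_bursts(events: List[dict], threshold: int = 5, window: int = 60) -> Dict[str, int]:
    """Source IPs with >= threshold 401/403 responses inside any `window` seconds
    (sliding window): key and password guessing looks like this."""
    times = defaultdict(list)
    for e in events:
        if e["status"] in (401, 403):
            times[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


RESOURCE = re.compile(r"^/v1/(?P<collection>[a-z]+)/(?P<id>\d+)$")


def object_enumeration(events: List[dict], threshold: int = 10) -> Dict[Tuple[str, str], int]:
    """Subjects touching >= threshold distinct ids in one collection. 404s count
    too: a sweep of ids that mostly miss is still reconnaissance for broken
    object-level authorisation."""
    seen = defaultdict(set)
    for e in events:
        m = RESOURCE.match(e["path"])
        if m and e.get("sub"):
            seen[(e["sub"], m["collection"])].add(m["id"])
    return {key: len(ids) for key, ids in seen.items() if len(ids) >= threshold}


# Constructed sample: a credential-guessing burst, an id sweep, and benign traffic.
SAMPLE_LOG = "\n".join(
    [audit_record(1700000000 + i, "203.0.113.9", None, "POST", "/v1/login", 401) for i in range(6)]
    + [audit_record(1700000010 + i, "198.51.100.5", "user-42", "GET", f"/v1/accounts/{101 + i}",
                    200 if i == 0 else 404, "Bearer constructed-token-a") for i in range(20)]
    + [audit_record(1700000040, "198.51.100.8", "user-7", "GET", "/v1/accounts/102", 200,
                    "Bearer constructed-token-b"),
       audit_record(1700000041, "198.51.100.8", None, "POST", "/v1/login", 401)]
)
```

The enumeration detector is the one most API-specific: a user who reads nineteen other people's account ids and gets 404 for each is not a user experiencing errors, they are testing whether your object-level authorisation holds, and that is worth an alert even though every individual response was correct.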
- Install an API Gateway
API gateways, as their name suggests, sit between users and an organisation's APIs, providing a single entry point that filters out suspicious activity before it has the opportunity to reach and impact your IT ecosystem.
API gateways help you implement many of the API security best practices described above, such as data validation, rate limiting, audit logging, and authentication and authorisation.
An API gateway can also maintain and enforce an allow-list or deny-list that automatically rejects requests based on the client's IP address or domain. For this to work behind load balancers, the gateway must determine the real client address carefully, trusting forwarding headers only from its own proxies, because a client can set those headers to anything it likes.
Most importantly, an API gateway lets you apply security policies and controls centrally, at one enforcement point, instead of reimplementing them in every backend service. The backends should nonetheless still verify authorisation themselves, so that a gateway bypass is not a total bypass.
In addition to security functions, API gateways carry out several routing and performance tasks, including service discovery (determining where to send each request), load balancing, and caching.
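The allow-list/deny-list feature is only as good as the address it is applied to, and that address is the part gateways most often get wrong. The following is an added example (not code from the original article or any gateway product) showing the resolution rule and the CIDR checks. It assumes a layout where every request reaches the gateway through a load balancer in 10.0.0.0/8 that appends the address it received the connection from to X-Forwarded-For; the other ranges are documentation ranges used as constructed lists.

```python
"""Client-address resolution and CIDR allow/deny lists at the gateway.

Added example, not code from the original article. Proxy layout and all
address ranges are assumed for illustration.
"""
import ipaddress
from typing import Iterable, Optional

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]          # assumed: our own load balancers
DENY_LIST = [ipaddress.ip_network("203.0.113.0/24")]            # constructed abusive range
ADMIN_ALLOW_LIST = [ipaddress.ip_network("198.51.100.0/24"),    # constructed office ranges
                    ipaddress.ip_network("2001:db8:1::/48")]


def _in_any(addr, networks: Iterable) -> bool:
    # ipaddress returns False for a v4 address against a v6 network and vice versa.
    return any(addr in net for net in networks)


def client_ip(peer_ip: str, xff: Optional[str]):
    """Work out who really sent the request.

    X-Forwarded-For is attacker-controlled input: a client can send any value.
    The only hops you can believe are the ones your own proxies appended, so
    honour the header only when the TCP peer is a trusted proxy, then walk it
    from the right and stop at the first address that is not one of yours."""
    peer = ipaddress.ip_address(peer_ip)
    if not xff or not _in_any(peer, TRUSTED_PROXIES):
        return peer                      # direct connection: the peer is the client
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer                  # junk in the header: distrust all of it
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer                          # every hop was ours: nothing usable


def gateway_decision(peer_ip: str, xff: Optional[str], path: str) -> int:
    """403 to block at the edge, 200 to forward to the backend."""
    ip = client_ip(peer_ip, xff)
    if _in_any(ip, DENY_LIST):
        return 403
    if path.startswith("/admin/") and not _in_any(ip, ADMIN_ALLOW_LIST):
        return 403
    return 200
```

The third test case is the one to remember: an attacker who writes an allow-listed office address into X-Forwarded-For still has their real address appended by the load balancer, and walking the chain from the right lands on that real address rather than the forged one. Reading the leftmost entry, which is what many examples do, would let the forgery through.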
- Conduct Regular Security Tests
Finally, after implementing each API security best practice, it’s critical to ensure they’re effective and working as intended through regular security testing.
While a lot of this testing can be automated with specialised applications and tools, such as API management platforms, it’s also wise to enlist the services of ethical hackers to carry out various penetration tests.
Ethical, or "white hat", hackers provide a threat actor's mindset: attacking your IT infrastructure the way a cybercriminal would and finding flaws in your API security in the process.
Just as importantly, ethical hackers typically possess current threat intelligence: keeping up-to-date with the latest tools and techniques that malicious actors may employ.
Conclusion
API Security Best Practices: In Summary
API security is the practice of protecting APIs from cybersecurity threats and, in the process, preventing malicious actors from accessing an organisation's IT infrastructure.
It is so important because an organisation has no control over the security practices of the external organisations that use its APIs, and a breach at one of those organisations can become an entry point into your own network.
Common API cyberattacks include:
- Denial of Service (DoS)/Distributed Denial of Service (DDoS) Attacks
- Stolen Authentication
- Man-in-the-Middle (MitM) Attacks
- Injection Attacks
10 API Security Best Practices
- Conduct API Risk Assessments
- Authentication and Authorisation
- Restrict Access to Sensitive Data
- Encryption
- Data Validation
- Rate Limiting
- Audit Logging
- Continuous Monitoring
- Install an API Gateway
- Conduct Regular Security Tests