
Why API security is vital in today’s interconnected world

When it comes to achieving effective IT security, many organisations often overlook a potential point of weakness in their infrastructures – APIs. Ashley Diffey from Ping Identity explores.

Ashley Diffey
Fri, 25 Mar 2022

Application programming interfaces (APIs) allow applications to request data from or provide data to other applications. If that application is targeting consumers, employees or partners, the client-side portion (such as a mobile app) interacts with the server-side portion via an API.

Usage of APIs has increased significantly during the past few years. This trend has been fuelled by digital transformation and the central role that APIs play in both mobile commerce and the internet of things (IoT). This, in turn, is leading to API security becoming a serious concern.

API security includes access control and privacy, as well as the detection and remediation of attacks. These attacks can occur through the reverse engineering of the APIs and subsequent exploitation of exposed vulnerabilities.

These vulnerabilities are exposed because APIs are often reachable over public networks and tend to be well documented. Also, because APIs are highly sensitive to denial-of-service (DoS and DDoS) attacks, they are attractive targets for bad actors.

According to analyst firm Gartner, by 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications. The firm recommends organisations adopt a continuous approach to API security across the development and delivery cycle and design security directly into APIs.

Protective measures

Thankfully, APIs do gain some protection from security measures an organisation is likely to already have in place. For example, APIs are often behind a firewall, and some may also be behind an additional web application firewall (WAF). A WAF can scan API traffic using signature-based threat detection, looking for things such as SQL injection and other attacks.

API gateways also play a role in threat detection. A gateway might enforce a strict schema on the way requests are handled, look for deep nesting patterns and XML bombs, and apply rate limits, in addition to acting as a policy enforcement point.

In the end, security is everybody’s job because APIs touch backend services, databases, and other parts of an organisation’s IT infrastructure. This, in turn, means that every component needs to be secured.

Measures should start at the transport level, securing traffic with HTTPS (TLS) and enforcing TLS 1.2. There is also a need to get rid of weak mechanisms such as HTTP basic authentication.

Security best practices

When it comes to effectively securing APIs, there are a range of best-practice measures that can be applied. These include:

  • Take an inventory:
    Digital transformation initiatives accelerate the development of new APIs, so every API needs to be reviewed to assess whether appropriate security measures are in place: you can’t secure what you don’t know about.
  • Control access:
    Using industry standards like OAuth and JWT, it’s possible to define access control rules that determine which identities, group memberships, identity attributes and roles are required to access specific API resources.
  • Detect threats:
    Security teams should combine real-time and out-of-band threat detection. Real-time threat detection involves an API gateway, a WAF, or an agent applying a set of validation rules. Each API request and response is subjected to this set of rules and is only allowed through if the rules are passed.
  • Constantly test security:
    Any API security measures put in place should be continuously tested. One technique is to design test cases that skip the client-side application as a hacker would when attacking an API. Try calling the API in ways that the application does not do and attempt to trick it into returning data for which a requester should not have access.
  • Monitor analytics across API silos:
    It’s important to monitor API traffic from within the infrastructure. Traffic metadata should be fed into a centralised artificial intelligence (AI) engine that can break it down by user, IP address, token and by each API across all silos. API monitoring and threat detection should also be integrated with existing security information and event management (SIEM) systems.
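The "control access" and "detect threats" points above describe a gateway that verifies a bearer token and applies a per-resource rule set before a request is allowed through. The example below is an added illustration, not code from the article or from Ping Identity: it verifies an HS256-signed JWT with a constructed shared secret (a production gateway would use the identity provider's published keys) and then checks the token's scope and roles against a small, deny-by-default rule table.

```python
import base64, hashlib, hmac, json

# Constructed demo secret; a real gateway validates against the IdP's keys.
SECRET = b"constructed-demo-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    """Issue an HS256 JWT (stands in for the OAuth authorisation server)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_token(token: str, now: int):
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse any algorithm other than the one we expect
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signature mismatch: tampered or foreign token
        claims = json.loads(b64url_decode(body))
    except ValueError:  # malformed base64 or JSON is treated as invalid
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired token
    return claims

# Hypothetical policy: each (method, path) needs a scope and one of the listed roles.
RULES = {
    ("GET", "/orders"): {"scope": "orders:read", "roles": {"customer", "support"}},
    ("DELETE", "/orders"): {"scope": "orders:write", "roles": {"admin"}},
}

def authorize(method: str, path: str, token: str, now: int) -> bool:
    """Policy enforcement point: allow only if a rule exists and the token satisfies it."""
    rule = RULES.get((method, path))
    if rule is None:
        return False  # no rule means no access, never the other way round
    claims = verify_token(token, now)
    if claims is None:
        return False
    scopes = set(claims.get("scope", "").split())
    roles = set(claims.get("roles", []))
    return rule["scope"] in scopes and bool(rule["roles"] & roles)
```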

Detecting and stopping API breaches is only part of an effective response to threats. Each incident also needs to be forensically recorded to ensure a complete picture can be created of exactly what has taken place. This will allow security teams to review existing protective measures and determine where additions and changes need to be made.

APIs will continue to play a pivotal role in IT infrastructures for many years to come. Taking steps to ensure effective security is in place will allow associated benefits to be enjoyed and risks to be lowered.

Ashley Diffey is the head of APAC and Japan at Ping Identity.
