API security best practices: What you need to know

November 7, 2022 by Drew Robb

Application Programming Interfaces (APIs) have been well-known in IT for some time. Yet they have suddenly moved front and center in security. Why? Giora Engel, CEO of Neosec, believes that APIs have largely become the new network — but their changing role has made them even more vulnerable to abuse.

The network, after all, is composed of many different layers. Above the physical layer where cables are connected, there are a series of additional layers. APIs sit on top of all of them, typically carrying their requests and responses over HTTPS.

“It is the APIs that connect all the different software components together to provide a service,” said Engel on the Cyber Work Podcast. “The connectivity between the client and the provider, too, is enabled by APIs.”

Unfortunately, APIs have traditionally been considered a minor IT infrastructure element. Hence, they tend to receive relatively little attention from a security standpoint. Yet APIs are the primary means of exposing services to the outside world, which places them in an especially vulnerable position.

API security best practices and technologies are evolving to safeguard enterprise security and block any potential avenues of attack.

Video: What is API security? | Cyber Work Podcast: https://www.youtube.com/watch?v=RpkK4x8Homo&ab_channel=Infosec

API misconfiguration

API security isn’t just about rogue actors. APIs can also be misconfigured. Engel explained that the problems largely boil down to the lack of a complete API inventory. If you don’t know what your APIs are, you don’t know whether they are configured correctly or are robust enough. A thorough inventory is the first step in taking control of API security.

Only when you understand your APIs well can you determine how they are implemented, deployed and configured. Questions to answer include how access controls were implemented and whether the APIs reveal more information than they should. But it isn’t always easy to discover these things. Some of the data can be found in API gateways, but other information is spread across the specific microservices involved.
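The two questions just raised, how access control is configured and whether an API reveals more than it should, can be answered mechanically when the API is described in an OpenAPI document. The script below is an added example written for this page (it is not from the article, from Neosec or from any real service): it walks a constructed OpenAPI 3 spec, builds an inventory of every operation, and flags operations that require no authentication (an operation-level `security: []` removes the document-wide requirement, which is standard OpenAPI 3 semantics) and responses whose schema contains fields with PII-looking names. The spec, the schema names and the PII regular expression are all assumptions made for the demo.

```python
"""Audit a constructed OpenAPI 3 document: inventory every operation and flag
(a) operations with no authentication requirement and (b) responses that expose
PII-looking fields. Added example code; not from the article or any real API."""
import json
import re

# Constructed sample spec for the demo; paths, schemas and field names are invented.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Constructed demo API", "version": "1.0"},
    "security": [{"bearerAuth": []}],          # document-wide default: token required
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Account": {"type": "object", "properties": {
                "id": {"type": "string"},
                "iban": {"type": "string"},
                "owner": {"type": "object", "properties": {"owner_email": {"type": "string"}}},
            }},
            "Status": {"type": "object", "properties": {"ok": {"type": "boolean"}}},
        },
    },
    "paths": {
        "/health": {"get": {
            "security": [],                     # operation-level override: anonymous access
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Status"}}}}}}},
        "/accounts/{id}": {"get": {              # inherits the document-wide bearer requirement
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Account"}}}}}}},
        "/accounts/{id}/export": {"get": {
            "security": [],                     # anonymous AND returns PII: the worst case
            "responses": {"200": {"content": {"application/json": {
                "schema": {"type": "array", "items": {"$ref": "#/components/schemas/Account"}}}}}}}},
    },
}

# Assumed heuristic: field names that usually carry personal data.
PII_PATTERN = re.compile(r"(ssn|iban|email|phone|dob|birth|passport|address)", re.I)
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def resolve(spec, schema):
    """Follow a local '#/...' $ref to the schema object it points at."""
    ref = schema.get("$ref")
    if not ref:
        return schema
    node = spec
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def pii_fields(spec, schema, prefix=""):
    """Return dotted names of properties (recursively, through arrays) that look like PII."""
    schema = resolve(spec, schema)
    found = []
    for name, sub in schema.get("properties", {}).items():
        if PII_PATTERN.search(name):
            found.append(prefix + name)
        found.extend(pii_fields(spec, sub, prefix + name + "."))
    if schema.get("type") == "array" and "items" in schema:
        found.extend(pii_fields(spec, schema["items"], prefix + "[]."))
    return found


def audit(spec):
    """Build the inventory: one record per operation, with findings attached."""
    default_security = spec.get("security", [])
    inventory = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:      # skip 'parameters', 'summary', etc.
                continue
            security = op.get("security", default_security)
            findings = []
            if not security:
                findings.append("no authentication requirement")
            exposed = []
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    exposed.extend(pii_fields(spec, media.get("schema", {})))
            if exposed:
                findings.append("response exposes PII-like fields: " + ", ".join(sorted(set(exposed))))
            inventory.append({"operation": f"{method.upper()} {path}",
                              "authenticated": bool(security), "findings": findings})
    return inventory


if __name__ == "__main__":
    for entry in audit(SAMPLE_SPEC):
        print(json.dumps(entry))
```

Run against the constructed spec, the audit lists three operations: the health check is anonymous (often intentional, but the inventory makes that decision explicit and reviewable), the account lookup is authenticated but returns an IBAN and an e-mail address, and the export endpoint is both anonymous and returns that data for a whole list of accounts. Real deployments would feed the script the spec pulled from the API gateway and the ones embedded in each microservice, since, as the article notes, the information is rarely in one place.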

“API security information is buried in a lot of different places, so it can be hard to enforce it in one place,” said Engel.

API security and privacy

Personally identifiable information (PII) can also be exposed via APIs. There are a great many privacy regulations in different states, countries and regions that lay out a labyrinth of privacy rules and restrictions. Engel noted that regulations sometimes force you to expose more through APIs than is prudent from a security perspective.

Take the open banking rules prevalent in Europe and gaining greater acceptance in North America, for example. These rules force financial institutions to expose their core payment capabilities through APIs. This enables external companies to participate in the banking ecosystem via APIs, even when those external entities are unknown and not necessarily trustworthy.

Similarly, in the U.S., insurance companies operating in healthcare are required by law to expose all their protected health information (PHI) for interoperability. In other words, current rules require exposure of their most sensitive data to outside interests. These are just a few ways in which the function of APIs has been extended to the point where it opens the door to breaches and malware infection.

Building a secure API framework

Engel said that building a security framework around APIs is, in many ways, similar to managing other assets. He laid out the basic steps:

  1. Take an inventory, so you know what to protect.
  2. Look for any potential vulnerabilities.
  3. Understand the inherent sensitivities of some APIs.
  4. Monitor how they are consumed to detect abnormal behavior or potential abuse.
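The four steps above, carried through in code, as an added example written for this page (not from the article or from Neosec): a constructed inventory with sensitivity labels stands in for steps 1 and 3, a handful of constructed API gateway log lines stand in for real traffic, and the detection logic implements step 4 by flagging clients that enumerate many distinct resource IDs on a sensitive endpoint, clients that collect repeated denials on sensitive endpoints, and endpoints that appear in traffic but are missing from the inventory (which sends you back to step 1). The log format, the `{id}` templating convention, the thresholds and the inventory entries are all assumptions made for the demo.

```python
"""Monitor API consumption from constructed gateway access logs and flag abnormal
behaviour against a per-endpoint sensitivity inventory. Added example code; the
log format, inventory and thresholds are assumptions, not from any real gateway."""
import re
from collections import defaultdict

# Inventory with sensitivity labels (constructed). max_ids_per_client is the number of
# distinct resource IDs one client may legitimately touch before we consider it enumeration.
INVENTORY = {
    "GET /accounts/{id}": {"sensitivity": "high", "max_ids_per_client": 5},
    "GET /accounts/{id}/transactions": {"sensitivity": "high", "max_ids_per_client": 5},
    "GET /health": {"sensitivity": "low", "max_ids_per_client": None},
}

# Constructed sample log lines in an invented gateway format; not real traffic.
SAMPLE_LOGS = """\
2022-11-07T10:00:01Z client=app-mobile token=t1 GET /accounts/1001 200
2022-11-07T10:00:02Z client=app-mobile token=t1 GET /accounts/1001/transactions 200
2022-11-07T10:00:03Z client=app-web token=t2 GET /accounts/2002 200
2022-11-07T10:00:03Z client=app-web token=t2 GET /accounts/2002/export 200
2022-11-07T10:00:04Z client=partner-x token=t3 GET /accounts/3001 200
2022-11-07T10:00:04Z client=partner-x token=t3 GET /accounts/3002 200
2022-11-07T10:00:05Z client=partner-x token=t3 GET /accounts/3003 200
2022-11-07T10:00:05Z client=partner-x token=t3 GET /accounts/3004 200
2022-11-07T10:00:06Z client=partner-x token=t3 GET /accounts/3005 200
2022-11-07T10:00:06Z client=partner-x token=t3 GET /accounts/3006 200
2022-11-07T10:00:07Z client=partner-x token=t3 GET /accounts/3007 200
2022-11-07T10:00:08Z client=scanner token=t4 GET /accounts/1001 403
2022-11-07T10:00:08Z client=scanner token=t4 GET /accounts/1002 403
2022-11-07T10:00:09Z client=scanner token=t4 GET /accounts/1003 403
2022-11-07T10:00:09Z client=scanner token=t4 GET /accounts/1004 403
2022-11-07T10:00:10Z client=scanner token=t4 GET /health 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) token=\S+ (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def normalise(method, path):
    """Map a concrete path to its inventory template; numeric segments become '{id}'.
    Returns (template, first resource id or None)."""
    parts = path.split("/")
    ids = []
    for i, part in enumerate(parts):
        if part.isdigit():
            ids.append(part)
            parts[i] = "{id}"
    return f"{method} {'/'.join(parts)}", (ids[0] if ids else None)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def detect(log_text, inventory=INVENTORY, denied_threshold=3):
    """Return sorted alert strings for enumeration, repeated denials and inventory gaps."""
    ids_seen = defaultdict(set)   # (client, template) -> distinct resource ids touched
    denied = defaultdict(int)     # client -> 401/403 count on high-sensitivity endpoints
    unknown = set()               # templates observed in traffic but absent from inventory
    for rec in parse(log_text):
        template, rid = normalise(rec["method"], rec["path"])
        entry = inventory.get(template)
        if entry is None:
            unknown.add(template)
            continue
        if entry["sensitivity"] != "high":
            continue
        if rid:
            ids_seen[(rec["client"], template)].add(rid)
        if rec["status"] in (401, 403):
            denied[rec["client"]] += 1
    alerts = []
    for (client, template), rids in ids_seen.items():
        limit = inventory[template]["max_ids_per_client"]
        if limit is not None and len(rids) > limit:
            alerts.append(f"{client}: enumerated {len(rids)} distinct ids on {template}")
    for client, n in denied.items():
        if n >= denied_threshold:
            alerts.append(f"{client}: {n} denied requests on sensitive endpoints")
    for template in sorted(unknown):
        alerts.append(f"inventory gap: {template} observed in traffic but not in inventory")
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the constructed log the detector raises three alerts: the partner client walked seven account IDs in a few seconds, the scanner client was refused four times on sensitive endpoints, and an export endpoint showed up in traffic that nobody had put in the inventory. The thresholds are deliberately simple; in practice they would be tuned per client and per endpoint from the sensitivity labels assigned in step 3, which is exactly why the article ties monitoring back to the inventory.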

“What’s unique about APIs is that you can directly connect them to a business purpose,” said Engel. “APIs are no longer just an infrastructure component, so abusing them has the potential for damaging consequences.”

The business value derived from more open and functional APIs is central to ongoing digital transformation initiatives. Developers are finding more ways to augment APIs to forward business objectives. However, security remains a step behind.

This is opening a new frontier for application security — one that people beginning their careers in IT would be wise to focus on. Engel advises anyone learning application development and application security to embrace APIs as a significant part of these fields. That means understanding how API calls are made, how API frameworks are built and how API specifications are written.

“Once you know all that, it’s easier to understand how to protect APIs and how to secure environments,” said Engel.

He added that there isn’t a silver bullet to improve APIs. But APIs help provide people with better tools and products. As long as security personnel and developers have a good sense of their inventory of APIs and eliminate vulnerabilities, they are most of the way there.

As the field matures, product security and API security are gradually being built into product development. Those educated in security that way are future-proofing their careers, because API vulnerabilities and data exposures are not going away, concluded Engel.

To learn more about the importance of API security, listen to the full Cyber Work Podcast with Giora Engel.

Drew Robb

Drew Robb has been writing about IT, engineering and cybersecurity for more than 25 years. He's been published in numerous outlets and resides in Florida.