API security best practices: What you need to know
Application Programming Interfaces (APIs) have been well-known in IT for some time. Yet they have suddenly moved front and center in security. Why? Giora Engel, CEO of Neosec, believes that APIs have largely become the new network — but their changing role has made them even more vulnerable to abuse.
The network, after all, is composed of many different layers. Above the physical layer where cables are connected, there are a series of additional layers. APIs sit on top of all of them, typically using the HTTPS protocol to implement them to communicate requests and responses.
“It is the APIs that connect all the different software components together to provide a service,” said Engel on the Cyber Work Podcast. “The connectivity between the client and the provider, too, is enabled by APIs.”
Unfortunately, APIs have traditionally been considered a minor IT infrastructure element. Hence, they tend to receive relatively little attention from a security standpoint. Yet the APIs are harnessed as the best way to expose services to the outside world. This places them in an especially vulnerable position.
API security best practices and technologies are evolving to safeguard enterprise security and block any potential avenues of attack.
[pkInsertVideo link="https://www.youtube.com/watch?v=RpkK4x8Homo&ab_channel=Infosec" title="What is API security? | Cyber Work Podcast" align=""]
API misconfiguration
API security isn’t just about rogue actors. APIs can also be misconfigured. Engle explained that the problems tend to largely boil down to the lack of a complete API inventory. If you don’t know what your APIs are, you don’t know if they are configured correctly or are robust enough. A thorough inventory is an early first step in taking control of API security.
Only when you understand your APIs well can you determine how they are implemented, deployed and configured. Questions to answer include how access controls were implemented and whether the APIs reveal more information than they should. But it isn’t always easy to discover these things. Some of the data can be found in API gateways, but other information will be spread around the specific microservices involved.
ChatGPT training built for everyone
“API security information is buried in a lot of different places, so it can be hard to enforce it in one place,” said Engel.
API security and privacy
Personally identifiable information (PII) can also be exposed via APIs. There are a great many privacy regulations in different states, countries and regions that lay out a labyrinth of privacy rules and restrictions. Engel noted that regulations sometimes force you to expose more through APIs than is prudent from a security perspective.
Take the open banking rules prevalent in Europe and gaining greater acceptance in North America, for example. These rules force financial institutions to expose their core payment capabilities through APIs. This enables external companies to participate in the banking ecosystem via APIs, even if these external entities are unknown and are not necessarily to be trusted.
Similarly, in the U.S., insurance companies operating in healthcare are required by law to expose all their protected health information (PHI) for interoperability. In other words, current rules require exposure of their most sensitive data to outside interests. These are just a few ways in which the function of APIs has been extended to the point where it opens the door to breaches and malware infection.
Building a secure API framework
Engel said that building a security framework around APIs is, in many ways, similar to managing other assets. He laid out the basic steps:
- Take an inventory, so you know what to protect.
- Look for any potential vulnerabilities.
- Understand the inherent sensitivities of some APIs.
- Monitor how they are consumed to detect abnormal behavior or potential abuse.
“What’s unique about APIs is that you can directly connect them to a business purpose,” said Engel. “APIs are no longer just an infrastructure component, so abusing them has the potential of damaging consequences.”
The business value derived from more open and functional APIs is central to ongoing digital transformation initiatives. Developers are finding more ways to augment APIs to forward business objectives. However, security remains a step behind.
This is opening a new frontier for application security — one that people beginning their careers in IT would be wise to focus on. Engel advises anyone learning application development and application security to embrace APIs as a significant part of these fields. That means understanding how API calls are made, how API frameworks are built and API specifications.
“Once you know all that, it’s easier to understand how to protect APIs and how to secure environments,” said Engel.
He added that there isn’t a silver bullet to improve APIs. But APIs help provide people with better tools and products. As long as security personnel and developers have a good sense of their inventory of APIs and eliminate vulnerabilities, they are most of the way there.
As the field matures, product security and API security are gradually being built into product development. Those being educated in security in that way are being future-proofed as API vulnerabilities and data exposures are not going away, concluded Engel.
ChatGPT training built for everyone
To learn more about the importance of API security, listen to the full Cyber Work Podcast with Giora Engel.
In this Series
- API security best practices: What you need to know
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization