In recent years, the proliferation of APIs has significantly changed the way enterprises operate. APIs enable different applications to communicate and exchange data with each other, allowing for more efficient and effective business processes and software development.
However, with the increased use of APIs comes the risk of API sprawl, where APIs are created and deployed across distributed teams and architectures, often without proper oversight and management. This can create a new set of security risks for enterprises, as each API represents a potential entry point for attackers to gain unauthorized access to sensitive data and systems.
One of the main drivers of API sprawl is the proliferation of microservices. A microservices architecture breaks a larger application into smaller, individual applications that communicate with each other via API. This breaks complex applications into discrete parts that can be managed by individual teams and scaled independently of each other to meet traffic demands.
Microservices offer many advantages for developers, including increased flexibility and scalability. However, these benefits come with tradeoffs, including additional complexity. As a result, many enterprises adopt an API-first approach to building microservices. In this strategy, the design process for applications and services starts with an API contract that outlines how an API works, down to the format of requests and responses.
The benefits of API-first software development can be easily undermined by a failure to take API security seriously, especially during design and deployment. At the most basic level, more APIs mean more attack surface. While APIs play a vital role in modern software development, they are simultaneously becoming easier to exploit.
In 2018, Gartner predicted that APIs would become the most common attack vector for applications by 2022. If anything, their prediction of that much delay was overly optimistic. High-profile API breaches at major companies that affected millions of users were already occurring and have only become more common:
The breadth and variety of these attacks reveals the challenges faced by security and engineering leaders. Some attacks exploit APIs that were incorrectly exposed to the internet. Others use API keys or other authentication methods that were incorrectly exposed in code repositories. Or attackers get access to internal environments through VPN exploits and use internal APIs to exfiltrate data.
The most common way to protect against API threats is to combine traditional web application security strategies with modern API security techniques. Traditional strategies often fall short in the face of today’s varied API threats. Modern techniques like automated API discovery and API contrast testing attempt to close these gaps.
It is critical for enterprises to shield right (implement global controls and security policies to protect deployed apps and APIs) and shift left (build security into code to eliminate vulnerabilities before apps and APIs go into production). Neither strategy can provide comprehensive API security on its own, so the key to preventing breaches is a holistic approach that spans three categories of API security practices:
By combining the right strategy with the right tools, organizations can better protect their APIs from attacks and ensure the security of their software systems. Let’s look at the important functionality and tools that platform engineering leaders need to implement to protect APIs across their lifecycle.
API security posture management creates visibility into the number, types, locations, and data exposed by your APIs. This information helps you understand the risks associated with each API so you can take appropriate actions to protect it.
Key functionality:
Representative technologies:
It’s important to keep in mind that no technology can reliably find every API in your architecture. Most discovery techniques rely on visibility provided by existing load balancers, API gateways, and Ingress controllers, and are not likely to catch misconfigurations that bypass these architectural components.
Ultimately, code review and following API-first best practices offers more effective long-term prevention. But automated API discovery tools are still useful for rapidly building a view of your security posture and for catching APIs that might otherwise go unmanaged and unsecured.
While API security posture management is concerned with enterprise-wide security, API security testing is very much about individual APIs. At its most basic, API security testing helps identify and prevent vulnerabilities and their associated risks by testing the API runtime – the application running behind the API. It helps ensure that basic security requirements have been met, including conditions for authentication, authorization, rate limiting, and encryption.
Key functionality:
Representative technologies:
There are both open source contract-testing tools and commercial products from dedicated API security vendors. The application security testing (AST) market has existed for decades, and increasingly many vendors offer dedicated scanning and testing tools for APIs.
API runtime protection refers to securing APIs as they operate and manage requests. It prioritizes building security into the platform infrastructure as well as the code of the APIs themselves. The objective is to identify and prevent malicious API requests that emerge after deployment.
Key functionality:
Representative technologies:
Not all API gateways and WAFs/WAAPs are created equal. Some services, particularly the native solutions available on cloud and other platforms, lack the global visibility and standardization required in multi-cloud and hybrid architectures.
Given the importance of securing APIs, it is essential to approach API security in an organized way. Platform engineering and security leaders must work together to address security requirements across the API lifecycle. As we explored earlier, this roughly aligns to three main areas of practice: API security posture management, API security testing, and API runtime protection. In other words, you need to focus on knowing how many APIs you have, how to test them for errors, and how to build security into your code.
Like all cybersecurity, API security is an ongoing process that requires collaboration with many stakeholders, including network engineers, security operations leaders, platform engineering leaders, and software development engineers. The good news is that it’s no great mystery how to secure APIs.
Most organizations already have measures in place to combat well-known attacks like cross-site scripting, injection, distributed denial of service, and others that can target APIs. And many of the best practices described above are likely quite familiar to seasoned security professionals. No matter how many APIs your organization operates, your goal is to establish solid API security policies and manage them proactively over time.
Start your 30-day free trial of the NGINX API Connectivity Stack, which includes F5 NGINX Management Suite API Connectivity Manager to manage, govern, and secure APIs; F5 NGINX Plus as an API gateway; and F5 NGINX App Protect WAF and DoS for advanced API security.
"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous NGINX.com links will redirect to similar NGINX content on F5.com."