6 Principles of a Holistic API Security Strategy

There’s a very real chance that, were you to try, you could not identify every API endpoint in your environment right now. Unfortunately, you may not be able to say the same for malicious actors. If an endpoint exists, it can be used as a way in or as an avenue to disrupt critical business functions.

In addition, exposing APIs publicly opens you up to receiving queries from a myriad of customers, partners, and apps. This exposure also opens your organization up to compromise, so APIs are critical to understand and monitor. There are a number of risk controls that need to be considered to protect your organizations from the vulnerabilities and potential threats APIs can expose that might lead to breaches and downtime.

For any defender, API discovery is the first, critical step to securing APIs. It might go without says, but there is nothing more true than the saying “you cannot protect what you cannot see.” Having a complete API inventory serves as the starting point for developing or improving any API security posture, helping you understand and quantify your entire API threat surface. It serves as the baseline for:

• Visibility: By cataloging all available APIs you improve insights into your API threat landscape including vulnerabilities, sensitive data exposure, and unauthorized or forgotten endpoints.
• Version control: Establishing an inventory helps with version management— knowing the history and different versions of APIs helps you retire outdated or vulnerable versions or secure them properly.
• Monitoring: A centralized, complete API inventory allows you to better monitor and log API usage, making it easier to detect and respond to suspicious activity (anomalies) and potential security events—plus, in the event of an incident a clear inventory can aid in your response.
• Consistent security controls and policies: Having this visibility, including a complete API inventory, allows you to implement controls and policies effectively across your entire API threat surface.

It's a classic struggle. On the one hand, the urge to be bold, to push the boundaries, to do what your competitors can't is a cornerstone of any successful business. But on the other, staying secure doesn't always play nice with the newest innovations.

The key to striking the balance is threefold:

• Design an API governance strategy for each type of API in order to set the appropriate security controls.
• Implement API security policies that can be consistently enforced wherever APls are deployed.
• Adapt to emerging threats, anomalous behavior, and malicious users that attempt to exploit or abuse APls using Al to decrease the burden on security teams.

Depending on your industry, compliance standards will vary, with some requiring more stringent security than others. Regardless, it is essential that your API security posture is robust enough to face a barrage of threat vectors.

API security testing is not a one-time deal. Testing before, during, and after deployment is critical. By building testing into every stage of development, you gain many more opportunities to identify weaknesses and vulnerabilities before a breach happens. And while security-specific testing tools are great, don't forget about security use case modeling as well.

Security needs to run in the same continuous lifecycle of apps themselves, meaning tight integration within CI/CD pipelines, service provisioning, and event monitoring ecosystems.

Just like there is no one food that will keep us fully nourished, there is no single security control that will completely protect APIs. Instead, you need to develop a strategy that employs a well-rounded ecosystem of tools as part of a holistic app and API security architecture. That includes detection and in-line enforcement giving you the ability to control API behavior, limit undesirable or malicious activity, and block sensitive data from being exposed.

This may include a combination of capabilities and tools including:

• An API gateway
• App security testing (SAST and DAST)
• A web application firewall (WAF)
• Data loss prevention (DLP)
• Bot management
• DDoS mitigation

API gateways provide robust inventory and management capabilities but only provide basic security such as rate limiting that will not deter sophisticated attackers. Additionally, API proliferation is leading to tool sprawl—including API gateway sprawl.

App security testing is always critical but shift-left methodologies for robust application security during development need to be augmented with shield-right practices—namely securing API endpoints in production. 

Web application firewalls provide a crucial stopgap to mitigate application vulnerability exploits with signatures. APIs are susceptible to the same types of injection attacks as applications they support—attempting to execute unintended commands or access data. But WAFs typically lack the dynamic discovery capabilities necessary to continuously detect unknown (shadow or zombie) APIs and issues including behavioral anomalies with APIs and potential exploits of the business logic.

Sensitive data detection and data loss prevention capabilities help protect APIs and the data they access and transmit by detecting and masking sensitive critical data including personally identifiable information (PII) and financial information. This allows organizations to create data protection rules to limit or mask data transmission and block API endpoints from exposing data altogether—helping prevent data leaks via APIs.

Bot management for APIs cannot rely on commonly used security controls such as multi-factor authentication (MFA) and CAPTCHA, as API traffic is typically machine-to-machine and there is no direct human interaction except within user interfaces into API-based systems. 

Traditional DDoS mitigation focuses on network and volumetric attacks, whereas APIs can be subject to targeted layer 7 attacks that abuse critical business logic. The end result is the same—performance degradation and, potentially, downtime.

Dynamic API discovery, schema enforcement (positive security), access control, and automated anomaly detection and protections based on machine learning have emerged as critical ecosystem capabilities for defending APIs. It’s important to have a tool or multiple tools that are fluent in API protocols and allow for the enforcement of proper API behavior and the creation API protection rules. Organizations need to be able to create custom rules that specifically  govern APIs and API behavior. This includes allow and deny list controls, rate limiting, geo-IP filtering, and custom rule creation to act on API requests including masking sensitive data and match and request constraint criteria for specific API endpoints or groups.

API proliferation is driving untenable architectural sprawl across hybrid and multi-cloud environments. Again, API sprawl has led to API gateway sprawl as many security tools cannot provide consistent security across multiple architectures such as data center, private/public cloud, and the edge. Visibility and control of API traffic across the entire digital ecosystem is imperative for mitigating the next critical vulnerability, and for preventing misconfiguration that can occur when endpoints are distributed across different cloud providers.