With the meteoric rise of microservices and the rush to build more applications more quickly, APIs are being used more than ever to connect services and transfer data. But with a growing number of smaller application "pieces" trying to communicate with each other, APIs (your own and those from third parties) are becoming increasingly challenging to secure.
Add to that the pressure that developers are under to produce—a lot—and you could easily have a recipe for a security disaster.
The most critical API security risks include: Broken object level, user- and function-level authorization, excessive data exposure, lack of resource, security misconfiguration, and insufficient logging and monitoring.
The implications of these and other risks are huge. In fact, some of the biggest security breaches of late were due to an API vulnerability. This includes the infamous Cambridge Analytica breach, where a Facebook API loophole exposed personal information about more than 50 million people. And that's just one of dozens of examples of sensitive personal and competitive information laid bare by improperly configured and/or secured APIs.
With the volume and velocity of microservice-based applications increasing, organizations need to take API security more seriously than ever by putting a development pipeline in place that considers and applies security from end to end.
The nature of a particular business and the industry it's in will drive many API security considerations. Here are 10 best practices to ensure not only are APIs are properly secured, but also that they are secured based on how they are being used.
Here's how to get your API security house in order.
1. Identify vulnerabilities
The only way to effectively secure APIs is to know which parts of the API lifecycle are insecure. Of course, that's easier said than done, especially as the organization's use of APIs scales. It is important to consider the whole API lifecycle, since APIs need to be considered software artifacts on their own and, as such, must follow a complete lifecycle, including maintenance and retirement.
2. Leverage OAuth
One of the most important aspects of API security is access control for authentication and authorization. A powerful tool for controlling API access is OAuth, a token-based authorization framework that allows information to be accessed by third-party services without exposing user credentials.
3. Use tokens
The use of tokens, in general, is a good API security best practice. Developers can use tokens assigned to identities as a relatively simple yet effective way to establish trusted identities and control access to services.
4. Encrypt data
This cannot be stated more strongly or more often: All data, especially personally identifiable data, should be encrypted using a method such as Transport Layer Security (TLS). Developers should also require signatures to ensure that only authorized users are decrypting and modifying data.
5. Use rate limiting and throttling
As APIs' popularity increases, so, too, does the target on their backs. APIs are a prime target for DDoS attacks, for example. To avoid DDoS attacks, as well as API spikes and other issues that affect performance and security, place rate limits on how and how often your API can be called. Rate limiting can also throttle connections, balancing access with availability.
6. Use an API gateway
API gateways act as the major point of enforcement for API traffic. A good gateway will allow organizations to authenticate traffic, as well as to control and analyze how APIs are used.
7. Use a service mesh
Like API gateways, service mesh technology applies another layer of management and control as it routes requests from one service to the next. A service mesh optimizes how all of these moving parts work together, including ensuring that proper authentication, access control, and other security measures are put into place.
A service mesh is especially critical as the use of microservices scales. In fact, with the explosion of microservice deployment, API management is moving to the service communication layer with solutions available at the service mesh layer. Automation becomes critical to support the increase in the number of APIs.
8. Adopt a zero-trust philosophy
In the perimeter security model, what’s "inside" is trusted and what's "outside" is not trusted. The network is not that simple anymore, which is why a zero-trust model (ZTM) makes sense—especially with remote users. With a ZTM, the security focus shifts from location to specific users, assets, and resources.
9. Validate parameters
Validating parameters will help ensure that incoming data will not cause harm. In this framework, all incoming data is validated against a strict schema that describes permissible inputs to the system.
10. Develop a threat model
Threat modeling is a structured approach to identifying and evaluating risks. Threat models are best used as a preventative measure, but they should also be considered a continuous cycle for assessing, mitigating, and preventing application vulnerabilities in an automated yet controlled fashion.
It will only get worse
As organizations continue to break down monolithic applications into microservices and move farther down the cloud-native path, the use of APIs will continue to grow—and potentially grow more vulnerable. Ensuring that the 10 best practices listed here are followed will not guarantee 100% API security, but it will go a long way toward fortifying your application infrastructure.
This article includes contributions from Bolesław Dawidowicz and Hugo Guerrero Olivares, members of Red Hat's middleware and application services team.
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
