More companies are relying on APIs to build their applications and to communicate internally or with other systems and even customers. While this makes API development a trend, it also attracts unnecessary attention from hackers who aim to exploit the gaps in your API security. For example, in 2021, 5.4 Million Twitter (now X) user records containing non-public information were stolen due to an API vulnerability. Similarly, Facebook also suffered from an API flaw that led to hackers stealing access tokens of 50 million users in one of the most significant API security failures to date.
API threats and attacks will only continue to grow. However, there is still confusion regarding how to effectively secure APIs. Considering the mixed messaging and oversaturation of API security tools and acronyms that exist, this is understandable. Do you choose a Runtime Application Self-Protection (RASP), Cloud Workload Protection Platform (CWPP), a Web Application and API Protection (WAAP), or use a Web Application Firewall (WAF) to secure your APIs? This article covers some of the most preventive strategies your company should consider, implement, and periodically review to ensure your API environment remains secure. Additionally, we will also cover some of the most common pitfalls that come with these security measures when securing APIs.
Summary of eight strategies for secure APIs The table below lists eight points that should be part of your strategy to enhance and, more importantly, maintain a secure API environment.
Strategy Description OWASP Top 10 API Checklist Evaluate the effectiveness of your overall API security strategy by measuring against the OWASP Top 10 and seeing if you have solutions in place for all ten security flaws. Secure authentication Implement strong authentication mechanisms, such as API keys, OAuth, or JWT tokens, and use secure methods like HTTPS to transmit authentication credentials. Documentation and API versioning Clearly document security requirements, authentication methods, API endpoints, and the data classification the API handles. Shadow and zombie API discovery Discover all your hidden, undocumented APIs and ensure they’re never forgotten. API testing Regularly perform API testing to identify and address vulnerabilities from an external perspective. Security patching Regularly update and patch all software dependencies and frameworks to address known vulnerabilities. It also includes the OS server or the environment where the API is hosted. Continuous security monitoring Implement continuous security monitoring to detect and respond to security threats in real time. Ensure you and/or your security team stay up-to-date on the latest incident response best practices like those covered in this article, and train your security team to respond to incidents. Using an API security platform with an integrated runtime protection approach, not a Web Application Firewall (WAF) WAFs cannot effectively protect APIs because they don’t understand them. An API security platform that is truly API first is geared toward helping security teams create and actually enforce tailored security policies that work.
Eight strategies to achieve API security For the rest of this section, we’ll take a closer look at the eight steps and provide examples for each.
#1 OWASP Top 10 API Checklist Open Worldwide Application Security Project (OWASP ) is an online, volunteer-based community devoted to a secure internet, i.e., to secure web applications and APIs. It is especially famous for its regularly updated top 10 lists, which cover the most critical risks the developer community recognizes as a threat to a safer web. The current Top 10 checklist for API is OWASP API Security Top 10 2023 , which covers issues like broken authentication, improper inventory management, server-side request forgery vulnerability (SSRF), etc.
OWASP API Top 10 (2023) Broken Object Level Authorization Broken Authentication Broken Object Property Level Authorization Unrestricted Resource Consumption Broken Function Level Authorization Unrestricted Access to Sensitive Business Flows Server-Side Request Forgery Security Misconfiguration Improper Inventory Management Unsafe Consumption of APIs
While we will cover some of these issues in the following sections, coverage of the entire OWASP Top 10 for API is out of the scope of this article. Interested readers can read this article , where we explain each of the elements of OWASP Top 10 for API 2023 in detail and compare it with its predecessor, the 2019 list.
#2 Secure authentication Authentication is identifying yourself against the API backend before your API request is accepted and processed. While many different authentication mechanisms can be used to authenticate, three are the most popular:
API keys This is by far the most popular API authentication mechanism used in practice. Each user or “API consumer” is given an API key to present in each API request so the server can identify the user requesting data from the API. In the example below, the API key is sent only as a GET parameter in the URL for illustrative purposes. In practice, since URLs are logged, always send the API key in a custom HTTP header to prevent the API key from being leaked.
Authentication with an API key (source ) JSON Web Token (JWT) Similar to a cookie, it stores information that uniquely identifies the user, such as the username, permissions, etc. This token is usually digitally signed to prevent tampering with it.
OAuth 2.0 OAuth 2.0 is an industry-standard protocol that allows third-party entities to access resources on behalf of the user who authorized it. In the context of API authentication, the user uses his/her credentials to request an access token against a token endpoint. The returned access token is then used on every subsequent call against protected endpoints to authenticate the user. While this sounds very similar to API keys, two major differences are that these access tokens have an expiration date and can also be used to specify or limit the permissions of the access token holder, i.e., the level of authorization.
Authentication via OAuth2.0 tokens (source ) Implement authentication mechanisms correctly While authentication might sound straightforward, many things can go wrong during implementation. A good example of the consequences of improper authentication is what happened in Bangladesh in 2023, where the data of millions of Bangladeshi citizens was accessible to everyone because the developers didn’t use any authentication or authorization mechanisms.
Even when authentication is implemented, how it is used is also essential. For example, as mentioned above, JWT tokens are digitally signed tokens using a safe cryptographic algorithm. However, the developer might also forget to use a proper cryptographic algorithm and leave it to ‘none , ' which translates to no cryptographic signing at all. This allows an attacker to modify the JWT token, e.g., changing permissions from a simple user to an administrator. Additionally, if the secret key used to sign the token is leaked or stored insecurely, its theft would allow an attacker to forge JWT tokens of any kind. Needless to say, any kind of authentication token or key must be transferred securely via HTTPS to avoid interception along the way.
While developers might forget to test the authentication workflow properly, you can trust API security platforms like Impart Security to prevent unauthorized access and check for authentication issues, such as weak authentication, basic authentication, or no authentication at all.
Free guide to API rate limiting
#3 Documentation & API versioning Documentation is an important step of every application, whether on the web or API endpoint. It clarifies the API structure, how to use it, how the authentication works, what API endpoints can be used, its version, etc. This has multiple benefits for different entities:
API consumers can read the documentation to learn how to properly use the API.Developers can recollect how the API works years after it was developed or for ramping up on new API projects. Security analysts can evaluate the security of an API and its dependencies, especially when checking for deprecated API versions. Documentation is often a cumbersome, manual task that developers often try to avoid, which might lead to incomplete documentation. Additionally, while it is often not mentioned in the API documentation, the nature of the data these API endpoints serve is also essential to document. Based on the nature of the data, an organization might be obligated to follow and comply with regulations like the General Data Protection Regulation (GDPR ) or the Health Insurance Portability and Accountability Act (HIPAA ). To ensure your organization is compliant and to take the documentation burden off developers’ shoulders, consider using an automated API Discovery solution which also handles and automates the documentation process.
#4 Shadow and zombie API discovery Shadow APIs are actively used APIs that are not documented or tracked by an organization. Similarly, zombie APIs are abandoned, forgotten, or outdated APIs that are barely used anymore. Both shadow and zombie APIs can pose a significant threat to your entire API environment. The reason for that is simple: an unmanaged API endpoint will not receive security patches, and it will not be in the scope of security tests or part of any monitoring or asset management process. This makes shadow and zombie APIs the Achilles’ heel of your entire API environment, as their compromise might shatter your company’s reputation despite efforts to secure all documented or actively used API endpoints. To make matters worse, since these API endpoints are not monitored, their compromise or data leak might last a long time before the compromise is discovered.
Impart Security - API Discovery (source ) That is why investing in solutions that specialize in the automated discovery of shadow and zombie API endpoints before they are exploited and become a security liability is crucial.
#5 API testing In an ever-changing cybersecurity landscape, it is important to perform API testing of your API endpoints regularly. This allows your company to test the APIs from an attacker's perspective and discover security flaws that any threat actor might exploit on the internet. Remember that a patched API environment doesn’t necessarily mean that your APIs are secure. Issues such as broken authentication, exposed unprotected APIs, misconfigurations, data exposure, etc., might still be present in a patched environment. Therefore, regularly testing your API environment is a necessary process that goes hand in hand with the security patch process. For a concrete list of API security tests to conduct and what best practices to follow, consider reading this detailed article on API security testing .
#6 Security patching As with every other software, security vulnerabilities also impact APIs in their components or wherever they are hosted. This includes:
The server where the API is hosted The Operating System (OS) of the server where the API is hosted The web/API framework the API is written with The packages and dependencies used in the source code of the API Third-party integrations within the API code (e.g., JavaScript resources from third parties that might be compromised as part of a supply-chain attack). Therefore, having a patch management process that checks for vulnerabilities and patches them as soon as possible is important to reduce the overall attack surface on your APIs.
Learn about 2023 OWASP API Top 10 Changes
#7 Continuous security monitoring API security is not a one-time activity. Instead, it is an ongoing process that needs to be constantly monitored. Monitoring is not limited to purchasing security tools and expecting to set them up and forget about them, but also designing incident response plans, training developers to follow the best security practices, and creating and training an incident response team that can react to the threat in real time.
Unfortunately, resource-strapped teams find it challenging to monitor while keeping up with the increasing number of security incidents. To reduce the burden on small security teams, consider choosing a comprehensive API security platform that aids with continuous API monitoring of all endpoints (shadow or not), protects against DDoS attacks, and provides an overview of high-risk endpoints in real time. This makes it easier for the security team to measure the security posture of their API environment and better understand the assets that need to be monitored. After all, the first step of every defense is knowing precisely what you need to protect.
Impart Security - Security Monitoring of API Endpoints (source ) #8 Using an API security platform with an integrated runtime protection approach, not a Web Application Firewall (WAF) While WAFs shield web applications, their limitations create vulnerabilities for APIs when used as the only line of defense. Below are some limitations that necessitate a more proactive and integrated protection approach, including discovery, testing, remediation, and posture management, which requires an API security platform with more than mere firewall functionality.
API first: WAFs lack a native understanding of the entire API lifecycle, whereas a true API security platform brings findings from the entire lifecycle of every API, spanning design, development, and testing phases, to where it matters—the runtime. Internal attacks and third-party interactions: They're oblivious to threats within your network (east/west traffic) and with third-party APIs that your APIs might depend on. API endpoint-specific policies: WAFs aren't capable of offering or deploying per endpoint (security) policies without a lot of overhead. They are not meant for API endpoint management, scanning, or discovery but only to serve as a shield for attacks from the internet. No testing: WAFs don’t test API security before production deployments and often lack integration with CI/CD processes. Additionally, they do not contribute to validating runtime findings during testing. No remediation: WAFs are a tool meant for security operations teams to block attacks and do not help application security teams fix root causes like API security platforms do. Without fixing the root cause, it will only be a matter of time for attackers to find a method to bypass the WAF defense and deliver the exploit. This makes finding and remediating or fixing the root cause crucial. Remember, WAFs are helpful allies, but for robust API protection, consider additional layers of integrated functionality such as the ones provided by modern platforms like Impart Security .
Mistakes to avoid while securing API This section covers some common mistakes you might unintentionally commit while securing your APIs:
#1 Outdated documentation In many cases, the API documentation is written when the API programming ends, and it is never to be updated again. It is important to emphasize that API documentation is an ongoing process, and it is advisable to use an API security platform that automates document management. Otherwise, outdated documentation might lead to many consequences, such as the compromise of an undocumented API that was out of scope for testing or patching.
#2 Monitoring, but not responding In our experience, many security practitioners purchase security tools to monitor their environment, expect to set them up and forget about them. They do not have incident response plans or a properly trained security team to react to incidents. Similar to having cameras but not reviewing the footage, monitoring by itself is insufficient. Ensure that your security team is properly trained, regularly monitors the security tools for alerts, and uses well-prepared incident response plans for a swift response.
#3 Infrequent security tests It has often been seen in practice that penetration tests are only done when the API goes live or if there is a major upgrade. Note that securing APIs doesn’t only depend on its source code but also on your company’s environment, its dependencies, the ever-changing security landscape, etc. That is why it is important to evaluate your API security posture regularly to identify any new security holes in your defenses and react before it is too late.
Integrated API Security
Enforce API security inline without having to rely on a Web Application Firewall (WAF)
Choose between agentless and agent-based solutions to analyze HTTP headers and bodies
Discover APIs in minutes, detect a breach, and automatically defend attacks in one tool
Conclusion With API security breaches and data leaks increasing, creating and maintaining a secure API environment is important. That is why in this article, we covered eight different strategies to strengthen your overall API security posture ranging from following the OWASP API Top 10 to continuous security monitoring and using an API security platform, not a WAF. While this might look like a never-ending battle for your security team, your company can use a comprehensive API security platform that automates a part of these security checks to reduce the overall burden and make you and/or your security team more effective.