APIs (application programming interfaces) are not only the connective tissue between applications, systems, and data, but also the mechanisms that allow developers to leverage and reuse these digital assets for new purposes. APIs factor into almost every digital use case, and their role in security news isn’t an intrinsic flaw in APIs any more than vaults are categorically flawed simply because some of them have been cracked.
But the headlines nevertheless reinforce an important message: if API security isn’t at the top of an enterprise’s 2019 priorities, that list of priorities is incomplete.
Indeed, the mandate for API security is becoming something of a consensus:
- In the December 2017 report “How to Build an Effective API Security Strategy,” Gartner analysts Mark O’Neill, Dionisio Zumerle, and Jeremy D’Hoinne predict that “[b]y 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”
- The OWASP Top 10, a respected list of web security threats, features dozens of references to APIs. Its explicit warnings include cautions against APIs that transmit sensitive data without protection, APIs whose traffic goes unmonitored for suspicious behavior, and APIs that use vulnerable components.
- Healthcare organization HIMMS issued a report in 2018 detailing the risk unsecured APIs can pose to sensitive healthcare data.
Surveys indicate enterprises are already particularly concerned about the threats bots and distributed denial of service (DDoS) attacks represent to APIs. Despite these concerns, opportunities remain ripe for bad actors — especially when enterprises lack insight into how their APIs are being leveraged. Many organizations remain unaware of how many APIs they’ve even deployed, whether anyone is using the APIs, or if the APIs are driving traffic.
And of course, the importance of API security is testified to by the growing number of API-related breaches and security incidents. One vulnerability at a government institution allowed any logged-in user to inappropriately query the system for other users’ private details, including email addresses, phone numbers, and street addresses, for example. Others have exposed even more sensitive data. The vulnerabilities and the damage they impart vary — but the point is, relying on poorly-designed and managed APIs arguably grows riskier with each passing minute.
How should enterprises address this rising threat? Here are four tips that we on Google Cloud’s Apigee team recommend.
Treat TLS as the foundation
- “Transport layer security,” or TLS, encrypts traffic, helps ensure the client is communicating with the correct server, and is the foundation of API security. No API should go without it.
- Keep up with TLS changes — because they are frequent. Many API teams test TLS configurations with services such as the SSL Server Test from Qualisys SSL Labs.
- Consider going beyond encryption with trace tools, data masking, and tokenization.
Focus on authentication
- The ability to control API access is a cornerstone of effective API security. Enterprises should use OAuth to authenticate users.
- Authenticate both end users and applications.
Use rate limiting to keep brute force attacks at bay and manage traffic
- Use rate limits to protect against brute force attacks. For example, a hacker might use automated software to generate a large number of consecutive login attempts by systemically guessing passwords. If the API is not protected by rate limits, it may allow this attack to continue indefinitely or until it succeeds.
Use behavioral patterns and machine learning to put bad bots in their place
- Monitor not only API access but also traffic patterns in order to spot suspicious behaviors.
- Apply sophisticated algorithms and machine learning to spot bad bots, and note that approaches that work for network or web attacks may not be effective for APIs.
One of the few sure things in enterprise IT is that as long as businesses use technology, bad actors will try to find vulnerabilities. The challenges are numerous, but they are also an unavoidable part of being successful, as the more digital success a company has, the more attackers it is likely to attract.
The above tips are a starting point, but enterprises need to be proactive, always aware that striking the balance between making APIs user-friendly for developers yet protected from attackers is a delicate and iterative process. And technical considerations aside, there is also the human side of security — the terms of service that an enterprise sets around the use of its APIs, the way it communicates changes to its API or responds to a breach, etc.
Though there’s no room for complacency, enterprises are not captive to bad actors and their increasing sophistication. Businesses that place the proper focus on API security will be doing their best to ensure that if those API security headlines pop up throughout 2019, they’ll be referring to other companies’ breaches.
[Looking to learn more about API security? Get your copy of our recent eBook, Inside the API Product Mindset: Building and Managing Secure APIs.]