In today’s expanding cloud landscape, application programming interfaces (APIs) have become a keystone of modern cloud infrastructure, with SaaS applications using these conduits to connect with other tools and ensure that data is shared where necessary.
However, the rise of API usage requires increasing diligence to ensure their security. This article will examine the core best practices of API security, including why many organizations should consider a dedicated API security solution.
What are APIs, and Why Do They Matter?
APIs ensure that enterprises can connect best-of-breed point solutions together into a unified technology stack by enabling different software systems, applications, or services to communicate and share data seamlessly. APIs provide standardized methods for requesting and exchanging data, letting disparate tools work together.
They’re immensely valuable in cloud computing, enabling the orchestration of services across diverse environments and multiple providers. They offer flexibility in building cloud-native applications, improving efficiency, and enabling policy enforcement across cloud services.
Additionally, APIs facilitate scalability, security, and real-time management of resources, making them crucial for a modern, agile enterprise.
Types of APIs
That need for flexibility and scalability has meant a proliferation of APIs in cloud architectures today. As cloud computing and microservices advance, smaller, independent services replace monolithic applications. However, each will require its own APIs to communicate. This service-oriented architecture increases the number of APIs as every microservice communicates with others via APIs. Add external services, from payment gateways to analytics tools or CRMs, and multiple APIs of different types have become commonplace.
APIs add complexity beyond their type. It’s also worth noting that other factors add to their complexity, from a lack of visibility to misconfigurations, excessive data exposure, inconsistent access control, third-party risks, and complex dependencies.
In addition, individual security concerns stem from different API types.
Private APIs
Private APIs are not meant for consumption outside the enterprise. These are typically created within engineering teams to connect custom systems or applications used internally. Because they’re inaccessible from the broader internet, these APIs are often the easiest to secure with cloud security tools and network gateways. Their primary security challenge is access control and authentication since they’re designed for internal use with restricted access.
Public APIs
As the name indicates, a “public” API provides broad access to certain features or data of a service, application, or platform. They’re accessible to external developers, third-party applications, and the general public. These APIs tend to be used to extend the functionality of a product or service, with third-party developers building applications or integrations on top of them. These APIs create the biggest security risk because of their public availability. Key challenges include rate limiting and throttling (which control the number of API requests a client can make within a specific time frame), data exposure, input validation and injection attacks, and encryption.
Partner APIs
These APIs are similar to public APIs, but the difference lies in access. Partner APIs are only made available to specific partner organizations like customers, affiliates, or collaborators to control access to different data or services. Permission is often managed with some form of authentication. The native integrations from SaaS applications fall into this category. Their more pressing security challenges include trust and authentication, granular access control, compliance and data protection, and monitoring and auditing.
Third-Party APIs
Third-party APIs are valuable because of the functionality they deliver. Developers use these to save time in development and incorporate specific capabilities or data quickly. Yet they come with an inherent lack of control over the external service, and organizations using these services must trust the security of their providers — but also mitigate security risks like data privacy and compliance, API reliability and availability, access control, and security monitoring and auditing.
Common API Protocols and Their Security Challenges
Each of the above types of APIs can operate on any of the standard communication protocols, adding another layer to their basic security requirements of access controls, encryption, monitoring, and validation mechanisms to mitigate vulnerabilities. The four most common are:
- REST
- SOAP
- RPC
- GraphQL
REST API Security Considerations
The Representational State Transfer (REST or RESTful) protocol is the most common, with 85% of APIs using this protocol. It’s lightweight and stateless (it doesn’t store user sessions), making it ideal for web and mobile applications, where speed and ease of use are key. It’s also easy to create, relying on standard, widely known HTTP protocol and easy-to-read data formats like XML and JSON. The simplicity of REST APIs makes them accessible but leaves them prone to misconfigurations. Securing REST APIs means:
- Consistent monitoring
- Strong authentication
- Encryption
- Proactive threat detection
SOAP API Security Considerations
Simple Object Access Protocol (SOAP) APIs have stricter standards than REST APIs, and are typically used where reliability, transaction security, and strict communication standards are crucial. It operates with more rigid protocols than REST, often in scenarios that require formal contracts between services, like financial and healthcare services and government data exchanges.
With SOAP APIs, security considerations include its built-in WS-Security, which adds layers for message integrity and confidentiality. That means that:
- SOAP messages can be encrypted and signed, ensuring unaltered data in transit.
- SOAP includes strong authentication mechanisms, like Security Assertion Markup Language (SAML), which adds a layer of trust between parties.
- SOAP can store data, maintaining state across operations. That makes it more useful for complex transactions and critical to keep secure. SOAP’s complexity can make it more difficult to implement than REST.
Remote Procedure Call (RPC) Security Concerns
RPC allows applications to execute procedures or methods on another system over a network. It’s used where direct, low-level communication is required, such as internal services or systems management. RPC is powerful but risky because of its direct nature, allowing fast, efficient communication between systems.
This protocol comes with its own security concerns, including:
- Direct access to services: RPC allows direct calls to execute functions remotely.
- Authentication and access control: To ensure only authenticated users can invoke remote methods.
- Input validation: While a concern for all APIs, RPCs are particularly vulnerable to infection attacks because they deal directly with function execution.
GraphQL Security Considerations
GraphQL is a more modern API protocol designed for efficiency and flexibility, allowing clients to specify the data they need from a service and reducing over-fetching and under-fetching issues common with REST APIs. It’s widely adopted for front-end applications where flexibility in data querying is a priority.
GraphQL empowers non-developers to write and understand data queries, but because of that power, it is often limited in scope. Security tools can reduce GraphQL APIs to their single HTTP endpoint without looking at queries individually.
Specific security concerns with this type of API include:
- Fine-grained access control: Since clients can query exactly what they need, organizations must implement fine-grained authorization to ensure users can only access what they’re permitted to. Field-level authorization is crucial to securing GraphQL APIs.
- Query complexity and Denial of Service (DoS) attacks: From excessively complex or nested queries.
- Authentication: GraphQL APIs can expose multiple data sources in a single session.
API Security Best Practices
As APIs proliferate, they present an expanded attack surface, making API security an indispensable component of an organization’s security strategy. Yet, the different types of APIs and their diverse protocols make a monolithic “API Security Strategy” a myth. Instead, multiple approaches are required to safeguard sensitive data, maintain compliance, and mitigate risks.
However, there are some foundational best practices to be aware of in API security.
Create and Maintain an API inventory
Without an accurate inventory, shadow APIs or undocumented endpoints may remain vulnerable to exploitation. Tools that dynamically catalog and map APIs in real time help security teams maintain a clear understanding of their API landscape, identifying risks like internet exposure, data sensitivity, and documentation drift, thus mitigating security threats proactively.
Identify API Risks & Vulnerabilities
Effectively securing APIs requires continuous identification and management of risks. Leveraging real-time monitoring tools, teams can assess vulnerabilities like insecure internet communication, outdated components, and API drive, where documentation and implementation fall out of sync. Detecting these issues early helps ensure APIs stay aligned with security standards throughout their lifecycle.
Use Encryption
Encrypting API traffic is a critical step in securing all types of APIs. Encrypting data both at rest and in transit means sensitive data remains unreadable to attackers, limiting the impact of any intercepted or extracted data. Using automated tools to detect and encrypt API communications helps organizations stay compliant with standards like GDPR and HIPAA, too.
Implement Strong Authentication and Authorization
API requests must be authenticated using modern protocols like OAuth or JWT, which work to securely transmit information or login without sharing credentials across the internet. It’s easier to ensure that robust authentication and authorization are protecting APIs by integrating runtime insights to verify identities and enforce granular access policies, ensuring the right permissions are enforced at every endpoint.
Use Rate Limits and Throttling
To protect APIs from being overwhelmed with excessive requests, implement rate limits and throttling. Controlling the frequency of API requests prevents abuse like Denial-of-Service (DoS) attacks or accidental overconsumption of resources by legitimate users. With rate limits and throttling, APIs remain responsive and secure under high loads.
Modern Challenges in API Security
The widespread use of APIs has made them attractive targets for cyber attacks, and has meant that organizations need to do more to secure their APIs than institute a static strategy and step aside. Achieving effective API security means monitoring emerging threats, implementing proactive defenses, and adapting to sophisticated attacks.
A few of the modern challenges facing API security processes include:
- The evolving nature of visibility into organization APIs: Much like internet-accessible assets, APIs can often function without full knowledge of the IT or security team, as business leaders can implement new services off the radar of security teams or across silos. Knowing which APIs are making requests within the corporate architecture is paramount.
- Understanding normal API traffic patterns in depth and at scale: APIs should function the same way each time, connected to the same two systems and communicating back and forth. But that’s not always the case. Understanding the normal traffic patterns of an API can help security teams better recognize when an attack may be in progress or not. Behavioral monitoring and analysis are key, but this can be challenging as the scope and sheer number of APIs grows.
- Staying a step ahead of dependencies: APIs might be developed using specific open-source projects or even be open-source themselves. Understanding any dependencies the API may or may not have can keep the security team aware of any possible risks, but achieving this at scale can tax even the best-resourced teams.
- Tracking identity and resource permissions: The modern challenge of API management goes beyond the access control on most teams’ radar. API sprawl, microservices, and hybrid cloud environments all add complexity that requires enforcing fine-grained permissions consistently. The complexity can result in over-permissioned APIs that open attack surfaces for lateral movement and data breaches.
There are multiple challenges in securing APIs today. Shadow APIs, API sprawl, and complex dependencies may all introduce vulnerabilities. First, organizations need a clear understanding of their APIs and how they communicate, and only then can they engage effectively to secure those APIs and keep scaling operations in the modern cloud.
Why Is API Security Important?
APIs are a fundamental building block of the modern digital landscape. Enterprise applications connect with each other using APIs to share data bidirectionally and ensure employees can perform their day-to-day jobs. Consumer applications use APIs to query data in backend systems, ensuring they deliver quick results at the moment they’re needed.
Because APIs provide a backend framework for a majority of cloud-native applications, like mobile apps, web apps, and SaaS products, securing them against attacks is vital. In fact, most internet traffic (71%) in 2023 was API calls. The typical enterprise site saw about 1.5 billion API calls in the same period.
The precipitous rise in API calls makes these connection points highly attractive for threat actors. Moreover, because APIs often expose application logic, resources, and sensitive data — including personally identifiable information (PII) – attackers have started to pay attention. Threat actors are now attacking APIs in higher and higher volumes.
API Security Risks: The OWASP Top 10
The Open Worldwide Application Security Project (OWASP) developed a list of the top 10 API security risks. Reviewing this list of common failures in APIs is a vital first step toward ensuring strong API security. The top 10 risks include:
- Broken object-level authorization: APIs often expose endpoints that handle object identifiers. This creates a wide attack surface of object-level access control issues, which can be resolved with object-level authorization checks in every function that accesses a data source using identification from the user.
- Broken authentication: Authentication mechanisms can be implemented incorrectly, which allows attackers to compromise tokens or exploit implementation flaws to assume other users’ identities temporarily or permanently.
- Broken object-property-level authorization: This category merges two older security risks – API3:2019 Excessive Data Exposure and API6:2019 – Mass Assignment – and focuses on the root cause: the lack of or improper authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties.
- Unrestricted resource consumption: Satisfying API requests requires resources like network bandwidth, CPU, memory, and storage. Resources like emails, SMS, phone calls, and biometrics are available by service providers via integrations and paid for per request. Overloading the API with requests can lead to denial of service or higher operational costs.
- Broken function-level authorization: Complex policies for access control with multiple hierarchies, groups, and roles with an unclear distinction between administrative and regular functions tend to lead to authorization flaws. When attackers exploit these issues, they can access other users’ resources and/or administrative functions.
- Unrestricted access to sensitive business flows: This risk refers to APIs that expose a business flow, like buying a ticket without compensating for how the functionality could harm the business if automated and used excessively.
- Server-side request forgery (SSRF): Server-side request forgery (SSRF) flaws can happen when an API retrieves a remote resource without validating the user-supplied URI. This enables attackers to trick the application into sending a crafted request to an unexpected destination, regardless of whether it’s protected by a VPN or firewall.
- Security misconfiguration: APIs and the systems supporting them typically contain complex configurations meant to make the APIs more customizable. Software and DevOps engineers can easily miss these configurations or not follow security best practices when it comes to configuration, which opens the door to attacks.
- Improper inventory management: APIs often expose more endpoints than traditional web applications, making proper documentation vital. An updated inventory of hosts and deployed API versions is also critical to mitigate issues such as deprecated API versions and exposed debug endpoints.
- Unsafe consumption of APIs: Developers will often trust data received from third-party APIs more than user input and so tend to adopt weaker security standards. Attackers may go after integrated third-party services instead of trying to compromise the target API directly as a result.
Secure APIs with Upwind
The Upwind platform is purpose-built to secure all applications running in the cloud. Its runtime API security offering provides key protection for all APIs in real-time, protecting critical functions from external cyberattacks and configuration issues alike.
With Upwind, customers can:
- Discover & Catalog APIs – Discover and catalog APIs regardless of configuration or type, including HTTP, RESTful, GraphQL, SOAP, and more. Upwind provides insight with rich context around resources and endpoints, including internet exposure, ingress communication, drift detection, and sensitive data flows. Upwind also enables security teams to track and monitor API requests over time and view response codes.
- Scan & Test for API Vulnerabilities – Upwind empowers customers to focus on the most critical API vulnerabilities with a rigorous testing methodology to identify and address vulnerabilities for a proactive security stance. Upwind also features continuous automated scans for ongoing vulnerability assessments, reducing manual effort and ensuring real-time protection.
- Detect & Stop API Threats – Upwind continuously monitors API traffic for potential threats, including behavioral analysis to identify anomalous patterns. Upwind also integrates with automation workflows to provide a streamlined response to API threats.
To learn more about Upwind’s API security solution and advice on best practices, schedule a demo.