How to Implement an Effective API Security Strategy
API security has been a hot topic for the past year, and will continue to be one in 2023. The use of APIs has increased greatly over the last several years due to the ease of data transfer and the ability to reuse code across multiple applications. APIs are easy to develop and to integrate, which is facilitating a new era of interconnectedness on the internet. While this allows for innovation and better interaction between systems, it also means more complexity and risk. Thankfully, APIs are not new and we already know how to secure them.
What is an API?
An API (Application Programming Interface) allows two programmatic entities to interact. The systems involved can be internal or external-facing and almost always exchange data of some kind, and any kind of data can be transferred over an API. Since that data can range from public to confidential, developers and leadership need to know the sensitivity level of the data an API handles, based on the organization's data classification policies and standards. That classification is what determines which APIs should receive the most security scrutiny.
To illustrate an API in action, a researcher could use an API to scrape social media data to provide insights into social patterns. Another use case may allow a patient to book a doctor’s appointment and blood work appointment through the same portal (via implementing APIs) without requiring them to make the appointments in two different web applications. Newer cars are being outfitted with APIs to remotely control vehicle functionality and ownership. In each of these cases APIs improve the user experience and streamline workflows.
Developers are able to stand up an API for a single use case or for many. This flexibility reduces how much code an application needs in order to interact with other systems. There are several architectures and protocols related to APIs, including SOAP, REST, JSON-RPC, and XML-RPC. Which one is used depends on the use case and what the developers need from the API. From a security standpoint, the API security strategy is the same as any application security strategy: inventory, threat modeling, testing via tooling, and manual testing. The difference lies in what to look for and what to secure within an API.
Securing an API
Securing an API is slightly different from securing a typical web application, but there are overlaps. Common web application vulnerabilities such as cross-site scripting are not necessarily in play when the API returns data rather than rendering it, but broken authentication, authorization failures (especially at the object level, where one user can read or modify another user's records), excessive data exposure and misconfiguration are commonly identified. As a result, OWASP found it necessary to create the OWASP API Security Top 10 to complement the traditional OWASP Top 10.
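The object-level authorization failure mentioned above is worth seeing in code, because it is invisible to scanners that only check whether a session is required. The following is an added example, not code from the original article or its author: a minimal in-process "handler" for a hypothetical GET /orders/{id} route in its vulnerable and hardened forms, plus a simulated attacker walking sequential ids with one valid session. The order records and user names are constructed fixtures.

```python
"""Broken object-level authorization in a minimal API handler.

Added example (not from the original article). Data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str        # user id that placed the order
    total_cents: int


# Constructed sample data: two different customers, one order each.
ORDERS = {
    1001: Order(1001, "alice", 4999),
    1002: Order(1002, "bob", 125000),
}


class NotFound(Exception):
    """Maps to HTTP 404 in a real framework."""


def get_order_vulnerable(caller: str, order_id: int) -> Order:
    """GET /orders/{id}: the caller is authenticated (we know who they
    are) but ownership is never checked, so any logged-in user can read
    every order by changing the id in the URL."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id)


def get_order_hardened(caller: str, order_id: int) -> Order:
    """Same route with the object-level check: fetch the record, then
    verify the caller owns it. 'Missing' and 'not yours' both return
    NotFound so the response does not confirm which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        raise NotFound(order_id)
    return order


def enumerate_orders(handler, caller: str, id_range) -> list:
    """Simulate an attacker with one valid session walking sequential
    ids. Returns the ids of other users' orders the handler disclosed."""
    leaked = []
    for oid in id_range:
        try:
            order = handler(caller, oid)
        except NotFound:
            continue
        if order.owner != caller:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable leaks:", enumerate_orders(get_order_vulnerable, "alice", ids))
    print("hardened leaks:  ", enumerate_orders(get_order_hardened, "alice", ids))
```

The enumeration loop is exactly what a manual tester does against a real API: take one legitimate session and walk the identifier space. Automated tools rarely catch this class of flaw, which is one reason the article recommends manual testing alongside scanners.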
The OpenAPI Specification, maintained by the development community, describes an API's endpoints, parameters and responses in a machine-readable document and includes security schemes and per-operation security requirements, so security expectations are captured alongside the design rather than bolted on afterwards. This is an opportunity for security to align with development and design better APIs. Threat modeling is essential for understanding data flows and trust boundaries. It also gives security and development a structured way to walk through potential abuse cases together.
Application security tooling can help identify vulnerabilities within code and surface misconfiguration issues. There are several new flavors of tools on the market. It is vital to understand your use case and to document the problems you are trying to solve before deciding which solutions may be most beneficial. How much configuration a tool requires, and how complete and detailed your organization's API documentation is, can also weigh on a procurement decision. There is a lot of misunderstanding about which tools solve which problems: API security tools range in capability from runtime protection against attack, to discovery, to API security scanning, and this part of the market will continue to mature over time. Manual testing of APIs is always recommended in addition to automated testing.
To secure APIs and track their vulnerabilities, the security team first needs to know where the APIs are within the environment. Discovering them can be its own problem, and unfortunately there is no easy answer. Many vendors in the API tooling space have discovery capabilities embedded in their solutions, but how well they work depends on where and how they are deployed. Most organizations do not have a full inventory in place. Logging should be planned alongside the inventory, because without request-level logs there is no way to see which APIs are actually being called, by whom, and whether any of them are absent from the inventory.
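The two points above, the OpenAPI document as a place where security requirements live and the inventory gap that logs can help close, can be combined into a lightweight check. The following is an added example, not code from the original article or any vendor's product: it walks a constructed OpenAPI 3 document to find operations that end up with no authentication requirement (an operation-level `security: []` silently overrides the global default), then parses constructed access-log lines, collapses identifiers into a `{id}` placeholder, and reports routes that carry traffic but appear nowhere in the spec. The spec, the log lines, the common-log-format layout and the `bearerAuth` scheme name are all assumptions for the example.

```python
"""Inventory checks over an OpenAPI document and access logs.

Added example (not from the original article). All inputs constructed.
"""
import re
from collections import Counter

# Constructed OpenAPI 3 fragment. Global `security` requires a bearer
# token; two operations opt out with an empty list. One of those opt-outs
# (the health check) is intentional, the other is not.
SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/health": {"get": {"security": []}},
        "/users/{id}": {"get": {}, "delete": {}},
        "/admin/export": {"get": {"security": []}},
        "/orders": {"post": {"security": [{"bearerAuth": []}]}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def unauthenticated_operations(spec, allow=frozenset()):
    """Return 'METHOD /path' for every operation whose effective security
    requirement is empty. Operation-level `security` replaces the global
    list entirely, and an empty list means no authentication at all."""
    global_sec = spec.get("security", [])
    found = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            effective = op.get("security", global_sec)
            key = f"{method.upper()} {path}"
            if not effective and key not in allow:
                found.append(key)
    return sorted(found)


# Constructed access-log lines (common log format, request line quoted).
LOG_LINES = """\
10.0.0.5 - - [12/Jan/2023:10:01:02 +0000] "GET /users/42 HTTP/1.1" 200 512
10.0.0.5 - - [12/Jan/2023:10:01:03 +0000] "GET /users/43 HTTP/1.1" 200 498
10.0.0.9 - - [12/Jan/2023:10:01:07 +0000] "POST /orders HTTP/1.1" 201 88
10.0.0.9 - - [12/Jan/2023:10:02:11 +0000] "GET /v1/internal/debug/7f3a1c2e-0b4d-4e7a-9c1f-2d3e4f5a6b7c HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jan/2023:10:02:12 +0000] "GET /health HTTP/1.1" 200 2
10.0.0.7 - - [12/Jan/2023:10:03:00 +0000] "DELETE /users/42 HTTP/1.1" 204 0
""".splitlines()

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def normalize_path(path):
    """Drop the query string and collapse numeric or UUID segments into
    `{id}` so that /users/42 and /users/43 count as one route."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg
                    for seg in path.split("/"))


def observed_routes(lines):
    """Count requests per normalized 'METHOD /route' seen in the logs."""
    routes = Counter()
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            routes[f"{m['method']} {normalize_path(m['path'])}"] += 1
    return routes


def documented_routes(spec):
    """'METHOD /route' for every documented operation, with the spec's
    own parameter names rewritten to `{id}` to match normalize_path."""
    docs = set()
    for path, item in spec.get("paths", {}).items():
        tmpl = re.sub(r"\{[^}]+\}", "{id}", path)
        docs.update(f"{m.upper()} {tmpl}" for m in item if m in HTTP_METHODS)
    return docs


def shadow_routes(spec, lines):
    """Routes that take traffic but are absent from the specification."""
    return sorted(set(observed_routes(lines)) - documented_routes(spec))


if __name__ == "__main__":
    print("no auth required:", unauthenticated_operations(SPEC, allow={"GET /health"}))
    print("undocumented routes:", shadow_routes(SPEC, LOG_LINES))
```

The allowlist exists because some unauthenticated operations are legitimate; the point of the check is that every such operation is a deliberate, recorded decision rather than an accident of inheritance. The shadow-route comparison is the simplest form of the discovery capability the vendor tools offer, and it only works if request logging captures method and path for every API, which is why logging belongs in the inventory conversation.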
Strategies for Securing your APIs
API security was and will continue to be a hot topic. The strategy to secure it is not unlike other application security strategies. Inventory is key, because we need to know where the APIs are in order to secure them. Threat modeling gives both security and development a better way to design APIs and to understand data flows and trust boundaries. Manual and automated testing of APIs and their code identifies vulnerabilities and misconfigurations and so reduces risk. Finally, writing abuse cases and testing the APIs against them helps ensure consumers cannot misuse an API through business logic flaws. API implementation and usage has grown exponentially and looks set to continue for the foreseeable future. Having the right API security strategy in place will reduce risk and enable innovation within the organization.
Timothy De Block
Application Security Practice Lead,
GuidePoint Security
Timothy De Block is the Application Security Practice Lead for the Southeast Region at GuidePoint Security. Timothy began his career by joining the Navy in 2001 as an Electronics Technician, and after leaving the Navy he worked his way up the IT ladder as a network and system administrator. In 2012, he became an Information Security Officer for the State of South Carolina, where he discovered his interest in application security and proceeded to get more involved with developers. In 2016, he moved to the private sector, joining a healthcare company based in Nashville as the Senior Software Security Engineer, where he built a strong application security program with the development team. His work got him promoted to Manager of Security Assurance and Engineering where he took on the internal penetration testing team, security engineering, and vulnerability management.
Timothy has contributed to the cybersecurity community by volunteering and speaking at various security and development conferences and local user groups, including BSides, DerbyCon, and ColaSec. He has also produced over 200 episodes of podcast content focused on cybersecurity topics.