Application program interfaces (APIs) facilitate critical technology services for today’s businesses across all verticals. APIs are a primary method for accessing data through digital channels such as web and mobile applications, cloud and the Internet of Things (IoT), ensuring that organizations can more effectively access and share information with clients and partners.
As APIs are now part of industry standard enterprise architectures, security risks have become a major concern. Cyber threats and attacks are increasingly targeting enterprise applications, given their accessibility through cloud, mobile and in on-premise environments. The API can be a major point of vulnerability, given its ability to offer programmatic access to external developers. Ultimately, depending on how an API has been written, it could seriously expose data to exploits in back-end networks and applications, and further expand the surface area of attack.
APIs could be exposed to a number of threats and vulnerabilities allowing attackers to target the underlying system, application server or even the API itself. Systems must be evaluated for the patching and configuration vulnerabilities to remediate risk associated with patching, end of life software or configuration issues. The application server that hosts the API could be subject to session hijacking or security misconfiguration vulnerabilities. The hosted API itself could be host to injection attacks, access control issues or sensitive data exposure. It’s important to understand all layers of potential risk associated with an API and it’s related components.
There are fundamental protection methods that should be in place to mitigate the risk to critical APIs in your environment. The earlier security processes are baked into API deployment, the better. At the planning stage, architects and developers should consider the dependencies, authentication, authorization issues, and data integrity challenges that will impact the API once it is developed and placed into production. For example, controlling the access to APIs is critical to mitigating the risks of identity and session threats. It is essential to separate the identity of the user and the app that is accessing the API. API providers should be able to identify an app uniquely and control the operations that the app itself can perform. These measures should be part of standard practices and security policies that govern secure application and API development.
In development, the policies established for securing the APIs should be exercised.
Before deployment into production, APIs should undergo penetration testing to identify any vulnerabilities that could be exploited to compromise business sensitive information.
In production, APIs should be monitored for threats and performance issues that may indicate a potential security incident. Quality of Service should be established to mitigate against flooding and DoS attacks. Ongoing dynamic application security testing (DAST) and periodic penetration testing should be part of the API protection strategy.
APIs are too critical for businesses to ignore the implications of not having security as part of their API strategy. Establish an API security strategy, execute, and monitor continuously.