In the rush to realize the benefits of API-led integration, API security is frequently overlooked or shoved to the side. While organizations have the best intentions to revisit the security of their API applications, setting this important aspect of development aside for later can lead to serious consequences, especially for public APIs.
API security doesn’t need to be overly complicated, but it can seem overwhelming to many given the advanced threats that occur in the industry. By following a few best practices, API security will change from a daunting task, to one that most organizations can accomplish.
Plan for API Ownership
Many times, we see companies implementing APIs, but skipping the important step of assigning an owner. Because we’re talking about security, an API owner goes beyond who does maintenance on the application.
An owner is responsible for ensuring API security is considered and managed. Because an owner must take charge when there is a security incident that involves the API, it’s in their best interest to make sure securing the application is part of its development.
When planning or designing your API, you need to ask:
- Who or what group owns the API(s)?
- Who is responsible for maintaining it or them, including updating documentation?
- Who reacts to an API security incident?
Ownership of an API is at a higher level than accountability or responsibility. An owner might even be a CTO. If it’s a group, then it’s typically the group leader or architect that is at the tip of the spear when there is an incident.
Benefits of Defining an Owner
One of the benefits of identifying an API owner is it’s clear who should be directing action during an incident, and who is ultimately in charge of ensuring security is considered and implemented.
Without ownership, an incident can result in a lot of different people and groups pointing fingers in many different directions. With ownership, it’s more likely that an API will be protected to the fullest from the start.
Include API Security in Your Planning or Design Phases (Don’t Skip Out on API Security)
API security can fall victim to the desire to implement a solution quickly. At other times, API security ends up an afterthought. In both cases, you can get seriously burned by leaving your APIs unprotected.
The surest way to prevent security from being sidelined is to bake it into the API’s design and planning process. It can take some time to include security, but this is time well spent. Plus, including it in the design means you can choose the type of API security most appropriate to your application right from the start.
Depending on your environment and the purpose and availability of the application, you may choose to implement only OAuth 2.0 and IP whitelisting. You may discover, however, that your API needs greater protection and choose to include WAF, OAuth 2.0, IP whitelisting, and even PingIntelligence for a public facing, high risk API. By including security thinking early, you’ll have the ability to bake the right security model into the development process instead of retrofitting it later.
The Benefits of Planning and Designing API Security from the Start
By raising the issue of API security from the beginning, it will raise stakeholder awareness of the need and keep it on their radar. Project milestones can be set with the development of the security components included. Stories and epics can be created alongside the other app features. Plus, the entire team will be bought into the inclusion of security as part of the API’s creation.
Build in API Monitoring
As much as possible, your security model should allow you to be proactive in protecting your API, not reactive. Building monitoring and alerting into the app promotes that proactive stance.
During the design phase, you should ask:
- What kind of metrics do we want to see?
- Do we have the visibility needed for our use cases?
- Do we have the ability to detect a breach?
As you consider your metrics, start with the ones that will give you the alerts needed to address issues quickly. As a baseline, your metrics should include:
- Request size
- Response size
- Geographic location
Alerting on these metrics will keep you aware of performance and outliers without requiring someone to look at a screen all day. These metrics can also help in identifying problems when the API is performing poorly, which can be like trying to find a needle in a haystack.
But these metrics and their alerts may not be enough. They might inform you when certain attacks are underway, but may not catch more sophisticated breach attempts.
If it’s important that you are able to detect a more advanced attack, you may need a more refined approach like machine learning or an AI engine. A product like PingIntelligence can also help to find API security-related attacks by learning the behavior of your API.
The Benefits of Alerting and Monitoring
Understanding normal performance and metric numbers will help you improve your API user experience. It also creates a viewport to detect breaches where you may not have had one before. Setting metric limits allow for alerting, and can even kick off automated actions.
Metrics and alerting also frees up time for your team. With well-defined metrics and the right tools, no one needs to spend time actively monitoring your APIs every day — the system can monitor itself and let you know when a problem or anomaly occurs.
Protect Your API with SOMETHING (Something is Better Than Nothing!)
This may not seem like a best practice, but when the alternative is to leave your APIs unprotected, something is better than nothing. That’s because bots can and do scan the web for open APIs, and they will find yours if it’s left unsecured. Even the most basic security actions will prevent more automated and brute force type attacks.
At a minimum you should put API gateway security on your app, whether it’s:
- IP whitelisting
- Basic authentication
- OAuth 2.0
Again, depending on your environment, whether your app is public or private, and your API’s purpose, you may choose to go all the way, including OAuth 2.0, IP whitelisting, PingIntelligence, and WAF. Do as much as is warranted by the API, its intended use, and its risk association.
The Benefits of Doing SOMETHING
By doing even the minimum, you’ll protect your APIs from common attacks, including bots probing the internet for low hanging fruit. With an even more secure API posture, you’ll eliminate many sophisticated and known attacks.
Maximize Your API Security with the Layered Approach
Do you want to sleep well at night? Then, using a layered API security approach is your best bet. As discussed over on PingIntelligence’s blog, this is the ideal way to protect your APIs.
The layers of API security include:
- API gateway security: great for rate limiting and access control
- Web Application Firewall (WAF): Great for OWASP top 10 protection
- Machine Language/Artificial Intelligence (ML/AI) Engine: Engines like PingIntelligence monitor the behavior of your APIs.Protects against advanced, authenticated attacks that can fly under the radar
This simplified illustration gives you an idea of what layered API security looks like, conceptually:
The Benefits of Layered API Security
Using a layered approach gives you the best protection with the most flexibility to address attacks. Using an ML/AI engine is like fighting fire with fire — hackers are using automated, AI-driven attacks, so your protection should, too. API security practitioners must use API gateway security to protect against standard attacks, WAF’s to protect against OWASP top 10 attacks, and ML/AI engines to protect again advanced attacks using sophisticated methods.
Using ML/AI has additional benefits, as well. For instance, you’ll gain deep visibility into your API’s usage, operation, and performance. An ML/AI model will learn the normal operation of your API and alert you if anything deviates from those norms. That data can also be mined for actionable insights on how to improve your application.
ML/AI models also offer a greater level of automated threat protection. There is no need to update security protocols or algorithms when using artificial intelligence and machine learning.
API security should be an integrated part of your API planning, design, and development process. If left as an afterthought, you’re rolling the dice on not if, but when, your API will be found and exploited. The benefits of securing your API are substantial, and far outweigh the cost of developing with API security in mind. If you follow these best practices, your organization will be in a far better position for protecting its APIs.