Best Practices and Benefits of API Security

Plan for API Ownership

Many times, we see companies implementing APIs, but skipping the important step of assigning an owner. Because we’re talking about security, an API owner goes beyond who does maintenance on the application.

Benefits of Defining an Owner

One of the benefits of identifying an API owner is it’s clear who should be directing action during an incident, and who is ultimately in charge of ensuring security is considered and implemented.

Include API Security in Your Planning or Design Phases (Don’t Skip Out on API Security)

API security can fall victim to the desire to implement a solution quickly. At other times, API security ends up an afterthought. In both cases, you can get seriously burned by leaving your APIs unprotected.

Build in API Monitoring

As much as possible, your security model should allow you to be proactive in protecting your API, not reactive. Building monitoring and alerting into the app promotes that proactive stance.

The Benefits of Alerting and Monitoring

Knowing what normal performance and metric values look like will help you improve your API user experience. It also creates a viewport for detecting breaches where you may not have had one before. Setting metric limits allows for alerting, and can even kick off automated actions.
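As an added illustration of the "metric limits that alert and kick off automated actions" idea (example code written for this edit, not from the original post): a small monitor that parses API access-log lines, tracks two metrics per client, requests per minute and the share of denied responses, and returns an alert plus a suggested action when either crosses its limit. The log format, the thresholds and the sample traffic are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed log format: "<ISO timestamp> <client ip> <method> <path> <status>".
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\dZ (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def evaluate(lines, max_rpm=30, max_denied_ratio=0.5, min_requests=10):
    """Return {client: [(reason, action), ...]} for clients over a limit.

    Limit 1: requests per minute (volume). Limit 2: share of 401/403/404
    responses, a typical signature of a client probing for endpoints or
    credentials. min_requests avoids alerting on a handful of mistakes."""
    per_minute = defaultdict(int)            # (client, minute) -> requests
    totals = defaultdict(lambda: [0, 0])     # client -> [requests, denied]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_minute[(rec["client"], rec["minute"])] += 1
        t = totals[rec["client"]]
        t[0] += 1
        if rec["status"] in (401, 403, 404):
            t[1] += 1
    alerts = defaultdict(list)
    for (client, minute), n in per_minute.items():
        if n > max_rpm:
            alerts[client].append((f"{n} req/min at {minute} > {max_rpm}", "throttle"))
    for client, (n, denied) in totals.items():
        if n >= min_requests and denied / n > max_denied_ratio:
            alerts[client].append((f"denied ratio {denied / n:.2f}", "block"))
    return dict(alerts)

def sample_log():
    """Constructed traffic: one normal client, one client sweeping for paths."""
    lines = [f"2024-05-01T10:00:0{i}Z 203.0.113.5 GET /v1/users 200" for i in range(3)]
    for i in range(40):
        lines.append(f"2024-05-01T10:00:{i % 60:02d}Z 198.51.100.7 GET /v1/x{i} 404")
    return lines

if __name__ == "__main__":
    print(evaluate(sample_log()))
```

The "action" field is where an automated response (rate limiting at the gateway, a temporary block) would be wired in; the function itself only decides.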

Protect Your API with SOMETHING (Something is Better Than Nothing!)

This may not seem like a best practice, but when the alternative is to leave your APIs unprotected, something is better than nothing. That’s because bots can and do scan the web for open APIs, and they will find yours if it’s left unsecured. Even the most basic security measures will prevent many automated and brute-force attacks.

The Benefits of Doing SOMETHING

By doing even the minimum, you’ll protect your APIs from common attacks, including bots probing the internet for low-hanging fruit. With an even more secure API posture, you’ll eliminate many sophisticated and known attacks.

Maximize Your API Security with the Layered Approach

Do you want to sleep well at night? Then, using a layered API security approach is your best bet. As discussed over on PingIntelligence’s blog, this is the ideal way to protect your APIs.

The Benefits of Layered API Security

Using a layered approach gives you the best protection with the most flexibility to address attacks. Using an ML/AI engine is like fighting fire with fire: hackers are using automated, AI-driven attacks, so your protection should, too. API security practitioners must use API gateway security to protect against standard attacks, WAFs to protect against OWASP Top 10 attacks, and ML/AI engines to protect against advanced attacks using sophisticated methods.

Conclusion

API security should be an integrated part of your API planning, design, and development process. If left as an afterthought, you’re rolling the dice on not if, but when, your API will be found and exploited. The benefits of securing your API are substantial, and far outweigh the cost of developing with API security in mind. If you follow these best practices, your organization will be in a far better position for protecting its APIs.

Aaron Lieberman