Blog Series 1 out of 2.
APIs have become a vital cog of business and are what drives the digital economy. No matter what your business is or what kind of applications you build, an Application Programming Interface (API) will most likely be used in your application in one form or another. APIs let the client side of an application talk to the server side and, in machine-to-machine communication, let two applications interact with each other. With microservices architectures, the criticality of APIs has exploded.
APIs are generally publicly reachable, well documented, and easy to reverse engineer. This also means APIs are becoming the primary attack surface targeted by attackers.
In its How to Build an Effective API Security Strategy report, Gartner predicts that
“By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”
All this means that API protection is a very important aspect of any business, and it warrants special attention. When it comes to API security, there are multiple layers that need to be considered:
One of the primary reasons why API protection does not get enough attention in an organisation is a lack of understanding of the different layers involved. Let's dig a bit deeper into these layers.
APIs can only be protected if one knows about them, so one of the biggest challenges of API security is API visibility. Organisations struggle with API visibility for the following reasons:
Authenticating the right users and authorising their scope is a key part of API protection and is typically handled with API tokens and OAuth mechanisms. It is important to ensure that only the right users have access to the API and that their scope is well governed.
Another important aspect of API protection is controlling how much each user may access these APIs; otherwise, API servers could easily be overloaded. This could happen because of malicious actors trying to bring down the server, or it could be an unintentional overload caused by legitimate clients. These are generally legitimate API calls, but made at high volume they can clog the resources of the API server and make it unavailable for other users. To overcome this, it is necessary to apply rate limits to the APIs, restricting how often each user can call them.
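A per-client sliding-window rate limiter of the kind described above, added here as an illustration (it is not Indusface code); the client identifier, limits and call timestamps are all constructed for the example:

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class SlidingWindowRateLimiter:
    """Per-client sliding-window limiter: at most `limit` calls per `window` seconds.

    Keyed by whatever identifies the caller (API key, token subject, client IP),
    so one noisy client cannot consume the API server's capacity for everyone.
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._calls: Dict[str, Deque[float]] = defaultdict(deque)

    def check(self, client_id: str, now: Optional[float] = None) -> Tuple[bool, int]:
        """Return (allowed, remaining). A call is recorded only when it is allowed."""
        now = time.monotonic() if now is None else now
        calls = self._calls[client_id]
        # Drop timestamps that have aged out of the window.
        while calls and now - calls[0] >= self.window:
            calls.popleft()
        if len(calls) >= self.limit:
            return False, 0
        calls.append(now)
        return True, self.limit - len(calls)

    def retry_after(self, client_id: str, now: Optional[float] = None) -> float:
        """Seconds until the oldest call leaves the window (use for a Retry-After header)."""
        now = time.monotonic() if now is None else now
        calls = self._calls[client_id]
        if len(calls) < self.limit:
            return 0.0
        return max(0.0, self.window - (now - calls[0]))


def simulate(limiter: SlidingWindowRateLimiter, client_id: str, timestamps: List[float]) -> List[bool]:
    """Replay constructed call timestamps (seconds) for one client; return the allow/deny decisions."""
    return [limiter.check(client_id, t)[0] for t in timestamps]
```

Because the window slides, a legitimate client that bursts is throttled for a few seconds rather than blocked outright, while a flood from one key never starves the other keys.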
Continuous testing of APIs for vulnerabilities is of paramount importance. APIs can be vulnerable just like web applications. OWASP, the open-source foundation dedicated to enhancing web application security, recently released the OWASP API Security Top 10 list, specifying the top threats to APIs. Some of them, like authentication and authorisation, are already covered above, but just like web applications, APIs are also vulnerable to common attack vectors such as injection attacks. Apart from these, APIs are prone to business logic vulnerabilities caused by bad code or design. It is important that APIs are continuously tested to identify the risk posture of the application.
API threat detection is an extension of web application threat detection tools such as a WAF (Web Application Firewall). These monitor API requests for attacks like SQL injection and other injection attacks. In the case of APIs, given how well documented they are, protection can be extended well beyond normal signature-based detection to more sophisticated positive security methods that enforce strict schema validation and input sanitisation.
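The positive security model mentioned above, as an added example rather than any product's implementation: the schema below is a constructed policy for a hypothetical order endpoint, and anything the policy does not explicitly declare (unknown fields, wrong types, oversized values, characters outside the allowed format) is rejected, with no attack signature needed.

```python
import re
from typing import Any, Dict, List

# Constructed positive-security policy for a hypothetical /v1/orders endpoint:
# only declared fields, types, ranges, lengths and formats are accepted.
ORDER_SCHEMA: Dict[str, Dict[str, Any]] = {
    "order_id": {"type": int, "min": 1, "max": 10**9},
    "email": {"type": str, "max_len": 254,
              "pattern": re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")},
    "note": {"type": str, "max_len": 200, "optional": True},
}


def validate(payload: Any, schema: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return a list of policy violations; an empty list means the request is allowed."""
    errors: List[str] = []
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    # Undeclared fields are violations: hidden or mass-assigned parameters are not tolerated.
    for field in payload:
        if field not in schema:
            errors.append(f"unexpected field '{field}'")
    for field, rule in schema.items():
        if field not in payload:
            if not rule.get("optional"):
                errors.append(f"missing required field '{field}'")
            continue
        value = payload[field]
        # bool is a subclass of int in Python; do not let true/false pass as an integer.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"'{field}' must be {rule['type'].__name__}")
            continue
        if isinstance(value, int):
            if value < rule.get("min", value) or value > rule.get("max", value):
                errors.append(f"'{field}' out of range")
        else:
            if len(value) > rule["max_len"]:
                errors.append(f"'{field}' exceeds {rule['max_len']} characters")
            pattern = rule.get("pattern")
            if pattern and not pattern.match(value):
                errors.append(f"'{field}' does not match the allowed format")
    return errors


def is_allowed(payload: Any, schema: Dict[str, Dict[str, Any]] = ORDER_SCHEMA) -> bool:
    """Gateway-style decision: forward the request only when it has no violations."""
    return not validate(payload, schema)
```

In practice the schema is derived from the API's published specification, so the policy stays in step with the documentation the attacker is also reading.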
Another major aspect of API security is logging and monitoring. Monitoring access to the APIs, who is calling them, how they are calling them, understanding their behaviour, and deriving patterns from it are all important. Then, when an anomalous action happens, it immediately triggers further action, whether an immediate block or an offline investigation. This acts both as an early warning system and as an effective preventive mechanism against attacks.
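The behavioural baseline described above, as an added example that is not part of the original post: it profiles constructed API access-log lines per client and flags the clients that touch far more distinct resources than the population median or have an unusually high share of denied calls, the kind of pattern that should be routed for a block or an investigation. The log format, the client keys and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Constructed API access-log lines (sample data, not real traffic):
# timestamp, client identifier (API key), method, path, HTTP status.
LOG_LINES = """\
2023-12-18T10:00:01Z key-A GET /v1/orders/1001 200
2023-12-18T10:00:05Z key-A GET /v1/orders/1002 200
2023-12-18T10:00:09Z key-B GET /v1/orders/2001 200
2023-12-18T10:00:12Z key-C GET /v1/orders/3001 200
2023-12-18T10:00:13Z key-C GET /v1/orders/3002 200
2023-12-18T10:00:14Z key-C GET /v1/orders/3003 403
2023-12-18T10:00:20Z key-D GET /v1/orders/1001 403
2023-12-18T10:00:20Z key-D GET /v1/orders/1002 403
2023-12-18T10:00:21Z key-D GET /v1/orders/1003 403
2023-12-18T10:00:21Z key-D GET /v1/orders/1004 403
2023-12-18T10:00:22Z key-D GET /v1/orders/4001 200
2023-12-18T10:00:22Z key-D GET /v1/orders/4002 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def profile_clients(lines: str) -> Dict[str, dict]:
    """Per client: total calls, distinct resources touched, and number of denied (4xx) calls."""
    stats: Dict[str, dict] = defaultdict(lambda: {"calls": 0, "resources": set(), "denied": 0})
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the pipeline
        _, client, _, path, status = m.groups()
        s = stats[client]
        s["calls"] += 1
        s["resources"].add(path)
        if status.startswith("4"):
            s["denied"] += 1
    return stats


def flag_anomalies(lines: str, spread: float = 2.0, denied_ratio: float = 0.5) -> List[str]:
    """Flag clients far outside the population baseline; both signals hint at object enumeration."""
    stats = profile_clients(lines)
    baseline = median(len(s["resources"]) for s in stats.values())
    flagged = []
    for client, s in sorted(stats.items()):
        too_wide = len(s["resources"]) > spread * baseline
        too_denied = s["calls"] >= 4 and s["denied"] / s["calls"] >= denied_ratio
        if too_wide or too_denied:
            flagged.append(client)
    return flagged
```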
One of the common questions raised when it comes to API protection is:
“I have API gateway, isn’t that enough? Doesn’t it solve the API security needs?”
These questions stem from a lack of understanding of the various layers of API security described in the previous section.
Yes, an API gateway plays a key part in API protection, but it does not cover every aspect that API protection requires. An API gateway is best suited to the management of APIs. From a security standpoint, gateways do take care of access controls and rate limits, and some API gateways also handle schema validation. But that is about all an API gateway covers.
The following table clarifies which aspects an API gateway covers:
| Functions | API Gateway |
|---|---|
| **API Security** | |
| API Scanning | No |
| Unlimited Automated Scans for APIs | No |
| Protection for OWASP Top 10 API Vulnerabilities | No |
| API Specific Bot Protection | No |
| Parsing of OSI Specification and Generation of Positive Security Policies | No |
| Discovery of Shadow APIs | No |
| API Specific DDoS Protection | Yes |
| Authorization and Authentication | Yes |
| **API Management** | |
| API Creation and Deployment | Yes |
| API Operation & Monitoring | Yes |
| SDK Generation & Lifecycle Management | Yes |
| Resilience – Thresholds for APIs | Yes |
So, what should one do to get comprehensive API protection?
Learn more about it in the next blog in this series, and start a free trial to understand API protection better.
Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
This post was last modified on December 18, 2023 11:57