GUEST ESSAY: Five stages to attain API security — and mitigate attack surface exposures

By Rakshith Rao

APIs (Application Programming Interfaces) play a critical role in digital transformation by enabling communication and data exchange between different systems and applications.

APIs help digital transformation by enabling faster and more efficient business processes, improving customer experience, and providing new ways to interact with your business.

Whether an API is exposed for customers, partners, or internal use, it is responsible for transferring data that often holds personally identifiable information (PII) or reveals application logic and valuable company data.

Therefore, the security of APIs is crucial to ensure the confidentiality, integrity, and availability of sensitive information and to protect against potential threats such as data breaches, unauthorized access, and malicious attacks.

API security is essential for maintaining the trust of customers, partners, and stakeholders and ensuring the smooth functioning of digital systems. If API security is not properly implemented, it can result in significant financial losses, reputational damage, and legal consequences.

So, how can you ensure your API security is effective and enable your digital transformation?

Attack vector awareness

Hackers want to intercept and exploit API vulnerabilities to gain access to API endpoints and data. Over the last few years, we have observed that APIs are the favorite attack vector for hackers.

The losses to US companies due to API data breaches are estimated between $12 billion – $23 billion in 2022 alone, in an article in DarkReading. A study by the Marsh McLennan Cyber Risk Analytics Center and Imperva analyzed 117,000 unique cybersecurity incidents and estimated that API security issues result in US$ 41 to 75 billion of losses annually.

Why traditional approaches to securing APIs are not sufficient


As the adoption of APIs grows, the demand for security solutions increases. But, we have seen that the traditional approaches to securing APIs, such as basic authentication and IP whitelisting, are no longer sufficient in today’s rapidly evolving digital landscape.

Organizations must adopt a modern, comprehensive approach to API security that includes a combination of technical controls, policies, and processes to secure APIs effectively in today’s dynamic digital landscape.

To address this demand, a number of vendors have entered the market to provide solutions to help businesses secure their APIs. However, many of these vendors are providing solutions for managing APIs, not for securing these APIs. For example, security monitoring tools are not able to track API usage and activity. Due to this, these tools aren’t able to provide any actionable insights based on the data they collect.

API observability

Businesses can secure APIs with the “Shift-left and Automate-Right” approach across the entire API lifecycle.

Securing APIs across their entire lifecycle involves multiple stages, including design, development, testing, deployment, configuration, and maintenance. Each stage requires different security measures to ensure the confidentiality, integrity, and availability of sensitive information.

There are several models for API security that organizations can adopt to secure their APIs like a five stage approach described below;

•Discover: Make sure you have a complete view at all times. Manual tracking is hard so Automate API asset tracking to gain total visibility; proactively track and notify any changes in APIs so there is no guesswork. Also unveil the hidden topology behind API and application traffic with reconstruction.

•Observe: Start analyzing and controlling what should really exist. Detect and alert for Zombie & shadow APIs within the ecosystem. Things can break anytime so having 360 degree API observability for SRE is important. Start with basics to secure against OWSAP Top10 and key them updated.

•Model: Define organization-wide best practices with the flexibility to extend by the domain teams. Define data constraints to protect against attacks. Detect and prevent suspicious activity before it causes damage. Measure and protect your API with rate limiting, authZ and authN, data validation, versioning, and error handling.

•Act: Enforce best practices seamlessly without becoming a bottleneck to Increase API accuracy & resilience. Set up API Audits to track API calls, API responses, API errors, and API data accuracy. Monitor API for detailed API reports on API health, API usage, and API Performance. Automate API testing to track API behavior.

Insights: Derive insights holistically and not just at each API level. Maintain high standards with automated maturity scorecards. Make service ownership a reality. Set standards, give guidance, and measure adoption. Build a Culture of Continuous improvement.

By implementing security measures at each stage of the API lifecycle, organizations can ensure that their APIs are secure, and that sensitive information is protected against potential threats.

Together, these elements form the foundation for a practical approach to securing APIs. Continually reviewing your API security is a best practice for good governance.

About the essayist:  Rakshith Rao is the co-founder and CEO of API lifecycle management tool APIwiz. Rak brings 17 years of experience in enterprise technical sales leadership, including at Apigee and Google, DataStax, and HP.

March 8th, 2023


*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: