API Security Checklist: API Security Best Practices Guide
APIs are at the core of digital innovation. They are the glue that holds today’s web applications together and, as such, they have become a prime target for bad actors looking to exploit the lucrative data they connect. So, with organizations relying on APIs more and more to deliver their critical business initiatives, how do you close the gaps in your API Security strategy?
Our API Security Checklist is built to help you navigate through the best practices you must put into place to secure your APIs, with helpful, industry experience-based suggestions on how to prioritize and address today’s API security challenges.
Why is an API Security Checklist Important and How Can You Prioritize?
A comprehensive API Security strategy needs to cover all the security measures you need to implement to protect your APIs against today’s increasingly sophisticated threats.
- Security test your APIs, but know that you will need runtime protection to catch changes that don’t go through standard build process and abuses that traditional testing tools aren’t designed to find.
- Ensure that you are covering all of your environments and your digital supply chain, which is more than just the APIs mediated by your API gateways or API management suite.
- If you do nothing else, focus on runtime protection as a way to “stop the bleeding,” slow down attackers, and buy time for your application and API teams.
Each item in your API Security Checklist is arguably just as critical as the next, but there’s no reason to get overwhelmed. The checklist is meant to make your life easier and help you lay down the foundation of a robust API security strategy. Here are a few suggestions to help you prioritize:
These are the first few things to bear in mind to detect and stop today’s sophisticated API attacks, including the most common ones listed in the OWASP API Security Top 10.
What Are the Key Security Measures to Take with APIs?
1. Designing and developing secure APIs
You don’t need to reinvent the wheel when it comes to your API development security requirements. The OWASP Application Security Verification Standard (ASVS) is a good starting point and it is useful for all types of application designs. For this section of the API Security Checklist, be sure to include API integration, and streamline threat modeling of APIs. Here are the three key steps that will enable your teams to design and develop more secure APIs:
- Draft security requirements for building and integrating APIs.
- Include business logic in design reviews.
- Draft secure coding and configuration practices relevant to your technology stacks.
2. Keeping your API documentation accurate and up to date
Up-to-date documentation is essential for the application and API teams that are building or integrating APIs. Adequate documentation also provides benefits to a range of activities including design reviews, security testing, operations, and attack prevention. Here are three key steps to keep your documentation accurate and up to date:
- Use machine formats like OpenAPI Specification (OAS).
- Repurpose API schema as a basic testing approach and protection approach.
- Have a contingency plan for documentation discrepancies and API drift.
3. Focusing on API discovery and cataloguing
While API documentation is a best practice in itself, it’s important to be aware that it might not be done consistently. Automated discovery of API endpoints, parameters and data types is crucial for all organizations. This section of the API Security Checklist focuses on creating an accurate API inventory to serve many IT needs within your organization — with API security at the forefront. Here’s how to get started:
- Discover APIs in lower environments and not just production.
- Include API dependencies, or third-party APIs.
- Tag and label APIs and microservices as a DevOps best practice.
4. Understanding API security testing: how to perform it and what are its limitations?
You should definitely use traditional security testing tools to verify certain elements of an API implementation, such as well-known misconfigurations or vulnerabilities, but it’s important to be aware that these tools have limitations. No security scanner is adept at parsing business logic gaps, which leaves organizations exposed to major forms of API abuse. To have comprehensive API security and penetration testing in place, these are the main steps you should follow:
- Statically analyze API code automatically as part of version control and CI/CD.
- Check for known vulnerable dependencies in your API code.
- Dynamically analyze and fuzz deployed APIs to identify exploitable code in runtime.
5. Securing the front-end application
Securing the front-end application, or the API client, that depends on back-end APIs for functionality and data can be useful as part of a layered security approach. Our API Security Checklist includes some key elements for protecting the front end, but be aware of the pitfalls of client-side approaches — such as client-side behavior analytics and machine tracking that inadvertently create privacy concerns. The high-profile API security breach at Peloton is one good example of where front end security shortcomings can result in costly and brand damaging security issues. Here are three key steps to better front end security:
- Draft security requirements for front-end code including JavaScript, Android, and iOS.
- Store minimal or no data client-side since it is prone to attack and reverse engineering.
- Explore client-side code protections if you’ve secured back-end APIs.
6. The importance of logging and monitoring
All of the telemetry you collect ultimately informs detection, incident response, and runtime protection. This logging and monitoring data is also useful for constructing baselines of what constitutes “normal” so that any outlier events can be quickly identified and resolved. These are the key steps to take to build effective logging and monitoring:
- Define all the infrastructure, application, and API elements that must be logged.
- Factor in non-security use cases such as API performance and uptime measures.
- Allocate enough storage for API telemetry, which will lead you to the cloud.
Get the comprehensive list of best practices to guide your API security journey.
Download Now7. API mediation and architecture
Any good API Security Checklist must include steps to follow for API mediation. Mediation will help you achieve improved visibility, accelerated delivery, increased operational flexibility, and improved enforcement capabilities, particularly when it comes to API access control. Here’s what you need to do to achieve good API mediation:
- Mediate APIs to improve observability and monitoring capabilities.
- Use mediation mechanisms like API gateways to enforce access control.
- Augment your mediation mechanisms with API security tooling that can provide deeper context.
8. Don’t overlook network security
A primary goal of zero trust architecture is to enforce concepts of least privilege and restrict network access dynamically. However, connectivity must be present for APIs to function, and many API attacks still occur in trusted channels and authenticated sessions. Here are some important steps to take to incorporate network security in your API security strategy:
- Enable encrypted transport to protect the data your APIs transmit.
- Use IP address allow and deny lists if you have small numbers of API consumers.
- Look to dynamic rate limiting and rely on static rate limiting as a last resort.
9. Keeping your data secure
Data security approaches aim to provide confidentiality, integrity, and authenticity of data, but 82% of organizations lack confidence that they know which APIs expose sensitive data (see the Q1 2023 State of API Security report). Use these three key steps detailed on our API Security Checklist to reduce exposures of sensitive data, which can lead to significant regulatory penalties, large-scale privacy impacts, and brand damage:
- Use encryption selectively, knowing that transport protection suffices for most use cases.
- Avoid sending too much data to clients and relying on the client to filter data
- Adjust for threats like scraping or data inference where encryption is not a mitigation.
10. Strengthening authentication and authorization
When considering API security best practices for authentication and authorization, remember that you must account for both user and machine identities. The potential for exploitation of authentication and authorization vulnerabilities is well known to bad actors, who have been banking on it for years — the Optus API attack, the Booking.com breach and the Experian API security incident are three of the most prominent examples.
Externalize your access controls and identity stores wherever possible, which includes mediation mechanisms like API gateways, user and machine identity stores, IAM solutions, key management services, public key infrastructure, and secrets management. Follow these three steps to strengthen your authentication and authorization controls:
- Continuously authenticate and authorize API consumers.
- Avoid the use of API keys as a means of authentication.
- Use modern authorization protocols such as OAuth2 with security extensions.
11. Implementing continuous runtime protection
Any API runtime protection you consider deploying should be dynamic and learn continuously. Use our API Security Checklist to enforce protections that identify misconfigurations in API infrastructure as well as behavior anomalies such as credential stuffing, brute forcing, or scraping attempts.
- Enable threat protection features of your API gateways and APIM if available.
- Ensure that DoS and DDoS mitigation is part of your API protection approach.
- Go beyond traditional runtime controls that are dependent on rules, and make use of AI/ML and behavior analysis engines to detect API attacks.
12. Security operations: focusing on people and processes
SOC analysts must often depend on application development and API project teams who best know the application architecture and logic of APIs. That details application and business logic are critical in digital forensics and incident response. You will need to emphasize the people and process aspects of SecOps more than technology, and don’t just approach the exercise as “get a feed into Splunk.” Here are the three steps that can get you started:
- Account for the non-security and security personas involved in the complete API stack.
- Create API-centric incident response playbooks.
- Spare your SOC from burnout by surfacing actionable API events and not dumping data.
API Security Checklist: Are My APIs Secure?
Making your way through the API Security Checklist may feel like a huge task, but remember that building a robust API security strategy is a multi-step journey that you just need to start somewhere. Start by picking a few key API security steps as a starting point, expand over time and adopt additional best practices to avoid leaving gaps in your API security. You can get more details on how to implement these tactics in the Salt API Security Best Practices guide and, if you want to go even deeper, our REST API Security Best Practices guide.
Purpose-built API security and API penetration testing tooling can make it easier and more automatic to address the many elements of API security. Dedicated API security solutions such as the Salt Security API Protection Platform support a range of capabilities throughout the entire API lifecycle and provide the necessary context to stop attacks and data exposures for your organization’s unique API business logic.
To learn more about how Salt can help defend your organization from API risks, you can connect with a rep or schedule a personalized demo.