This API Security Checklist will help you close the gaps in your API security strategy. Each item in the API Security Checklist is arguably just as critical as the next, but don’t get overwhelmed. This API Security Checklist is provided to help you navigate through the top items in area of best practices, and you may opt to emphasize sets of best practices where you already have technology investments or manpower. Here are some suggestions on how to scope the problem and prioritize activities:
You don’t need to reinvent the wheel with security requirements. The OWASP Application Security Verification Standard (ASVS) is a good source that is useful for all types of application designs. For this part of the API Security Checklist, be sure to include API integration, and streamline threat modeling of APIs.
Documentation is useful for the application and API teams that are building or integrating APIs. Adequate documentation also provides benefits to a range of activities including design reviews, security testing, operations, and protection.
API documentation, while a best practice in itself, might not be done consistently. Automated discovery of API endpoints, parameters and data types is crucial for all organizations. This section of the API Security Checklist focuses on created an accurate API inventory to serve many IT needs within your organization.
Use traditional security testing tools to verify certain elements of an API implementation such as well-known misconfigurations or vulnerabilities, but realize these tools have limitations. No scanner is adept at parsing business logic, which also leaves organizations exposed to major forms of API abuse.
Securing the front-end application, or the API client, that depends on back-end APIs for functionality and data can be useful as part of a layered security approach. This API Security Checklist includes some key elements for protecting the front end, but be aware of the pitfalls of client-side approaches. such as client-side behavior analytics and machine tracking that inadvertently create privacy concerns.
All of the telemetry you collect ultimately informs detection, incident response, and runtime protection. This logging and monitoring data is also useful for constructing baselines of what constitutes “normal” so that any outlier events can be quickly identified and resolved.
Any good API Security Checklist must include steps to follow for API mediation. Mediation will help you achieve improved visibility, accelerated delivery, increased operational flexibility, and improved enforcement capabilities, particularly when it comes to API access control.
A primary goal of zero trust architecture is to enforce concepts of least privilege and restrict network access dynamically. However, connectivity must be present for APIs to function, and many API attacks still occur in trusted channels and authenticated sessions.
Data security approaches aim to provide confidentiality, integrity, and authenticity of data, but 85% of organizations lack confidence that they know which APIs expose sensitive data (see the Q3 2021 State of API Security report). Use this API Security Checklist to reduce exposures of sensitive data, which can lead to significant regulatory penalties, large-scale privacy impacts, and brand damage.
When considering API security best practices for authentication and authorization, remember that you must account for both user and machine identities. Externalize your access controls and identity stores wherever possible, which includes mediation mechanisms like API gateways, user and machine identity stores, IAM solutions, key management services, public key infrastructure, and secrets management.
Any runtime protection you consider deploying should be dynamic and learn continuously. Use this API Security Checklist to enforce protections that identify misconfigurations in API infrastructure as well as behavior anomalies such as credential stuffing, brute forcing, or scraping attempts.
SOC analysts must often depend on application development and API project teams who best know the application architecture and logic of APIs. That details application and business logic are critical in digital forensics and incident response. You will need to emphasize the people and process aspects of SecOps more than technology, and don’t just approach the exercise as “get a feed into Splunk.”
Making your way through this entire API Security Checklist may feel overwhelming. Start by picking a few best practices areas as a starting point that are most familiar. Expand over time and adopt additional best practices to avoid leaving gaps in your API security strategy. You can get more details on how to implement these tactics in the Salt API Security Best Practices guide. You can also get an Excel worksheet that summarizes these best practices and gives you a way to track your priorities, action items, and status information.
In many cases, purpose-built API security tooling can make it easier and more automatic to address the many elements of API security. Such platforms support a range of capabilities throughout the API lifecycle and provide the necessary context to stop attacks and data exposures for your organization’s unique API business logic.
Like many other API breaches, the Optus security incident highlights the importance of dedicated API security.
Salt Security's Roey Eliyahu and TAG Cyber's Ed Amoroso sat down together for a joint webinar on API security and zero trust. Check out the takeaways.