API Security Best Practices

API Security Checklist

Michael Isbitski
Sep 20, 2021

This API Security Checklist will help you close the gaps in your API security strategy. Each item in the checklist is arguably just as critical as the next, but don’t get overwhelmed. The checklist is provided to help you navigate the top items in each area of best practice, and you may opt to emphasize the sets of best practices where you already have technology investments or manpower. Here are some suggestions on how to scope the problem and prioritize activities:

  • Security test your APIs, but know that you will also need runtime protection to catch changes that don’t go through standard build process and abuses that testing tools aren’t designed to find.
  • Ensure that you are covering all of your environments and your digital supply chain, which is more than just the APIs mediated by your API gateways or API management suite.
  • If you do nothing else, focus on runtime protection as a way to “stop the bleeding,” slow down attackers, and buy time for application and API teams.

A: API secure design and development

You don’t need to reinvent the wheel with security requirements. The OWASP Application Security Verification Standard (ASVS) is a good source that is useful for all types of application designs. For this part of the API Security Checklist, be sure to include API integration, and streamline threat modeling of APIs.

  • A1 – Draft security requirements for building and integrating APIs
  • A2 – Include business logic in design reviews
  • A3 – Draft secure coding and configuration practices relevant to your technology stacks

B: API documentation

Documentation is useful for the application and API teams that are building or integrating APIs. Adequate documentation also provides benefits to a range of activities including design reviews, security testing, operations, and protection.

  • B1 – Use machine formats like OpenAPI Specification (OAS)
  • B2 – Repurpose API schema as a basic testing approach and protection approach
  • B3 – Have a contingency plan for documentation discrepancies and API drift
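
As an added example (not code from the original post), the following Python shows what B2 and B3 look like in practice: the OpenAPI document doubles as a request validator, and the same check reports undocumented fields and undocumented operations, which is the "API drift" signal B3 asks you to plan for. The OpenAPI fragment is constructed for a hypothetical `/users` endpoint, and only a subset of JSON Schema keywords is implemented so the block runs with the standard library alone.

```python
"""Validate inbound API requests against an OpenAPI document (added example).

Implements a small subset of JSON Schema (type, required, properties,
additionalProperties, maxLength, minimum/maximum, enum) so it runs offline.
The OpenAPI fragment below is constructed for illustration, not taken from
any real API.
"""
import json

# Constructed OpenAPI 3 fragment for a hypothetical POST /users operation.
OPENAPI_DOC = json.loads(r"""
{
  "openapi": "3.0.3",
  "paths": {
    "/users": {
      "post": {
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "required": ["email", "role"],
                "additionalProperties": false,
                "properties": {
                  "email": {"type": "string", "maxLength": 254},
                  "role": {"type": "string", "enum": ["viewer", "editor"]},
                  "age": {"type": "integer", "minimum": 0, "maximum": 150}
                }
              }
            }
          }
        }
      }
    }
  }
}
""")

JSON_TYPES = {
    "object": dict, "array": list, "string": str,
    "integer": int, "number": (int, float), "boolean": bool,
}


def validate(value, schema, path="$"):
    """Return a list of violations for value against a (subset) JSON Schema."""
    errors = []
    expected = schema.get("type")
    if expected:
        # bool is a subclass of int in Python; JSON treats them as distinct types.
        if isinstance(value, bool) and expected in ("integer", "number"):
            return [f"{path}: expected {expected}, got boolean"]
        if not isinstance(value, JSON_TYPES[expected]):
            return [f"{path}: expected {expected}, got {type(value).__name__}"]
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: value not in enum {schema['enum']}")
    if isinstance(value, str) and "maxLength" in schema and len(value) > schema["maxLength"]:
        errors.append(f"{path}: exceeds maxLength {schema['maxLength']}")
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required property missing")
        for name, child in value.items():
            if name in props:
                errors.extend(validate(child, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                # A field the contract does not know about: a malformed client or API drift (B3).
                errors.append(f"{path}.{name}: property not in schema (possible drift)")
    return errors


def validate_request(doc, path, method, body):
    """Look up the request schema for path/method and validate body; returns (ok, errors).

    A path/method missing from the document is reported too: live traffic to an
    operation the documentation does not describe is itself a drift signal.
    """
    op = doc.get("paths", {}).get(path, {}).get(method.lower())
    if op is None:
        return False, [f"{method.upper()} {path}: operation not documented (possible drift)"]
    schema = op["requestBody"]["content"]["application/json"]["schema"]
    errors = validate(body, schema)
    return not errors, errors
```

Used in a test harness, the same function turns the specification into a basic negative-testing oracle; used in front of the API at runtime, it is a basic positive-security (allow-list) control. Either way, the "possible drift" findings should be routed to whoever owns the documentation rather than silently dropped.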

C: API discovery and cataloging

API documentation, while a best practice in itself, might not be done consistently. Automated discovery of API endpoints, parameters, and data types is crucial for all organizations. This section of the API Security Checklist focuses on creating an accurate API inventory to serve the many IT needs within your organization.

  • C1 – Discover APIs in lower environments and not just production
  • C2 – Include API dependencies, or third-party APIs
  • C3 – Tag and label APIs and microservices as a DevOps best practice

D: API security testing

Use traditional security testing tools to verify certain elements of an API implementation such as well-known misconfigurations or vulnerabilities, but realize these tools have limitations. No scanner is adept at parsing business logic, which also leaves organizations exposed to major forms of API abuse.

  • D1 – Statically analyze API code automatically as part of version control and CI/CD
  • D2 – Check for known vulnerable dependencies in your API code
  • D3 – Dynamically analyze and fuzz deployed APIs to identify exploitable code in runtime

E: Front end security

Securing the front-end application, or the API client, that depends on back-end APIs for functionality and data can be useful as part of a layered security approach. This API Security Checklist includes some key elements for protecting the front end, but be aware of the pitfalls of client-side approaches, such as client-side behavior analytics and machine tracking that inadvertently create privacy concerns.

  • E1 – Draft security requirements for front-end code including JavaScript, Android, and iOS
  • E2 – Store minimal or no data client-side since it is prone to attack and reverse engineering
  • E3 – Explore client-side code protections if you’ve secured back-end APIs

F: Logging and monitoring

All of the telemetry you collect ultimately informs detection, incident response, and runtime protection. This logging and monitoring data is also useful for constructing baselines of what constitutes “normal” so that any outlier events can be quickly identified and resolved.

  • F1 – Define all the infrastructure, application, and API elements that must be logged
  • F2 – Factor in non-security use cases such as API performance and uptime measures
  • F3 – Allocate enough storage for API telemetry, which will lead you to cloud

G: API mediation and architecture

Any good API Security Checklist must include steps to follow for API mediation. Mediation will help you achieve improved visibility, accelerated delivery, increased operational flexibility, and improved enforcement capabilities, particularly when it comes to API access control.

  • G1 – Mediate APIs to improve observability and monitoring capabilities
  • G2 – Use mediation mechanisms like API gateways to enforce access control
  • G3 – Augment your mediation mechanisms with API security tooling that can provide deeper context

H: Network security

A primary goal of zero trust architecture is to enforce concepts of least privilege and restrict network access dynamically. However, connectivity must be present for APIs to function, and many API attacks still occur in trusted channels and authenticated sessions.

  • H1 – Enable encrypted transport to protect the data your APIs transmit
  • H2 – Use IP address allow and deny lists if you have small numbers of API consumers
  • H3 – Look to dynamic rate limiting and rely on static rate limiting as a last resort
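
To make H3 concrete, here is an added Python example (not from the original post) of a per-consumer limiter whose allowance adapts to each consumer's own observed rate, with a static ceiling kept only as the last-resort cap. The consumer ids, window size, floor, ceiling and the simulated traffic are all constructed assumptions.

```python
"""Per-consumer rate limiter with a dynamic threshold and a static ceiling (added example).

Each consumer's allowance is a multiple of the baseline learned from its own
accepted traffic, bounded below by a floor (for new or quiet consumers) and
above by a static ceiling (the "last resort" limit of H3). Only accepted
requests feed the baseline, so a flood of rejected requests cannot inflate it.
"""
from collections import defaultdict, deque


class AdaptiveRateLimiter:
    def __init__(self, window_s=60, floor=20, ceiling=1000, headroom=3.0, alpha=0.2):
        self.window_s = window_s        # sliding window length in seconds
        self.floor = floor              # minimum allowance per window
        self.ceiling = ceiling          # static limit: absolute cap per window
        self.headroom = headroom        # allowed multiple of the learned baseline
        self.alpha = alpha              # EMA smoothing factor for the baseline
        self.hits = defaultdict(deque)  # consumer -> timestamps of accepted requests
        self.baseline = {}              # consumer -> EMA of accepted requests per window
        self.last_tick = {}             # consumer -> time of last baseline update

    def limit_for(self, consumer):
        """Dynamic limit: headroom over the learned baseline, clamped to [floor, ceiling]."""
        base = self.baseline.get(consumer, 0.0)
        return int(min(self.ceiling, max(self.floor, base * self.headroom)))

    def _update_baseline(self, consumer, now):
        # Fold the completed window's accepted count into the EMA once per window.
        last = self.last_tick.setdefault(consumer, now)
        if now - last >= self.window_s:
            count = len(self.hits[consumer])
            prev = self.baseline.get(consumer, float(count))
            self.baseline[consumer] = (1 - self.alpha) * prev + self.alpha * count
            self.last_tick[consumer] = now

    def allow(self, consumer, now):
        """Decide one request arriving at time `now` (seconds). Returns (allowed, limit)."""
        q = self.hits[consumer]
        while q and now - q[0] >= self.window_s:   # drop hits outside the window
            q.popleft()
        self._update_baseline(consumer, now)
        limit = self.limit_for(consumer)
        if len(q) >= limit:
            return False, limit
        q.append(now)
        return True, limit


def simulate(limiter, consumer, rate_per_min, minutes, start_minute=0):
    """Send evenly spaced requests (constructed traffic); return rejections per minute."""
    rejected = []
    for m in range(start_minute, start_minute + minutes):
        r = 0
        for i in range(rate_per_min):
            ok, _ = limiter.allow(consumer, m * 60 + i * 60.0 / rate_per_min)
            if not ok:
                r += 1
        rejected.append(r)
    return rejected


if __name__ == "__main__":
    lim = AdaptiveRateLimiter(window_s=60, floor=60, ceiling=1000, headroom=3.0)
    print("steady 50/min:", simulate(lim, "app-1", 50, 4))            # no rejections
    print("learned limit:", lim.limit_for("app-1"))
    print("burst 500/min:", simulate(lim, "app-1", 500, 1, start_minute=4))  # most rejected
```

A consumer that has always sent around 50 requests a minute keeps a limit near 150 and is never throttled, while a sudden ten-fold burst from the same consumer is mostly rejected, without any global rule having been tuned for it. The static ceiling still matters: a very large legitimate consumer must not be able to grow its allowance without bound.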

I: Data security

Data security approaches aim to provide confidentiality, integrity, and authenticity of data, but 85% of organizations lack confidence that they know which APIs expose sensitive data (see the Q3 2021 State of API Security report). Use this API Security Checklist to reduce exposures of sensitive data, which can lead to significant regulatory penalties, large-scale privacy impacts, and brand damage.

  • I1 – Use encryption selectively, knowing that transport protection suffices for most use cases
  • I2 – Avoid sending too much data to clients and relying on the client to filter data
  • I3 – Adjust for threats like scraping or data inference where encryption is not a mitigation
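
I2 is the point where most "excessive data exposure" findings originate, so here is an added Python example (not from the original post) of server-side response shaping: the API returns only the fields on an allow-list for the caller's role, and a deny-list variant is shown alongside to illustrate why it fails when the data model grows. The record, roles and field lists are constructed.

```python
"""Server-side response shaping by allow-list (added example).

The server, not the client, decides which fields leave the system. With an
allow-list per role, a newly added sensitive column is hidden by default;
with a deny-list it is exposed by default until someone remembers to add it.
All data below is constructed for illustration.
"""

# Constructed internal record as returned by a hypothetical data layer.
USER_RECORD = {
    "id": 1042,
    "display_name": "Ada",
    "email": "ada@example.test",
    "phone": "+1-555-0100",
    "password_hash": "$argon2id$...",       # must never leave the server
    "address": {"city": "Lisbon", "street": "Rua X 1", "postcode": "1000-001"},
    "ssn_last4": "1234",                    # added later; nobody updated the deny-list
}

# Allow-lists of dotted field paths per role. Anything not listed is dropped.
ALLOWED_FIELDS = {
    "public":  {"id", "display_name"},
    "self":    {"id", "display_name", "email", "phone",
                "address.city", "address.street", "address.postcode"},
    "support": {"id", "display_name", "email", "address.city"},
}


def shape(record, allowed, prefix=""):
    """Recursively copy only allow-listed (dotted) paths out of record."""
    out = {}
    for key, value in record.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            child = shape(value, allowed, prefix=f"{path}.")
            if child:
                out[key] = child
        elif path in allowed:
            out[key] = value
    return out


def render_user(record, role):
    """API representation for a role; an unknown role falls back to the public view."""
    allowed = ALLOWED_FIELDS.get(role, ALLOWED_FIELDS["public"])
    return shape(record, allowed)


def strip_known_secrets(record):
    """The deny-list anti-pattern: remove the fields we happened to think of."""
    out = dict(record)
    out.pop("password_hash", None)
    return out


def leaks(representation, forbidden=("password_hash", "ssn_last4")):
    """Regression check for tests: forbidden keys that survived shaping, at any depth."""
    found, stack = [], [representation]
    while stack:
        node = stack.pop()
        for key, value in node.items():
            if key in forbidden:
                found.append(key)
            if isinstance(value, dict):
                stack.append(value)
    return found
```

The `leaks` check is the kind of assertion worth keeping in the API's test suite: it fails the build the moment a representation starts carrying a field that should stay internal, which is far cheaper than discovering it from a customer report.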

J: Authentication and authorization

When considering API security best practices for authentication and authorization, remember that you must account for both user and machine identities. Externalize your access controls and identity stores wherever possible, which includes mediation mechanisms like API gateways, user and machine identity stores, IAM solutions, key management services, public key infrastructure, and secrets management.

  • J1 – Continuously authenticate and authorize API consumers
  • J2 – Avoid the use of API keys as a means of authentication
  • J3 – Use modern authorization protocols such as OAuth2 with security extensions

K: Runtime protection

Any runtime protection you consider deploying should be dynamic and learn continuously. Use this API Security Checklist to enforce protections that identify misconfigurations in API infrastructure as well as behavior anomalies such as credential stuffing, brute forcing, or scraping attempts.

  • K1 – Enable threat protection features of your API gateways and APIM if available
  • K2 – Ensure that DoS and DDoS mitigation is part of your API protection approach
  • K3 – Go beyond traditional runtime controls that are dependent on rules, and make use of AI/ML and behavior analysis engines to detect API attacks
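
Sections F and K both lean on the same idea, so one added Python example (not from the original post) serves both: build per-consumer baselines from API access logs and flag outliers (F), and look for a behavior anomaly such as credential stuffing, which is one source producing many failed logins across many distinct accounts (K). The log lines are constructed JSON, one per request, with the fields an API gateway or reverse proxy would typically emit; the thresholds are assumptions to tune against your own traffic.

```python
"""Baselines and behavior anomalies from API access logs (added example for F and K).

Log lines and thresholds are constructed for illustration. The outlier check
uses median and median absolute deviation (MAD) so that a single abnormal
window does not drag the baseline along with it.
"""
import json
import statistics
from collections import Counter, defaultdict

T0 = 1_700_000_040   # constructed start time, aligned to a 60 s boundary


def constructed_log():
    """Constructed access log: steady traffic, one burst, one credential-stuffing run."""
    lines = []
    for minute in range(11):
        n = 80 if minute == 10 else 10          # app-1 bursts in the last minute
        for i in range(n):
            lines.append(json.dumps({"ts": T0 + minute * 60 + i * 60 // n, "client": "app-1",
                                     "ip": "203.0.113.10", "method": "GET", "path": "/orders",
                                     "status": 200, "user": "alice"}))
    for i in range(3):                          # a user mistyping a password: not an attack
        lines.append(json.dumps({"ts": T0 + 120 + i, "client": "web", "ip": "203.0.113.10",
                                 "method": "POST", "path": "/login", "status": 401, "user": "alice"}))
    for i in range(30):                         # one source, many accounts, all failing
        lines.append(json.dumps({"ts": T0 + 600 + i, "client": "web", "ip": "198.51.100.7",
                                 "method": "POST", "path": "/login", "status": 401,
                                 "user": f"user{i:03d}"}))
    lines.append("not json at all")             # malformed line: skipped, not fatal
    return lines


def parse(lines):
    """Parse JSON log lines; return (events, number_of_malformed_lines)."""
    events, bad = [], 0
    for line in lines:
        try:
            ev = json.loads(line)
            ev["ts"] = int(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            bad += 1
    return events, bad


def rate_outliers(events, window_s=60, k=3.0, min_windows=5):
    """Per-consumer windows whose request count exceeds median + k * MAD of that consumer."""
    per_window = defaultdict(Counter)           # client -> {window_start: count}
    for ev in events:
        per_window[ev["client"]][ev["ts"] // window_s * window_s] += 1
    flagged = []
    for client, counts in per_window.items():
        values = list(counts.values())
        if len(values) < min_windows:           # too little history to call anything "normal"
            continue
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        threshold = med + k * max(mad, 1.0)     # floor the MAD so a flat baseline still has slack
        for start, count in sorted(counts.items()):
            if count > threshold:
                flagged.append((client, start, count, threshold))
    return flagged


def credential_stuffing(events, min_failures=20, min_accounts=10):
    """Source IPs with many failed logins spread across many distinct accounts."""
    failures = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"] == "/login" and ev["status"] == 401:
            failures[ev["ip"]].append(ev.get("user", ""))
    return [(ip, len(users), len(set(users))) for ip, users in failures.items()
            if len(users) >= min_failures and len(set(users)) >= min_accounts]


if __name__ == "__main__":
    events, bad = parse(constructed_log())
    print("malformed lines:", bad)
    print("rate outliers:", rate_outliers(events))
    print("credential stuffing:", credential_stuffing(events))
```

Note what the two detectors need from F1: a consumer identity, a source address, the method and path, the status code and a user identifier. If any of these is missing from the logged fields, the corresponding detection is simply not possible, which is why the logging requirements have to be written down before the detection use cases are.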

L: Security operations

SOC analysts must often depend on the application development and API project teams who best know the application architecture and logic of the APIs. Those details of application and business logic are critical in digital forensics and incident response. You will need to emphasize the people and process aspects of SecOps more than the technology, and don’t just approach the exercise as “get a feed into Splunk.”

  • L1 – Account for the non-security and security personas involved in the complete API stack
  • L2 – Create API-centric incident response playbooks
  • L3 – Spare your SOC from burnout by surfacing actionable API events and not dumping data

API Security Checklist Summary

Making your way through this entire API Security Checklist may feel overwhelming. Start with the few best-practice areas that are most familiar to you, then expand over time and adopt additional best practices to avoid leaving gaps in your API security strategy. You can get more details on how to implement these tactics in the Salt API Security Best Practices guide. You can also get an Excel worksheet that summarizes these best practices and gives you a way to track your priorities, action items, and status information.

In many cases, purpose-built API security tooling can make it easier and more automatic to address the many elements of API security. Such platforms support a range of capabilities throughout the API lifecycle and provide the necessary context to stop attacks and data exposures for your organization’s unique API business logic.