APIs are at the core of digital innovation. They are the glue that holds today’s web applications together and, as such, they have become a prime target for bad actors looking to exploit the lucrative data they connect. So, with organizations relying on APIs more and more to deliver their critical business initiatives, how do you close the gaps in your API Security strategy?
Our API Security Checklist is built to help you navigate through the best practices you must put into place to secure your APIs, with helpful, industry experience-based suggestions on how to prioritize and address today’s API security challenges.
A comprehensive API Security strategy needs to cover all the security measures you need to implement to protect your APIs against today’s increasingly sophisticated threats.
Each item in your API Security Checklist is arguably just as critical as the next, but there’s no reason to get overwhelmed. The checklist is meant to make your life easier and help you lay down the foundation of a robust API security strategy. Here are a few suggestions to help you prioritize:
These are the first few things to bear in mind to detect and stop today’s sophisticated API attacks, including the most common ones listed in the OWASP API Security Top 10.
You don’t need to reinvent the wheel when it comes to your API development security requirements. The OWASP Application Security Verification Standard (ASVS) is a good starting point and it is useful for all types of application designs. For this section of the API Security Checklist, be sure to include API integration, and streamline threat modeling of APIs. Here are the three key steps that will enable your teams to design and develop more secure APIs:
Up-to-date documentation is essential for the application and API teams that are building or integrating APIs. Adequate documentation also provides benefits to a range of activities including design reviews, security testing, operations, and attack prevention. Here are three key steps to keep your documentation accurate and up to date:
While API documentation is a best practice in itself, it’s important to be aware that it might not be done consistently. Automated discovery of API endpoints, parameters and data types is crucial for all organizations. This section of the API Security Checklist focuses on creating an accurate API inventory to serve many IT needs within your organization — with API security at the forefront. Here’s how to get started:
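As an added illustration of the gap between documentation and reality described above (this is not code from the checklist or from any vendor product), the following Python compares endpoints observed in traffic with a documented inventory. The log format, the paths and the function names are all constructed for the example, and it covers endpoints only, not parameters or data types.

```python
import re
from collections import Counter

# Constructed sample: documented inventory of (method, path template), as it
# might be read from the "paths" object of an OpenAPI document.
DOCUMENTED = {
    ("GET", "/v1/users/{id}"),
    ("POST", "/v1/users"),
    ("GET", "/v1/orders/{id}"),
    ("DELETE", "/v1/orders/{id}"),
}

# Constructed sample access-log lines in an assumed "<method> <path> <status>" format.
ACCESS_LOG = """\
GET /v1/users/1041 200
GET /v1/users/2207?expand=profile 200
POST /v1/users 201
GET /v1/orders/7f3c2b1a-9d4e-4c6f-8a1b-0e5d6c7b8a90 200
GET /v1/users/1041/export 200
GET /v1/users/2207/export 200
POST /internal/debug/cache 204
"""

# A path segment that is purely numeric or a UUID is treated as an identifier.
ID_SEGMENT = re.compile(r"\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def to_template(path: str) -> str:
    """Drop the query string and replace identifier segments with {id}."""
    path = path.split("?", 1)[0]
    parts = ["{id}" if ID_SEGMENT.fullmatch(p) else p for p in path.split("/")]
    return "/".join(parts)

def observed_endpoints(log_text: str) -> Counter:
    """Count requests per (method, path template) seen in traffic."""
    seen = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than guessing at them
        method, path, _status = fields
        seen[(method.upper(), to_template(path))] += 1
    return seen

def inventory_gaps(documented: set, log_text: str):
    """Return (observed but undocumented, documented but not observed)."""
    seen = observed_endpoints(log_text)
    undocumented = {ep: n for ep, n in seen.items() if ep not in documented}
    unobserved = sorted(documented - set(seen))
    return undocumented, unobserved
```

Endpoints in the first result are candidates for review and documentation; entries in the second may be unused and worth retiring, or may simply not have been exercised during the sampled period.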
You should definitely use traditional security testing tools to verify certain elements of an API implementation, such as well-known misconfigurations or vulnerabilities, but it’s important to be aware that these tools have limitations. No security scanner is adept at parsing business logic gaps, which leaves organizations exposed to major forms of API abuse. To have comprehensive API security testing in place, these are the main steps you should follow:
Securing the front-end application, or the API client, that depends on back-end APIs for functionality and data can be useful as part of a layered security approach. Our API Security Checklist includes some key elements for protecting the front end, but be aware of the pitfalls of client-side approaches, such as client-side behavior analytics and machine tracking that inadvertently create privacy concerns. The high-profile API security breach at Peloton is one good example of where front-end security shortcomings can result in costly and brand-damaging security issues. Here are three key steps to better front-end security:
All of the telemetry you collect ultimately informs detection, incident response, and runtime protection. This logging and monitoring data is also useful for constructing baselines of what constitutes “normal” so that any outlier events can be quickly identified and resolved. These are the key steps to take to build effective logging and monitoring:
Any good API Security Checklist must include steps to follow for API mediation. Mediation will help you achieve improved visibility, accelerated delivery, increased operational flexibility, and improved enforcement capabilities, particularly when it comes to API access control. Here’s what you need to do to achieve good API mediation:
A primary goal of zero trust architecture is to enforce concepts of least privilege and restrict network access dynamically. However, connectivity must be present for APIs to function, and many API attacks still occur in trusted channels and authenticated sessions. Here are some important steps to take to incorporate network security in your API security strategy:
Data security approaches aim to provide confidentiality, integrity, and authenticity of data, but 82% of organizations lack confidence that they know which APIs expose sensitive data (see the Q1 2023 State of API Security report). Use these three key steps detailed on our API Security Checklist to reduce exposures of sensitive data, which can lead to significant regulatory penalties, large-scale privacy impacts, and brand damage:
When considering API security best practices for authentication and authorization, remember that you must account for both user and machine identities. The potential for exploitation of authentication and authorization vulnerabilities is well known to bad actors, who have been banking on it for years — the Optus API attack, the Booking.com breach and the Experian API security incident are three of the most prominent examples.
Externalize your access controls and identity stores wherever possible, which includes mediation mechanisms like API gateways, user and machine identity stores, IAM solutions, key management services, public key infrastructure, and secrets management. Follow these three steps to strengthen your authentication and authorization controls:
Any API runtime protection you consider deploying should be dynamic and learn continuously. Use our API Security Checklist to enforce protections that identify misconfigurations in API infrastructure as well as behavior anomalies such as credential stuffing, brute forcing, or scraping attempts.
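To show how the behavior anomalies named above differ in login telemetry, here is an added Python example (not part of the original checklist and not any product's detection logic). The event tuple layout, the sample events and the thresholds are assumptions made for the illustration; in practice the thresholds would come from your own baseline of normal traffic.

```python
from collections import defaultdict

# Constructed sample login events: (epoch_seconds, source_ip, username, success).
# All addresses are from the documentation ranges.
EVENTS = (
    # one source trying many different accounts
    [(1000 + i, "203.0.113.7", f"user{i}", i == 17) for i in range(30)]
    # one source guessing repeatedly at a single account
    + [(1000 + i, "198.51.100.9", "alice", False) for i in range(25)]
    # an ordinary mistyped password followed by a success
    + [(1005, "192.0.2.44", "bob", False), (1010, "192.0.2.44", "bob", True)]
)

# Illustrative thresholds (assumptions, not recommendations).
WINDOW = 60              # seconds
MIN_FAILURES = 20        # failed logins inside one window
MIN_DISTINCT_USERS = 15  # distinct usernames among those failures

def classify(events, window=WINDOW):
    """Label each source IP whose failed logins form a burst inside a sliding window."""
    fails = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails[ip].append((ts, user))
    findings = {}
    for ip, rows in fails.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            # shrink the window until it spans less than `window` seconds
            while rows[hi][0] - rows[lo][0] >= window:
                lo += 1
            burst = rows[lo:hi + 1]
            if len(burst) >= MIN_FAILURES:
                users = {u for _, u in burst}
                findings[ip] = ("credential_stuffing"
                                if len(users) >= MIN_DISTINCT_USERS
                                else "brute_force")
                break
    return findings
```

Keying the same window by username as well catches guessing against one account that arrives from several source addresses.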
SOC analysts must often depend on the application development and API project teams who best know the application architecture and logic of the APIs. Those details of application and business logic are critical in digital forensics and incident response. You will need to emphasize the people and process aspects of SecOps more than technology, and don’t just approach the exercise as “get a feed into Splunk.” Here are the three steps that can get you started:
Making your way through the API Security Checklist may feel like a huge task, but remember that building a robust API security strategy is a multi-step journey, and you just need to start somewhere. Pick a few key API security steps as a starting point, then expand over time and adopt additional best practices to avoid leaving gaps in your API security. You can get more details on how to implement these tactics in the Salt API Security Best Practices guide and, if you want to go even deeper, our REST API Security Best Practices guide.
Purpose-built API security tooling can make it easier and more automatic to address the many elements of API security. Dedicated API security solutions such as the Salt Security API Protection Platform support a range of capabilities throughout the entire API lifecycle and provide the necessary context to stop attacks and data exposures for your organization’s unique API business logic.