Today’s data-driven, tech-dominated world of deeply complex, intimately detailed systems has required new infrastructural modalities to manage.
One of the most ubiquitous are Application Programming Interfaces, or APIs, a way for differing software systems to share data (including Personal Identifiable Information, or PII) and thereby complete, inform, analyze and report on very complex sets of functions.
API security best practices: an introduction to understanding modern API security
As API systems evolve, so too do the cybersecurity protocols and tools to protect them. Anyone in cybersecurity can tell you that it’s an arms race—that ‘bad actors’ develop their own tools at a blistering rate, and that no matter how good the tools are, human error remains the number one threat vector.
Furthermore, while AI may have burst onto the scene of public discourse only within the last year or so, it has played a major—and growing—role in cybersecurity for years, ushering in a new generation where (e.g.) threat actors can one day utilize an AI robust enough to code and orchestrate a cyberattack campaign largely autonomously. In response, AI trained for defense will become increasingly necessary—hence the arms race.
Yet, no matter how complex these tools become and no matter how labyrinthine the cybersecurity landscape appears, the most secure organizations will remain focused on the best API Security practices to keep themselves, their employees, and their clients safe.
A passive, ‘the solution alone will do it for me’ approach where your cybersecurity team or partners don’t have a ‘seat at the table’ wasn’t enough yesterday, isn’t enough today, and won’t be enough tomorrow.
That’s why erudite API security implementations that stem from experience, a strong grasp of the fundamentals, and smart partnerships remain such a critical cornerstone in building a safe organization.
API security best practices: Key concepts and functions in API security
How APIs and API standards work securely depends on several key concepts; because cybersecurity is a deeply complex data science, there is no reasonable way to do justice to each of those concepts herein, as even a comprehensive summary would be the subject of a full textbook.
However, we will examine a few of the most basic concepts to make our latter survey of standardization types and best practices more comprehensible.
Types of APIs
There are several types of APIs (and many other entirely distinct, differing typologies), from private to public to third-party. Furthermore, there are many general development and implementation approaches to APIs, including API-First, API-as-a-Product, Design-First, and OpenAPI.
At the most basic level, APIs make data requests of other sources of data (e.g., other APIs). A request, in this context, is any ask to share that information, such as with a website via HyperText Transfer Protocols, or HTTP—an acronym any web user should recognize as it begins most web addresses.
In a cybersecurity context, APIs necessitate a certain level of security due to API Sprawl, a type of vulnerability caused by the widened risk surface generated by the simple act of requesting and receiving information across platforms and data sources.
After all, a single point of data with no access to any interconnected, online systems is about as secure as it gets without direct interaction with its host system; in this context, isolation equals security. It is when information is opened up and shared with a network or API ecosystem that you introduce security vulnerabilities that must be proactively addressed.
Functions of APIs in data security
One of the basic functions of an API in ensuring security is thereby authentication and authorization—this is where we see API’s function as Gateways.
Authentication refers to the process of verifying client identity when API access is requested.
Methods include key authentication such as HTTP, OAuth tokens, and JWT (JSON Web Tokens). Any token in an API context refers simply to the code authenticating the client’s request from the provider (or ‘owner’). Access tokens are transmitted over (e.g.) HTTP securely during login attempts.
To provide an example of such a request—or API call—we could consider a login to something like a social media account. An access token is used by the client (the person attempting to sign in) in the process of sending a request for the resources held by the provider. The token’s parameters determine the access level the client will be granted pending authorization.
It is because tokens can request different access levels that a secure API transaction is able to consistently and reliably tell apart (e.g.) a regular user of a social media platform from an administrator or other employee.
To clarify the distinction between authentication and authorization, authentication verifies identity while authorization determines access level. Common authorization methods include Attribute-Based Access Control (ABAC), Role-Based Access Control (RBAC) and Privileged Access Management (PAM).
Additional API security concepts: Throttling, encryption, validation and more
Other key concepts in API functionality and security include (but are very much not limited to) rate limiting and throttling, encryption, validation, encoding, logging and monitoring.
These concepts, respectively, allow APIs to limit the number of requests APIs can make without stressing out the server (thereby throttling or slowing down requests if a limit is reached), protect data by encoding it (Transport Layer Security, or TLS, is a common transmission encryption method), validate that any data received meets appropriate standards (which can include preventing injection attacks), and keep track of API usage, including pattern logging and monitoring for security purposes (e.g., detecting suspicious use patterns).
Zooming out, API Management describes any given system meant to publish, observe, test, or otherwise mediate and secure an API or set of APIs. These are situated within API Management Frameworks comprised of several management processes interacting with one another. Teams will typically manage said APIs via API Portals and Catalogues meant to assist in both the access and indexing of API data.
All of it comes together to form API Ecosystems, which can be vast and, as a result, also prone to an exceedingly wide range of attacks across their massive threat surfaces if not properly secured. Smart API Governance can help to mitigate those risks on a level that encompasses multiple ecosystems and their overall development.
API security best practices: Types of API standardizations
One of the key benefits of using modern APIs is standardization. Today’s APIs adhere to standards such as Representational State Transfer (REST), Simple Object Access Protocol (SOAP), GraphQL and several others (WebSocket, gRPC and MsgPack) often transmitted via (e.g.) HTTP.
By relying on these standards, software development and cybersecurity teams can assume parameters that allow for better-managed performance, scaling, and security.
Perhaps the most ‘traditional’ type of API standard is REST, collectively known as RESTful APIs. These combine client and server-side architecture and enforce a level of uniformity at the interface level, with a wide range of implementation options for developers. ‘Headers’ and ‘parameters’ that can include critical information such as metadata and cookies are transmitted over HTTP (JSON, XLT, etc.).
Popular for its (relative) simplicity, versatility, speed, and adaptability, REST is the most common as of writing.
Two other common, important API standards are SOAP and GraphQL. SOAP connects (e.g.) different operating systems via HTTP and, specifically, Extensible Markup Language (XML), specializing in secure data such as passwords and other types of sensitive account information.
It differentiates from REST insofar as it can be described as a ‘stricter’ protocol that—while still utilizing HTTP—generally must also provide XML documentation and other attributes in their requests.
SOAP’s widespread usage predates REST, but REST has become the new ‘standard’ in the 2010s and beyond. Even more recent, however, is GraphQL (sometimes instead referred to as Graph API); developed by Meta (formerly Facebook), GraphQL now serves as the primary method by which apps read and write for Meta’s platforms, a not-insignificant amount of all the traffic online today.
Best practices in API security: a checklist
Why an organization should prioritize API security may be apparent just by watching the news: cybersecurity attacks impact private and public organizations on a daily basis, with some high enough profile that they lead to lawsuits, extreme damages, and even arrests.
If an organization handles a lot of sensitive customer data—and if handling payments or PII of any kind, the answer is automatically an emphatic yes—security is more than a pragmatic consideration. It is an obligation.
It is because a failure to properly ensure any one of the API security functions described above can result in an API vulnerability that your API security approach and partnerships need to be comprehensive.
Furthermore, each of those functions interact with one another in key ways; for example, insufficient logging results in poor log integrity.
This in turn complicates the validation process described above, compromising the APIs ability to ensure incoming data meets all security standards. A failure to validate data that is, in fact, not safe can result in an injection attack.
A famous injection attack involved the c-store brand 7-Eleven, where 130 million credit card numbers were stolen via SQL Injection (SQLi). To say nothing of the significant legal and financial liabilities implied by such breeches, the damage to brand reputation can be lasting and difficult to calculate the cost of.
We are providing a checklist of some of the best practices in API Safety today to help organizations moving forward into an often uncertain 2024 and beyond better guarantee their data protection.
It is because many of these security concepts are so interconnected that much of the latter portion of this list will be comprised of simply ensuring you are actually performing the above functions properly, something no cybersecurity, executive, or management team should take for granted.
More than anything, ensuring you engage in all of the above and more consistently, every day, no matter how monotonous, is essential. While threat actors only have to get it right once to succeed, as an organization conducting legitimate business, you need to repel attacks every time, every day.
That’s why investing in the best API security team or partner available to you is the best investment you can make moving forward into the API security landscape of tomorrow, one once only imagined in science fiction.