10 Features an API Security Service Needs to Offer
Securing APIs is specialized work. Here's what organizations should look for when selecting an outside partner.
Application programming interfaces (APIs) are a powerful technology that allows businesses to innovate faster and keep pace with a demanding market. But they come with their own set of challenges. APIs expand the attack surface, and they expose new entry points that can be used to disrupt services and reach data, including personally identifiable information (PII).
In most API-related incidents, the breach occurs through relatively simple technical means, and the root cause is usually one or more poorly secured API endpoints. The news is not all bad, however: businesses can take straightforward steps to greatly improve their API security.
Given the complexity of properly securing APIs, many businesses opt to work with a trusted partner. This approach certainly has its advantages, though buyers need to understand how to evaluate and differentiate the many API security offerings on the market. To help with this, I'd like to share 10 must-have features that all API security providers should offer.
1. API Visibility and Discovery
Before an API can be secured, it must be known. For a variety of reasons, API endpoints are often created without the IT or security team's knowledge. When this happens, those APIs are not part of asset management, and they are also not properly subjected to security and compliance policies and controls. Thus, API visibility and discovery is the first step in API security, and it is a must-have for any API security provider.
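Traffic-based discovery is the usual way to find endpoints nobody registered. The following Python is an added illustration, not code from the original article or from any product: it normalizes the paths seen in gateway access logs (so `/users/1042` and `/users/<uuid>` count as one endpoint) and reports anything not present in the documented spec. The log records and the documented path templates are constructed for the example.

```python
import re
from collections import Counter

# Endpoints documented in a hypothetical OpenAPI spec, as (method, path template).
DOCUMENTED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

# Constructed access-log records: (method, raw path) as seen at the gateway.
OBSERVED = [
    ("GET", "/api/v1/users/1042"),
    ("GET", "/api/v1/users/7f8c2a1e-9b4d-4c3f-8a2e-1d2f3e4a5b6c"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/99"),
    ("GET", "/api/v1/orders/99/export"),   # not in the spec
    ("GET", "/api/v2/users/1042"),          # undocumented API version
    ("GET", "/internal/debug/config"),      # forgotten debug route
    ("GET", "/internal/debug/config"),
]

UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
NUMERIC = r"\d+"


def normalize(path: str) -> str:
    """Collapse identifier-like path segments to a {id} placeholder so that
    requests for different records map to the same endpoint."""
    out = []
    for seg in path.strip("/").split("/"):
        if re.fullmatch(UUID, seg) or re.fullmatch(NUMERIC, seg):
            out.append("{id}")
        else:
            out.append(seg)
    return "/" + "/".join(out)


def inventory(observed):
    """Count requests per (method, normalized path): the observed API inventory."""
    return Counter((m, normalize(p)) for m, p in observed)


def shadow_endpoints(observed, documented):
    """Endpoints present in traffic but absent from the documented spec,
    most frequently hit first. These are the ones outside asset management."""
    inv = inventory(observed)
    return sorted(((ep, n) for ep, n in inv.items() if ep not in documented),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for (method, path), hits in shadow_endpoints(OBSERVED, DOCUMENTED):
        print(f"UNDOCUMENTED {method} {path} ({hits} hits)")
```

The normalization step matters more than it looks: without it, every distinct record ID becomes its own "endpoint" and the inventory is useless. Real deployments extend the segment patterns (slugs, hashes, dates) and compare against the spec's path templates with the same placeholder convention.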
2. Schema Validation
Ensuring that an API behaves properly on valid input, and rejects invalid input and output, is an important part of an overall API security approach. Sending malformed, oversized, or unexpected input to breach an API or coax improper output from it is a popular attacker technique. Requiring that every request and response conform to the API's published schema and specification (for example, its OpenAPI definition), rather than to whatever the backend happens to accept, is an important step in protecting those APIs from attacks and breaches. Validating responses as well as requests also catches endpoints that return more fields than they should. This is definitely another area where an API security solution can help.
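To make the point concrete, here is an added example (not from the original article or any vendor's product) of strict schema validation applied in both directions. The validator is a deliberately small, self-contained subset of JSON Schema; the two schemas for a hypothetical `POST /api/v1/users` are constructed for the example. The key setting is `additionalProperties: False`: on the request side it blocks an attacker from smuggling a `role` field the endpoint never documented, and on the response side it blocks the backend from leaking a field such as `password_hash`.

```python
import re


class SchemaError(ValueError):
    """Raised when a payload does not conform to its schema."""


_TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool}


def validate(value, schema, path="$"):
    """Validate `value` against a small JSON-Schema-like dict.
    Supported keywords: type, properties, required, additionalProperties,
    maxLength, pattern, enum, minimum, maximum. Raises SchemaError on the
    first violation and names the offending location."""
    t = schema.get("type")
    if t == "object":
        if not isinstance(value, dict):
            raise SchemaError(f"{path}: expected object")
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                raise SchemaError(f"{path}.{key}: required field missing")
        if schema.get("additionalProperties", True) is False:
            extra = set(value) - set(props)
            if extra:
                raise SchemaError(f"{path}: unexpected field(s) {sorted(extra)}")
        for key, sub in props.items():
            if key in value:
                validate(value[key], sub, f"{path}.{key}")
        return
    if t in _TYPES:
        # bool is a subclass of int in Python; keep the two types distinct.
        if isinstance(value, bool) and t != "boolean":
            raise SchemaError(f"{path}: expected {t}, got boolean")
        if not isinstance(value, _TYPES[t]):
            raise SchemaError(f"{path}: expected {t}")
    if "maxLength" in schema and len(value) > schema["maxLength"]:
        raise SchemaError(f"{path}: longer than {schema['maxLength']} characters")
    if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
        raise SchemaError(f"{path}: does not match {schema['pattern']}")
    if "enum" in schema and value not in schema["enum"]:
        raise SchemaError(f"{path}: not one of {schema['enum']}")
    if "minimum" in schema and value < schema["minimum"]:
        raise SchemaError(f"{path}: below minimum {schema['minimum']}")
    if "maximum" in schema and value > schema["maximum"]:
        raise SchemaError(f"{path}: above maximum {schema['maximum']}")


# Hypothetical schemas for POST /api/v1/users. Both are strict: any field not
# listed is rejected, which blocks mass assignment on the way in and excess
# data exposure on the way out.
USER_CREATE_REQUEST = {
    "type": "object",
    "required": ["email", "display_name"],
    "additionalProperties": False,
    "properties": {
        "email": {"type": "string", "maxLength": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
        "display_name": {"type": "string", "maxLength": 64},
        "age": {"type": "integer", "minimum": 0, "maximum": 150},
    },
}
USER_RESPONSE = {
    "type": "object",
    "required": ["id", "email", "display_name"],
    "additionalProperties": False,
    "properties": {
        "id": {"type": "integer", "minimum": 1},
        "email": {"type": "string"},
        "display_name": {"type": "string"},
        "role": {"type": "string", "enum": ["user", "admin"]},
    },
}


def check(payload, schema):
    """Return (ok, message) instead of raising, as a gateway filter would."""
    try:
        validate(payload, schema)
        return True, "ok"
    except SchemaError as exc:
        return False, str(exc)
```

Production deployments would use a full JSON Schema or OpenAPI validator library rather than this subset, but the operational lesson is the same: the schema must be strict (no unlisted fields, bounded lengths and ranges) or validation becomes a formality that attackers route around.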
3. Policy Enforcement
Properly defined, intelligent security policies are great, but without strict enforcement they are ineffective. Enforcing API security policies (rate limiting, IP reputation, allow/deny lists, and so on) at the point where traffic enters the API is a must for any API security provider.
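The following Python is an added example of what enforcement of two such policies looks like at a gateway; it is not from the original article or any product. The `Policy` and `Enforcer` classes, the CIDR lists, and the clock injection are all constructed for the example. It applies a deny list and optional allow list first, then a per-client token bucket, and returns the HTTP status the gateway would send.

```python
import ipaddress
import time
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Gateway policy for one route: a per-client token-bucket rate limit,
    a deny list, and an optional allow list (empty allow list = any source)."""
    rate_per_sec: float
    burst: int
    deny: list = field(default_factory=list)
    allow: list = field(default_factory=list)

    def __post_init__(self):
        # Parse CIDR strings once, at policy load time, not per request.
        self.deny = [ipaddress.ip_network(n) for n in self.deny]
        self.allow = [ipaddress.ip_network(n) for n in self.allow]


class Enforcer:
    def __init__(self, policy: Policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock      # injectable so behaviour is testable without sleeping
        self.buckets = {}       # client key -> (tokens remaining, last refill time)

    def _ip_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.policy.deny):
            return False
        if self.policy.allow and not any(addr in net for net in self.policy.allow):
            return False
        return True

    def _take_token(self, key: str) -> bool:
        """Token bucket: refill at rate_per_sec up to burst, spend one per request."""
        now = self.clock()
        tokens, last = self.buckets.get(key, (float(self.policy.burst), now))
        tokens = min(float(self.policy.burst),
                     tokens + (now - last) * self.policy.rate_per_sec)
        if tokens < 1:
            self.buckets[key] = (tokens, now)
            return False
        self.buckets[key] = (tokens - 1, now)
        return True

    def decide(self, client_ip: str, api_key=None):
        """Return (status, reason): 403 for list violations, 429 when the
        client's bucket is empty, 200 to pass. The bucket is keyed on the API
        key when one is present, so a NATed office full of legitimate users is
        not punished for one abusive tenant behind the same address."""
        if not self._ip_allowed(client_ip):
            return 403, "ip_denied"
        key = api_key or client_ip
        if not self._take_token(key):
            return 429, "rate_limited"
        return 200, "allow"
```

Two design points carry over to any real gateway: list checks run before the rate limiter so denied sources cannot consume bucket state, and the rate-limit key is chosen per route (API key, tenant, user, or IP) rather than hard-coded to the source address.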
4. Safeguarding of Sensitive Data
One of the main vulnerabilities of poorly secured APIs is the leaking of sensitive data, such as PII, so using APIs to pilfer this data is another path for attackers. Safeguarding this data involves ensuring the APIs are properly coded and secured, and also verifying that sensitive data is not being inadvertently or improperly transmitted or leaked in API responses. Safeguarding sensitive data should be part of any API security solution.
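Response inspection is how the "verifying" half of that sentence is done in practice. The Python below is an added example, not from the original article or any product: it walks a JSON response body, runs a few pattern detectors (email, US SSN, payment card number with a Luhn check to drop random digit runs such as order IDs), and flags any data class the route is not expected to return. The detector patterns, the per-route expectation table, and the sample response are constructed for the example.

```python
import json
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# kind -> (regex, optional post-filter that must return True to keep a hit)
DETECTORS = {
    "email": (re.compile(r'\b[^@\s"]+@[^@\s"]+\.[A-Za-z]{2,}\b'), None),
    "us_ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    "card_number": (re.compile(r"\b(?:\d[ -]?){13,19}\b"),
                    lambda s: luhn_ok(re.sub(r"\D", "", s))),
}

# Data classes each route is documented to return (hypothetical allow list).
# Anything else found in a response is a finding.
EXPECTED = {("GET", "/api/v1/me"): {"email"}}


def scan_text(text: str):
    """Return [(kind, matched_text)] for every detector hit that survives its post-filter."""
    hits = []
    for kind, (rx, post) in DETECTORS.items():
        for m in rx.finditer(text):
            if post is None or post(m.group(0)):
                hits.append((kind, m.group(0)))
    return hits


def _walk(obj, path="$"):
    """Yield (json_path, leaf_value) for every scalar in a parsed JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def audit_response(method: str, route: str, body_json: str):
    """Flag sensitive data in a JSON response that this route is not expected
    to return. Returns [(kind, json_path)] so the finding names the field."""
    allowed = EXPECTED.get((method, route), set())
    findings = []
    for path, value in _walk(json.loads(body_json)):
        text = value if isinstance(value, str) else json.dumps(value)
        for kind, _ in scan_text(text):
            if kind not in allowed:
                findings.append((kind, path))
    return findings
```

Reporting the JSON path rather than the matched value keeps the finding itself from becoming a second copy of the leaked data, which matters when these alerts flow into a SIEM with a wider audience than the API.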
5. Abuse and DoS Protection
When people think of protection against abuse or denial-of-service (DoS) attacks, they often think about Layers 3 and 4 of the OSI model. Unfortunately, the application layer (Layer 7) where APIs live is sometimes forgotten. Attackers are tuned into this and are always ready to pounce, making Layer 7 protection against abuse and DoS a must.
6. Attack Protection
Attackers are constantly on the lookout for ways to compromise and exploit APIs. A mature API security solution will include signature-based, anomaly-based, and artificial intelligence/machine learning (AI/ML)-based protection against a wide variety of attacks.
7. Access Control
Believe it or not, even in 2023, improper access control, including authentication and authorization, remains one of the main issues plaguing APIs. Whether due to oversights, human errors, haste, or any other reason, improperly controlled access to APIs can have devastating consequences. A good API security solution will provide authentication discovery services (allowing authentication gaps to be discovered), authentication enforcement, and API access control.
8. Malicious User Detection
One useful application of AI/ML is to study, analyze, and draw conclusions about the behavior of clients interacting with APIs. Detecting and stopping users who appear to be malicious can help protect APIs from attack, compromise, and breach as part of an overall API security solution.
9. Configuration and Management
Improper configuration and management of APIs is responsible for far more breaches than it should be. The best API security solutions allow businesses to easily deploy and enforce the right security model. This, in turn, helps ensure that APIs are not misconfigured or mismanaged.
10. Behavioral Analysis
One application of AI/ML that is very relevant to API security is behavioral analysis. The analysis pores over the logs collected from an application's endpoints and APIs, studying sample requests and responses for each API. This maps out the normal behavior of each path and provides the opportunity to generate and track key metrics, such as request size and response size, latency, request rate, error rate, and response throughput, and to flag deviations from that baseline. The process is iterative: the baseline is continuously updated as traffic changes over time. Behavioral analysis should absolutely be part of any API security offering.
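Two of the features above, authentication discovery (item 7) and behavioral analysis (item 10), are both computed from the same gateway logs, so one added example serves both. The Python below is not from the original article or any product; the log records, field names, and the public-endpoint allow list are constructed for the example. `auth_gaps` finds endpoints that answered 2xx to requests carrying no credential, `baseline` builds the per-endpoint profile (count, error rate, median size and latency), and `size_anomalies` uses a median/MAD robust z-score so a single oversized response stands out instead of dragging the mean up with it.

```python
import statistics
from collections import defaultdict

# Constructed gateway log records (one dict per request). In a real deployment
# these come from the gateway access log or a traffic mirror.
LOGS = [
    {"ep": "GET /api/v1/users/{id}", "status": 200, "auth": True,  "ms": 40,  "bytes": 512},
    {"ep": "GET /api/v1/users/{id}", "status": 200, "auth": True,  "ms": 45,  "bytes": 530},
    {"ep": "GET /api/v1/users/{id}", "status": 200, "auth": True,  "ms": 38,  "bytes": 498},
    {"ep": "GET /api/v1/users/{id}", "status": 401, "auth": False, "ms": 5,   "bytes": 60},
    {"ep": "GET /api/v1/users/{id}", "status": 200, "auth": True,  "ms": 900, "bytes": 48000},  # bulk dump?
    {"ep": "GET /api/v1/reports",    "status": 200, "auth": False, "ms": 60,  "bytes": 2048},   # no credential, yet 200
    {"ep": "GET /api/v1/reports",    "status": 200, "auth": True,  "ms": 62,  "bytes": 2100},
    {"ep": "GET /api/v1/health",     "status": 200, "auth": False, "ms": 2,   "bytes": 16},
]

PUBLIC = {"GET /api/v1/health"}   # endpoints documented as intentionally unauthenticated


def auth_gaps(records, public=PUBLIC):
    """Authentication discovery: endpoints that returned 2xx to a request
    carrying no credential, excluding those documented as public."""
    gaps = {r["ep"] for r in records
            if not r["auth"] and 200 <= r["status"] < 300 and r["ep"] not in public}
    return sorted(gaps)


def baseline(records):
    """Per-endpoint behavioral profile: request count, error rate (share of
    4xx/5xx), and median response size and latency of successful requests."""
    by_ep = defaultdict(list)
    for r in records:
        by_ep[r["ep"]].append(r)
    profile = {}
    for ep, rs in by_ep.items():
        ok = [r for r in rs if r["status"] < 400]
        profile[ep] = {
            "n": len(rs),
            "error_rate": round(1 - len(ok) / len(rs), 3),
            "bytes_median": statistics.median(r["bytes"] for r in ok) if ok else 0,
            "ms_median": statistics.median(r["ms"] for r in ok) if ok else 0,
        }
    return profile


def _robust_z(values):
    """Modified z-scores based on median and MAD, so one huge outlier does not
    inflate the baseline the way mean/stdev would. Returns [] when there are
    too few samples or no spread to score against."""
    if len(values) < 3:
        return []
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        return []
    return [0.6745 * (v - med) / mad for v in values]


def size_anomalies(records, threshold=3.5):
    """Successful responses whose size is a robust-z outlier for their endpoint.
    A response a hundred times its neighbours is the classic sign of an
    endpoint returning far more data than it should."""
    by_ep = defaultdict(list)
    for r in records:
        if r["status"] < 400:
            by_ep[r["ep"]].append(r)
    flagged = []
    for ep, rs in by_ep.items():
        scores = _robust_z([rec["bytes"] for rec in rs])
        for rec, z in zip(rs, scores):
            if z > threshold:
                flagged.append((ep, rec["bytes"], round(z, 1)))
    return flagged
```

In production the baseline is computed over a sliding window and re-learned as traffic changes, which is the iterative updating the paragraph describes; the scoring logic itself stays as simple as this, and the choice of robust statistics is what keeps an attacker's own traffic from quietly becoming the new normal.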
While APIs can open many doors for businesses, they can also introduce quite a bit of vulnerability and risk. By understanding the essential elements of an API security solution, buyers can ensure that they acquire a solution that meets their business needs, reduces risk, and improves their overall security posture.