Alex - stock.adobe.com
How to build an API security strategy
Lax API protections make it easier for threat actors to steal data, inject malware and perform account takeovers. An API security strategy helps combat this.
The rapid adoption of APIs, which enable easy integration of systems, helps developers build platforms at a greater velocity than ever before. However, API security is sometimes an afterthought, which has led to a corresponding increase in successful attacks against APIs.
While most organizations have a software security strategy, it often does not adequately address API security specifically. Existing software security tools, such as dynamic and static application security testing, are far less effective against API codebases, and conventional approaches often can't detect many of the top API security risks.
Organizations can't leave API security to chance; they need an API-specific security strategy.
Create an API security strategy: Getting started
Before formulating an API security strategy, stakeholders should ask why they need one. Perhaps it's to address specific regulatory requirements, such as PCI DSS or Payment Services Directive 2; improve security posture; protect critical assets; or respond to an incident. A clear understanding of the why shapes the API security strategy's scope, pace and tactics.
A defining characteristic of API security is that it often involves more stakeholders than traditional software projects. Additional stakeholders could include API product owners, API platform teams and data protection teams. Include input from as wide a range of stakeholders as possible.
After establishing the purpose and stakeholders, it's time to create an inventory, prioritize risks, make quick improvements and implement threat modeling.
Create an API inventory
APIs are everywhere in modern technology stacks and are relatively simple to create and deploy. This means organizations typically have more APIs than they realize -- and lack a complete API catalog.
Create an API inventory to understand the extent of API usage. Ask the API gateway team for a list of APIs and examine code repositories for API specifications.
Conduct an API risk assessment
Once an inventory is complete, conduct a risk assessment to prioritize the APIs. Unless an organization has unlimited resources, it likely cannot secure all APIs from the outset. Focus on the most critical APIs so the API security strategy can deliver improvements to the most critical business assets as soon as possible.
Rank APIs using the following measures:
- Data sensitivity. Prioritize APIs that host highly sensitive data, such as personally identifiable information.
- Business impact. Prioritize APIs that serve the most critical business functions, such as an airline ticketing back-end API.
- Technical risk factors. Prioritize APIs hosted on obsolete or unsupported systems, such as legacy hardware.
Consider API security posture for quick wins
It is important to show early progress to win support from stakeholders. APIs have a lot of areas to find quick wins that can lead to significant improvements in security posture. Consider the following:
- Run a network vulnerability scan to identify exposed APIs without transport security or those missing authentication.
- Audit the existing API gateway implementation and enable all security features with sensible policies. This can be done centrally and globally -- and it can be a quick, efficient security improvement.
- Audit network traffic logs for suspicious activity, such as frequent 403 errors or 429 rate-limiting errors that indicate attacks on APIs.
Secure APIs via threat modeling
Threat modeling is a key component of any security strategy. It aims to identify the attack surface, architecture and implementation details and potential weaknesses. For APIs, conduct threat modeling at the organization level -- on SaaS platforms, API gateways, authentication, etc. -- and on individual APIs by focusing on design and implementation faults that can lead to security risks.
Build and execute the API security strategy
There is no one-size-fits-all API security strategy. An organization's specific motivations for API security will drive the elements of its strategy. For example, organizations in highly regulated industries should focus primarily on governance, while organizations recovering from a breach will likely focus more on protection.
A holistic API security strategy generally focuses on the following six core pillars:
- Inventory. Keep an up-to-date inventory to maintain visibility of the attack surface. Focus on how new APIs are introduced to the organization, monitoring of code repositories for APIs and runtime detection of API traffic.
- Design. Use a shift-left philosophy to design APIs, focusing on key areas such as authentication, authorization and data privacy requirements. Enforce the use of a design-first approach via OpenAPI specifications, which allow automated linting tools to analyze APIs' code and send alerts about any issues discovered.
- Development. Extend existing secure development guidelines to include API specifics, such as configuring libraries and frameworks to be secure by default, using centralized authentication and authorization, and other defensive coding practices.
- Testing. Automated and continuous testing of APIs for security defects can dramatically improve API security for DevSecOps teams. Automated tests can identify authentication and authorization issues, excessive information exposure, input validation issues and missing rate limiting. They can also identify deviations from the OpenAPI specification and invalid responses or status codes. These tests are executed in near real time with immediate and accurate feedback, making them well-suited to continuous integration/continuous delivery pipelines.
- Protection. To bolster API security, employ runtime protection of APIs using API gateway features or API firewalls. Enforce JSON Web Token validation, secure transport and brute-force protection. Integrate API logging into SIEM systems and monitor it proactively in the security operations center.
- Governance. An API security strategy should include governance of API development. Having API security controls and best practices defined as part of a strategy also requires a governance process to ensure such controls are deployed and enforced uniformly across the organization.
When devising a strategy, consider the initial scope, which can encompass two approaches:
- Deep and narrow, where a narrow scope of APIs is selected for an in-depth focus.
- Shallow and broad, where all APIs are in scope for the strategy.
Generally, going broad first and then sharpening the focus works well for most organizations.
After defining the strategy, the final step is clear and open communication with all stakeholders. These should include the reasons for the initiative, focus areas, timelines and expectations from relevant stakeholders. Also, include details of operational aspects, such as tracking and reporting.
Track progress of the API security strategy
To track the strategy's success over time, measure various metrics to determine performance and progress. Metrics fall into two main categories:
- Process metrics. These include percentage coverage, compliance, exceptions, time to remediate, APIs protected, etc.
- Technical metrics. These include counts of flaws identified, categories of flaws, issues detected, etc.
Establish a performance indicator for each metric and track its progress using central dashboards.
Colin Domoney is a software security consultant who evangelizes DevSecOps and helps developers secure their software. He previously worked for Veracode and 42Crunch and authored a book on API security. He is currently a CTO and co-founder, and an independent security consultant.
