Application Programming Interfaces (APIs) have proliferated and become a critical component of delivering modern applications. Applications are now typically written to provide a front-end experience to users and rely on backend APIs to perform specialized functions or to grant access to the data the application uses. The user sees and interacts with the front end of the application without realizing that all the information the application presents is being gathered through APIs.
This is the case for browsers, web servers, mobile applications, gaming, streaming services, etc. Applications can be brought to market more quickly by using APIs to reduce the amount of new development necessary. APIs also allow developers to quickly make changes or additions to existing applications. Because of all this, the number of APIs continues to grow at an increasing rate, raising several API challenges.
Why API security is important.
This dependence on and growth of APIs brings with it an increased risk of security exposure, as each externally facing API increases your potential attack surface. Malicious actors are aware that APIs offer another potential entry point through security defenses and that sensitive data is commonly reachable through API access. This, coupled with the fact that APIs tend to have less mature security defenses in place than applications, makes them a prime target for attackers.
The other challenge with APIs is that they are relatively easy to develop and deploy on the Internet, thanks to cloud-based hosting services. This has created an environment where independent business units or groups within a business unit will create their own APIs for projects that they are working on, sometimes inadvertently exposing sensitive data. The intent may be to use the site temporarily during development, but as priorities and personnel shift, many of these APIs are left in place indefinitely. These “shadow” APIs are difficult for IT organizations to discover or manage, creating a blind spot in a company’s defenses.
What are the pillars of API security?
Businesses are turning towards API security solutions to help protect this part of their application landscape. According to a recent MarketsandMarkets report, the API security market is in heavy growth mode at $744M in 2023 and growing at a 32% Compound Annual Growth Rate. This includes a variety of solutions ranging from passive monitoring and risk management to active detection/blocking of threats, delivered as both software and services.
It is a complex landscape of options that can confuse and overwhelm prospective buyers who are looking to reduce their risk. Here’s some guidance on why API security is important and the top areas a buyer should consider when deciding on an API solution and the considerations under each area:
Software/hardware or SaaS-based solutions.
API security solutions can be delivered as appliances that are deployed in a company’s data center, as software that can be deployed in a company’s data center or cloud environment, or as a hosted SaaS-based solution in the cloud. The most appropriate solution for an environment will largely depend on the resources available to manage the solution. If a business lacks systems administrators and network engineering resources, the better choice will be a hosted SaaS solution so that the buyer would only need to focus on the tool itself, allowing someone else to do the installation, network management, and lifecycle maintenance of the software.
Latency is also a consideration, although it is rarely a major factor, as none of these deployment models introduces significant latency to the API. On-premises and cloud solutions can be deployed directly adjacent to the API source, and SaaS solutions are often deployed in cloud environments very close to the source of the APIs or on the network edge very close to users of the API.
Self-managed, installation assistance, or managed solutions.
Regardless of whether it is a SaaS service or on-premises deployment, API security products and services can be offered as self-managed, with some professional services included, or fully managed. The decision on which of these would be most appropriate is dependent again on available resources.
Organizations that have larger security teams with appropriate expertise can tailor API defenses to their specific needs and operational practices while taking advantage of the cost advantages of self-managed solutions. However, many organizations lack the resources with the appropriate expertise to make effective use of the tool or service. These organizations could benefit from purchasing additional professional services to help with initial and ongoing configuration and tuning of the policies. When no resources are available, a fully managed service, although generally more expensive, may be the best option.
API discovery.
As mentioned previously, shadow APIs are a major risk factor for businesses as you cannot protect what you don’t know about. As such, the first thing that needs to be learned is what APIs your business is exposing to the internet. This can be done passively through SaaS-based tools that will learn your API landscape by scanning for common and uncommon API endpoints within your domain. With nothing to install, a cloud-based API scanner can quickly provide a lot of value in discovering otherwise unknown APIs.
However, it will also be limited to discovering APIs and endpoints that follow common naming conventions. An API called “API_&^contains#$sensitive@+info.api.xyz.com” is probably not going to be discovered passively, but it still may have data exposed or be vulnerable to attacks if a bad actor discovers it. For this reason, passive or in-line proxy-based API runtime analysis is a good complementary solution. API runtime analysis can be used to monitor and record what API endpoints are actually receiving queries for a given domain. This can discover active APIs that the passive API monitoring tool may not have caught.
API schema conformance.
API schemas are the public-facing and machine-readable documentation of APIs and are used to enumerate and describe all the endpoints of the API along with their functions. It is a good practice to consistently check APIs against their published schema to ensure that all defined endpoints are validating input consistently with the schema, as APIs that accept invalid requests are vulnerable to abuses and exploits. It’s also immensely important to detect when an active API or endpoint is not included in the published schema, as this could signify, at best, a missing component in the API documentation and, at worst, an undocumented, unsecured shadow API.
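The two checks described above, runtime discovery of endpoints that are actually receiving traffic and conformance of those requests to the published schema, can be combined into one audit over access logs. The following is an added example, not code from the original post or from any product it mentions; the "orders" spec fragment, the log lines and the verdict labels are all constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed, simplified OpenAPI-style spec for a hypothetical "orders" API:
# path template -> allowed methods -> documented query parameters.
SPEC = {
    "/v1/orders": {"GET": {"query": {"limit": {"type": "integer"}}}},
    "/v1/orders/{id}": {"GET": {"query": {}}},
}

# Constructed access-log lines in a "METHOD path status" shape.
LOG_LINES = [
    "GET /v1/orders?limit=10 200",
    "GET /v1/orders?limit=abc 200",          # schema says integer
    "GET /v1/orders/123 200",
    "POST /v1/orders/123 405",               # method not in schema
    "GET /v1/internal/export?all=1 200",     # endpoint absent from schema
]

def _template_to_regex(template):
    # Templates here contain no regex metacharacters other than {param}.
    return re.compile("^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$")

def _value_ok(value, schema):
    # Minimal type check; a real validator would cover the full JSON Schema.
    return value.isdigit() if schema["type"] == "integer" else True

def check_request(method, url):
    """Classify one request against SPEC: 'ok', 'undocumented-path',
    'undocumented-method' or 'invalid-param:<name>'."""
    parsed = urlparse(url)
    for template, methods in SPEC.items():
        if _template_to_regex(template).match(parsed.path):
            if method not in methods:
                return "undocumented-method"
            allowed = methods[method]["query"]
            for name, values in parse_qs(parsed.query).items():
                if name not in allowed:
                    return f"invalid-param:{name}"
                if not all(_value_ok(v, allowed[name]) for v in values):
                    return f"invalid-param:{name}"
            return "ok"
    # No template matched: a live endpoint the schema does not document,
    # i.e. a documentation gap at best and a shadow API at worst.
    return "undocumented-path"

def audit(lines):
    """Run check_request over log lines; returns a list of (line, verdict)."""
    results = []
    for line in lines:
        method, url, _status = line.split()
        results.append((line, check_request(method, url)))
    return results
```

Undocumented paths and methods are the findings to route to the API owner; invalid-param hits show where the endpoint is accepting input the schema says it should reject.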
API risk management.
Many APIs are used for processing sensitive data such as credit card numbers, usernames and passwords, Personally Identifiable Information (PII), and confidential company information. When this is the case, special care must be taken to ensure the confidentiality of this information is maintained. An API risk posture management solution monitors the types of information available through an API and detects potential data exposure caused by weaknesses such as insufficient authentication or a lack of encryption.
API attack detection/mitigation.
APIs are critical to applications, and they are potential ingress points into the application or business network. Threat actors recognize this and often make APIs the target of attacks and fraud. Bots are often employed to continuously scan, monitor, and attack API infrastructure. They are also used to conduct activities such as brute force attacks, credential stuffing, content scraping to gain intelligence from the API, DDoS attacks to take down the API, and scanning to identify vulnerabilities that allow access to the data behind the API.
Having the ability to detect any of these threats and apply some type of countermeasure, such as blocking or re-directing the request, is the most important component of maintaining the security of APIs. The detection and countermeasure capabilities must also cover the full extent of the threat, including the prevention of fraud, advanced bot management, and blocking of common API attacks such as those documented in the OWASP Top 10. This is an area where the lines are blurred between applications and APIs, as attacks can be levied against either or both. It is, therefore, important that a solution addresses both areas.
API proxy versus passive monitoring deployment.
API solutions can be deployed as a proxy in-line with the API traffic or as a solution that passively monitors API traffic as it crosses other network infrastructure. There are several strong advantages to deploying API security as a proxy. A proxy can terminate SSL directly, so it is simpler for the proxy to decrypt the traffic and inspect it. Since all traffic can be inspected in real time, it can be blocked in real time.
A proxy can also be used as a direct enforcement point, blocking or re-directing the API request or modifying the API request as required. Passive monitoring deployments can be effective but have several drawbacks. First, they require that an in-line device, such as a WAF or API gateway, decrypt the traffic for inspection and send the resulting traffic to the passive monitoring system. If an API request is detected as malicious, a rule would then need to be pushed to an in-line device so that future requests of the same type are blocked.
This is generally a much slower path to blocking than a proxy offers and will often let some attack traffic through before the traffic is identified as malicious and blocking takes place. It also requires complex integrations between products that often come from different vendors.
API testing.
Synthetic API testing is a strong complement to any API security solution as this allows you to understand the behavior of APIs regardless of whether there is any traffic going to them. As new APIs are rolled out and others are modified, an API testing solution gives you the ability to detect any issues or unintended data exposure within your known APIs.
Get the most from your API security.
As is probably evident from the length of this post, there are a lot of considerations involved in choosing the most appropriate API security solution for your business. There are a lot of different solutions in the market ranging from point products for a specific function to comprehensive platforms such as Vercara’s recently announced UltraAPI that can provide most of the functions noted in this document. It is helpful to understand all the options so that you can make an informed decision to minimize your risk and maintain a comprehensive API security audit checklist that covers all areas of API security.