When it comes to achieving effective IT security, many organisations often overlook a potential point of weakness in their infrastructures – APIs. Ashley Diffey from Ping Identity explores.
Application programming interfaces (APIs) allow applications to request data from, or provide data to, other applications. Whether an application targets consumers, employees or partners, its client-side portion (such as a mobile app) interacts with the server-side portion via an API.
Usage of APIs has increased significantly during the past few years. This trend has been fuelled by digital transformation and the central role that APIs play in both mobile commerce and the internet of things (IoT). This, in turn, is leading to API security becoming a serious concern.
API security includes access control and privacy, as well as the detection and remediation of attacks. These attacks can occur through the reverse engineering of the APIs and subsequent exploitation of exposed vulnerabilities.
These vulnerabilities are exposed because APIs are often reachable over public networks and tend to be well documented. APIs are also highly sensitive to denial-of-service (DoS and DDoS) attacks, which makes them attractive targets for bad actors.
According to analyst firm Gartner, by 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications. The firm recommends organisations adopt a continuous approach to API security across the development and delivery cycle and design security directly into APIs.
Protective measures
Thankfully, APIs do gain some protection from security measures an organisation is likely to have in place already. For example, APIs usually sit behind a firewall, and some are also behind a web application firewall (WAF). A WAF can scan API traffic using signature-based threat detection, looking for things such as SQL injection and other known attacks.
API gateways also play a role in threat detection. A gateway can enforce a strict schema on incoming requests, look for deep nesting patterns and XML bombs, and apply rate limits, in addition to acting as a policy enforcement point.
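The gateway checks described above, as an added example that is not code from the original article or from Ping Identity: a byte-level nesting scan that rejects deeply nested JSON before it ever reaches a parser, a rule that refuses XML carrying a DOCTYPE or ENTITY declaration (the ingredients an XML bomb depends on), and a per-client sliding-window rate limiter. The limits (`MAX_JSON_DEPTH`, `RATE_LIMIT`, and so on) and the sample requests are constructed values for this illustration, not a vendor's defaults.

```python
from __future__ import annotations

import json
import re
import time
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Policy limits are hypothetical values chosen for this example, not a vendor's defaults.
MAX_JSON_DEPTH = 8
MAX_BODY_BYTES = 64 * 1024
RATE_LIMIT = 5              # requests per client ...
RATE_WINDOW_SECONDS = 60    # ... per sliding window

# An XML bomb relies on entity expansion, which needs a DOCTYPE with ENTITY declarations.
# A public API has no business accepting either, so the gateway rejects them outright.
_XML_DOCTYPE_OR_ENTITY = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def max_nesting(body: bytes) -> int:
    """Deepest bracket nesting in raw JSON bytes, measured without parsing.

    Scanning bytes (rather than calling json.loads first) means a deeply nested payload
    is rejected before it can exhaust the parser's stack. String literals are tracked so
    that brackets inside strings are not counted.
    """
    depth = deepest = 0
    in_string = escaped = False
    for b in body:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:          # backslash starts an escape sequence
                escaped = True
            elif b == 0x22:          # unescaped quote ends the string
                in_string = False
        elif b == 0x22:
            in_string = True
        elif b in (0x7B, 0x5B):      # '{' or '['
            depth += 1
            deepest = max(deepest, depth)
        elif b in (0x7D, 0x5D):      # '}' or ']'
            depth = max(depth - 1, 0)
    return deepest


class SlidingWindowLimiter:
    """Per-client sliding window: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._hits: dict[str, deque] = {}

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits.setdefault(client_id, deque())
        while hits and now - hits[0] >= self.window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


@dataclass
class Decision:
    allowed: bool
    reason: str = "ok"


class ApiGateway:
    def __init__(self) -> None:
        self.limiter = SlidingWindowLimiter(RATE_LIMIT, RATE_WINDOW_SECONDS)

    def inspect(self, client_id: str, content_type: str, body: bytes,
                now: Optional[float] = None) -> Decision:
        if not self.limiter.allow(client_id, now):
            return Decision(False, "rate_limited")
        if len(body) > MAX_BODY_BYTES:
            return Decision(False, "body_too_large")
        if content_type.startswith("application/json"):
            if max_nesting(body) > MAX_JSON_DEPTH:
                return Decision(False, "json_nesting_too_deep")
            try:
                json.loads(body)        # strict schema validation would follow here
            except ValueError:
                return Decision(False, "json_malformed")
            return Decision(True)
        if content_type.startswith(("application/xml", "text/xml")):
            if _XML_DOCTYPE_OR_ENTITY.search(body):
                return Decision(False, "xml_doctype_or_entity_forbidden")
            return Decision(True)
        return Decision(False, "unsupported_content_type")


def demo() -> list[str]:
    """Run constructed sample requests through the gateway and return the decision reasons."""
    gw = ApiGateway()
    deep = b"[" * (MAX_JSON_DEPTH + 1) + b"]" * (MAX_JSON_DEPTH + 1)
    samples = [
        ("alice", "application/json", b'{"order": {"items": [1, 2, 3]}}'),
        ("bob",   "application/json", deep),
        ("carol", "application/json", b'{"note": "[[[[[[[[[[[[[[[[[[[["}'),  # brackets in a string
        ("dave",  "application/xml",  b'<!DOCTYPE x [<!ENTITY a "aaaa">]><r>&a;</r>'),
        ("erin",  "application/xml",  b"<order><id>42</id></order>"),
    ]
    reasons = [gw.inspect(c, ct, body, now=0.0).reason for c, ct, body in samples]
    # the same client exceeding RATE_LIMIT within one window is throttled
    burst = [gw.inspect("frank", "application/json", b"{}", now=0.0).reason
             for _ in range(RATE_LIMIT + 1)]
    reasons.append(burst[-1])
    return reasons
```

The nesting scan runs before `json.loads` on purpose: a recursive parser is exactly the component a deep-nesting payload targets, so the cheap check has to come first. Rejecting any DOCTYPE is coarser than inspecting entity definitions, but it is the standard gateway posture because an API schema never needs one.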
In the end, security is everybody’s job because APIs touch backend services, databases, and other parts of an organisation’s IT infrastructure. This, in turn, means that every component needs to be secured.
Measures should start at the transport level, by serving the API over SSL/TLS (HTTPS) and enforcing TLS 1.2. There is also a need to get rid of things like HTTP basic authentication.
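The transport-level baseline just described, as an added example that is not from the original article or from Ping Identity: a server-side TLS context that refuses anything below TLS 1.2, the matching client context with certificate verification on, and a request check that rejects plaintext HTTP and `Authorization: Basic` in favour of bearer tokens. The certificate paths and the sample headers are hypothetical.

```python
from __future__ import annotations

import ssl
from typing import Optional


def server_tls_context(certfile: Optional[str] = None,
                       keyfile: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for the API server that refuses anything older than TLS 1.2.

    certfile/keyfile are hypothetical paths; when omitted the context is returned
    without a certificate so the policy itself can be inspected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 and SSLv3 are refused
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def client_tls_context() -> ssl.SSLContext:
    """Context for callers of the API: certificate verification on, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_transport_policy(scheme: str, headers: dict) -> list[str]:
    """Return the policy violations for one request (an empty list means it passes)."""
    problems: list[str] = []
    if scheme.lower() != "https":
        problems.append("plaintext_http")
    # header names are case-insensitive
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        problems.append("missing_authorization")
    else:
        auth_scheme = auth.split(" ", 1)[0].lower()
        if auth_scheme == "basic":
            problems.append("basic_auth_forbidden")   # credentials on every request
        elif auth_scheme != "bearer":
            problems.append("unsupported_auth_scheme")
    return problems
```

Behind a load balancer the scheme usually arrives as a forwarded header rather than from the socket, so the `scheme` argument here stands for whatever the deployment trusts for that.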
Security best practices
When it comes to effectively securing APIs, there are a range of best-practice measures that can be applied. These include:
Detecting and stopping API breaches is only part of an effective response to threats. Each incident also needs to be forensically recorded so that a complete picture of exactly what took place can be assembled. This allows security teams to review existing protective measures and determine where additions and changes need to be made.
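One way to keep the forensic record the paragraph calls for, as an added example that is not from the original article or from Ping Identity: an append-only incident log in which every entry carries the hash of the previous entry, so that a record edited, dropped or reordered after the fact is detected by `verify()`. Storing the payload's SHA-256 and length (with the raw body kept in separate evidence storage) is a design choice of this example; the client ids, addresses and timestamps are constructed.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64     # prev_hash of the first record


@dataclass
class IncidentRecord:
    timestamp: str
    client_id: str
    source_ip: str
    method: str
    path: str
    reason: str          # which control fired (e.g. a gateway decision reason)
    body_sha256: str     # fingerprint of the payload; the raw body goes to evidence storage
    body_length: int
    prev_hash: str
    record_hash: str = ""


def _hash_record(rec: IncidentRecord) -> str:
    """SHA-256 over the canonical JSON of every field except record_hash itself."""
    fields = {k: v for k, v in asdict(rec).items() if k != "record_hash"}
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class IncidentLog:
    """Append-only incident log. Each record hashes the previous one, so a deleted,
    reordered or edited entry breaks the chain and verify() reports it."""

    def __init__(self) -> None:
        self.records: list[IncidentRecord] = []

    def record(self, client_id: str, source_ip: str, method: str, path: str,
               reason: str, body: bytes, timestamp: Optional[str] = None) -> IncidentRecord:
        rec = IncidentRecord(
            timestamp=timestamp or datetime.now(timezone.utc).isoformat(),
            client_id=client_id, source_ip=source_ip, method=method, path=path,
            reason=reason, body_sha256=hashlib.sha256(body).hexdigest(),
            body_length=len(body),
            prev_hash=self.records[-1].record_hash if self.records else GENESIS_HASH,
        )
        rec.record_hash = _hash_record(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        prev = GENESIS_HASH
        for rec in self.records:
            if rec.prev_hash != prev or _hash_record(rec) != rec.record_hash:
                return False
            prev = rec.record_hash
        return True

    def to_jsonl(self) -> str:
        """One JSON object per line, the form most log pipelines ingest directly."""
        return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in self.records)


def demo() -> tuple[bool, bool]:
    """Constructed incidents: the chain verifies, then fails once a record is altered."""
    log = IncidentLog()
    log.record("bob", "198.51.100.7", "POST", "/v1/orders", "json_nesting_too_deep",
               b"[" * 50 + b"]" * 50, timestamp="2024-01-01T00:00:00+00:00")
    log.record("dave", "203.0.113.9", "POST", "/v1/import", "xml_doctype_or_entity_forbidden",
               b"<!DOCTYPE x [<!ENTITY a 'a'>]><r>&a;</r>", timestamp="2024-01-01T00:00:05+00:00")
    intact = log.verify()
    log.records[0].reason = "ok"       # an after-the-fact edit to the first record
    return intact, log.verify()
```

The chain only proves that the log is internally consistent; to make it evidence, periodically anchor the latest `record_hash` somewhere the gateway cannot write (a separate system, a signed timestamp), so that truncating the whole tail is also detectable.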
APIs will continue to play a pivotal role in IT infrastructures for many years to come. Taking steps to ensure effective security is in place will allow associated benefits to be enjoyed and risks to be lowered.
Ashley Diffey is the head of APAC and Japan at Ping Identity.