So … you think you’ve mastered API security?

Learn what API security is, along with key weapons that you can arm yourself with to defend your systems from attacks by API hackers and intruders.

Brenton House

APIs are everywhere – and API security is of the utmost importance for every organization.

Because I have spent my entire career in the world of APIs and Internet applications, I have seen first-hand some of the vulnerabilities that can exist with APIs.

According to a recent Gartner CIO and Technical Executive survey, cyber and information security are at the top of the list for planned investments in 2022. Do you think your APIs are secure?

Let’s start with some basics.

What is API security?

The simple answer is that it is about applying and managing security for your APIs. But we all know there is nothing simple about API Security.

In 1983, there was a movie called War Games about a boy, David, played by Matthew Broderick, who hacks into NORAD’s Military Computer System and accidentally ALMOST starts World War III. The movie got the attention of the most powerful man in the world. 

According to journalist Fred Kaplan, after seeing a special screening of the movie “War Games,” then-President Ronald Reagan asked the US Military Joint Chiefs of Staff if something like this could really happen. He asked, “Could someone just break into our most sensitive computers?”

A week later, the General’s response was: “The problem is much worse than you think.” From that moment on, U.S. cybersecurity and defense policy would never be the same.


Fast forward almost 40 years and everyone with a smartphone now has a computer more powerful than any supercomputer that existed at that time. YouTube is now full of free videos and training on how to code and become a serious developer (or a hacker). What that means is that almost anyone, from anywhere, in any country, could be trying to get into your APIs and systems TODAY. Everyone needs to be educated and prepared to defend against API attacks, malicious or not.

Fortunately, there is a lot that you can do to protect your APIs (and in turn your company) against hacking. We will be covering them in upcoming articles in our API Cybersecurity 101 series.

API gateway

There are some key weapons to defend your systems from attacks by API hackers and intruders. The core of your API security is going to be an API gateway. An API gateway can provide protection against a lot of things, including denial-of-service (DoS) attacks. It can also provide API monitoring, logging and API rate limiting. It can restrict traffic based on IP addresses and other metadata, handle security token validation and much more. The API gateway makes it easy to create, maintain, monitor and secure your APIs.
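To make the controls named above concrete, the following Python is an added example, not code from the original article or from any gateway product. It models one admission decision that combines an IP restriction, security token validation and rate limiting keyed on the authenticated client. The names `Gateway`, `admit`, `sign` and `verify`, the HMAC token format and all policy values are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample policy: every value here is illustrative.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SIGNING_KEY = b"constructed-demo-key"
RATE, BURST = 2.0, 3  # tokens refilled per second, and bucket capacity


def sign(client_id: str) -> str:
    """Issue a demo token: the client id plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(SIGNING_KEY, client_id.encode(), hashlib.sha256).hexdigest()
    return f"{client_id}.{tag}"


def verify(token: str):
    """Return the client id if the token's tag is valid, otherwise None."""
    client_id = token.rpartition(".")[0]
    ok = client_id and hmac.compare_digest(token.encode(), sign(client_id).encode())
    return client_id if ok else None


class Gateway:
    def __init__(self):
        self.buckets = {}  # client id -> (tokens left, time of last request)

    def admit(self, src_ip: str, token: str, now: float):
        """Return (HTTP status, reason) for one request arriving at time `now`."""
        try:
            ip = ipaddress.ip_address(src_ip)
        except ValueError:
            return 400, "malformed source address"
        if not any(ip in net for net in ALLOWED_NETS):
            return 403, "source address not allowed"
        client = verify(token)
        if client is None:
            return 401, "invalid token"
        # Token bucket per authenticated client, not per IP address.
        tokens, last = self.buckets.get(client, (float(BURST), now))
        tokens = min(BURST, tokens + (now - last) * RATE)
        allowed = tokens >= 1
        self.buckets[client] = (tokens - 1 if allowed else tokens, now)
        return (200, "forwarded to backend") if allowed else (429, "rate limit exceeded")
```

Because the bucket is keyed on the verified client id, the limit follows the client even when requests arrive from several addresses inside the allowed range.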

Web application firewalls (WAF)

A web application firewall (or WAF) stands between the public traffic and your API gateway or application. A WAF can give you some additional protection against things like bots by using security rules, machine learning and, sometimes, artificial intelligence. It can provide malicious bot detection, identify attack signatures and provide additional IP intelligence. A WAF can block bad traffic before it even reaches your gateway.

Standalone security products

There are also standalone security products. These products support features that can be broken down into categories such as real-time protection, static code and vulnerability scanning, build-time checking and security fuzzing.

Many of the security products on the market will support features in some or all of these categories.

Security in code

Finally, we have security that is internal to the API or applications themselves. I am not going to go into this very much in this article, but I will simply point out that the resources required to ensure that all the security is properly implemented in your API code can be difficult to apply consistently across your entire API portfolio.

API security precautions

With any security feature or product, it is important to remember that security is a moving target. You need to know that the product (or products) that you use will stay up to date in protecting you against the latest vulnerabilities.

But doesn’t an API gateway implement “security as a feature”? Yes. And it is a critical part of your API management security strategy. API gateways integrate with, and work well with, standalone API security products and WAFs to provide solid and comprehensive protection for your APIs. Leaving out the core part of your API security strategy, such as an API gateway (a component that probably knows more about your APIs and the context of your traffic than any other system), is a really bad idea.

If your only focus is on using WAFs or external security products and you ignore (or misconfigure) the protection provided by your API gateway security, you could be leaving yourself wide open for an attack. Don’t leave yourself vulnerable!

API Security Black Box?

All of this only reinforces the fact that there is not a one-size-fits-all solution for API security. You can’t just buy an “API security black box” from Best Buy, plug it in, and suddenly everything is protected.

To implement a proper API security solution, it is important to understand your APIs, the third-party APIs you use, and the functionality and value your APIs are adding to your organization. This will help you better grasp how API security ties into integrations with your partners and users. API security is still one area that will require you to spend some time and resources to ensure it is implemented (and CONTINUES to be implemented) correctly.

Security for API integrations

When you are looking at your API ecosystem, don’t forget about API integrations and the third-party APIs that you will be integrating with. If these third-party APIs, or the integrations themselves, are insecure, your data, internal systems and APIs could be compromised. Using a solid API integration solution (like Software AG’s webMethods.io) with a proven track record can not only protect your API integrations but also work seamlessly with your API gateway platform.

API Cybersecurity 101

To better equip organizations and help individuals better protect themselves and their APIs, we have created a new series of videos and blog posts called API Cybersecurity 101. The purpose of this series is to educate and equip everyone from developers to executives with the resources they need to shield and protect their APIs.

And take a look below at the Top 10 OWASP Vulnerabilities for API Security Explained!