APIs under attack: upgrade your security now

The API security threat is often underestimated. Many companies are still unaware of the security implications of APIs and are caught by surprise.

Matthias Biehl

The API security threat is often underestimated, as a growing number of security incidents painfully testify.
APIs are quickly becoming the primary attack vector for enterprise IT systems. Too many organizations are still unaware of the security implications for APIs, and are hit by surprise – don’t be one of them!

Growing awareness for API security

We know APIs are THE enablers for digital business – that is why more and more organizations invest in their API portfolio, building more and more APIs for mobile, IoT, web and partner integrations. This development is reflected in API traffic now making up 83% of Internet traffic. And in the race to win digital business, organizations build APIs faster than ever. It is important not to lose sight of quality, non-functional aspects and, especially, security.

On the one hand, APIs make it easier for customers and partners to connect and exchange data but, on the other, when not properly secured, APIs make it easier for hackers to exploit applications and data. Insecure APIs can be a substantial risk factor and can quickly undermine your customers’ trust and your efforts in building a digital business.

API security is everyone’s concern – not only the security department. Architects, developers, testers, security experts, operations and product managers all need to be aware of API security threats and work together to deliver secure APIs.

How to adapt to the new reality?

Creating awareness for security issues in APIs is the first step, but this needs to be followed up with managing and governing APIs, sophisticated API security engineering practices, API security testing, and secure API operations.

The first level of defense – managing APIs with an API management solution – allows you to govern your APIs and apply consistent security policies, such as authentication, coarse-grained authorization, data validation, threat protection, and throttling of API requests.

As attackers raise the bar, you need to step up your game for API security.

The OWASP Top 10 for API Security shows new security threats – mainly based on logical errors in the API business logic. To catch them, upgrading your security engineering and testing practice is often required.

But these new and more rigorous API security practices should not slow down the creation and deployment of your APIs. If you want to keep your pace of cranking out APIs to support your digital business, but also want to increase the security of your API portfolio, you need to invest in specialized automated tools for API security, such as Noname Security.

Noname Security is a partner of Software AG, and its security tool complements webMethods API management. If you want to dive deeper into best practices for APIs and the tools that help you automate many of the tasks, watch my interview with David Thomason from Noname Security.