API Cyber Security Explained!
Everything you need to know about API Security and Cybersecurity
So you think your APIs are secure?
You might want to take another look at your security.
APIs are everywhere and API Security is of the utmost importance for every organization. According to a recent Gartner CIO and Technical Executive survey, Cyber and Information security are at the top of the list for planned investments in 2022.
As someone who has spent my entire career in the world of APIs and Internet applications, I have seen first-hand the vulnerabilities that can exist with APIs.
This is part of the API Cybersecurity 101 series by Senior API Strategist, Brenton House.
So let’s start with the basics.
What is an API?
The acronym API stands for Application Programming Interface. Basically, it is the agreed-upon way in which non-human systems (or applications) talk to each other! Most often, people are talking about Web APIs, which include things like REST, GraphQL, gRPC, SOAP, etc. The introduction of smartphones caused an exponential growth and adoption of APIs, as pretty much every single mobile application uses APIs.
What is API Security?
The simple answer is that it is about applying and managing security for your APIs but we all know, there is nothing simple about API Cybersecurity.
In 1983, there was a movie called War Games that was released to theaters. You may have never heard of the movie but it was about a boy, David, played by Matthew Broderick, who hacks into NORAD’s Military Computer System and accidentally ALMOST starts World War III. The movie got the attention of the most powerful man in the world, at that time.
According to journalist Fred Kaplan, after seeing a special screening of the movie “War Games”, then-President Ronald Reagan asked the U.S. Military Joint Chiefs of Staff if something like this could really happen. He asked, “Could someone just break into our most sensitive computers?” A week later, the General’s response was:
“The problem is much worse than you think.”
From that moment on, U.S. Cybersecurity and Defense policy would never be the same.
Fast forward almost 40 years and everyone with a smartphone has a computer more powerful than any supercomputer that existed at that time. YouTube is now full of free videos and training on how to code and become a serious developer (or a hacker). What that means is that almost anyone, from anywhere, in any country, could be trying to get into your APIs and systems TODAY. Everyone needs to be educated and prepared to defend against API attacks, malicious or not.
What most don’t understand is that API security starts with humans, not computers.
If someone puts their password on a sticky note attached to their monitor, it doesn’t matter how many security checks you do, how much security code you have in place, or what different security products you have installed.
There are, however, a lot of things that you can do to protect yourself and minimize damage from this and other forms of social hacking. We will be covering this in upcoming articles of our API Cybersecurity series.
OWASP Top 10 List for APIs
One thing you might have heard of and need to pay attention to is OWASP.
OWASP is the Open Web Application Security Project.
It’s an international non-profit organization dedicated to web application security.
What they are probably most well-known for is their recurring Top 10 list of Web Vulnerabilities.
But in addition to their lists of web vulnerabilities, they also came out with a Top 10 list for APIs. It is now a few years old, but all of these are still important factors to consider with your API Security.
The latest OWASP API Security Top 10 list includes:
- API1:2019 Broken Object Level Authorization
- API2:2019 Broken User Authentication
- API3:2019 Excessive Data Exposure
- API4:2019 Lack of Resources & Rate Limiting
- API5:2019 Broken Function Level Authorization
- API6:2019 Mass Assignment
- API7:2019 Security Misconfiguration
- API8:2019 Injection
- API9:2019 Improper Assets Management
- API10:2019 Insufficient Logging & Monitoring
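Two of the items above, API1 (Broken Object Level Authorization) and API6 (Mass Assignment), are easiest to understand when the vulnerable handler sits next to the hardened one. The example below is an added illustration, not code from this article or from Software AG; the orders, user names, `Request` class and every function in it are constructed assumptions.

```python
"""Two items from the OWASP API Security Top 10 (2019) shown in code: API1
Broken Object Level Authorization and API6 Mass Assignment. Each vulnerable
handler sits next to a hardened one. The 'orders' records, the user names and
every function here are constructed for this illustration."""

from dataclasses import dataclass, field
from typing import Dict

# Constructed sample data: two orders owned by different users.
ORDERS: Dict[int, dict] = {
    101: {"id": 101, "owner": "alice", "total": 42.00},
    102: {"id": 102, "owner": "bob", "total": 999.00},
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object (HTTP 403)."""


@dataclass
class Request:
    user: str                              # principal set by the authentication layer
    body: dict = field(default_factory=dict)


# --- API1: Broken Object Level Authorization --------------------------------------
def get_order_vulnerable(req: Request, order_id: int) -> dict:
    # The caller is authenticated, but nothing checks that the order belongs to
    # them: any logged-in user can read any order by supplying another ID.
    return ORDERS[order_id]


def get_order_hardened(req: Request, order_id: int) -> dict:
    order = ORDERS.get(order_id)
    # Object-level check: the record must belong to the authenticated user.
    # Treating "missing" and "not yours" identically avoids confirming which
    # IDs exist.
    if order is None or order["owner"] != req.user:
        raise Forbidden(f"order {order_id} is not accessible to {req.user}")
    return order


def order_access_outcome(user: str, order_id: int) -> str:
    """'ok' or 'forbidden' for the hardened handler; convenient for testing."""
    try:
        get_order_hardened(Request(user), order_id)
        return "ok"
    except Forbidden:
        return "forbidden"


# --- API6: Mass Assignment -------------------------------------------------------
def update_profile_vulnerable(profile: dict, body: dict) -> dict:
    # Binds every key the client sent straight onto the stored record, so the
    # client can set fields it should never control, such as is_admin.
    updated = dict(profile)
    updated.update(body)
    return updated


UPDATABLE_FIELDS = {"email", "display_name"}   # explicit allow-list of client-writable fields


def update_profile_hardened(profile: dict, body: dict) -> dict:
    updated = dict(profile)
    # Only allow-listed fields are bound; everything else in the body is ignored
    # (a stricter API would reject the request instead of silently dropping keys).
    for key in UPDATABLE_FIELDS:
        if key in body:
            updated[key] = body[key]
    return updated


if __name__ == "__main__":
    print(order_access_outcome("alice", 101))   # ok
    print(order_access_outcome("alice", 102))   # forbidden
    profile = {"username": "alice", "email": "alice@example.com", "is_admin": False}
    print(update_profile_vulnerable(profile, {"is_admin": True})["is_admin"])   # True
    print(update_profile_hardened(profile, {"is_admin": True})["is_admin"])     # False
```

The hardened handlers are not exotic: one ownership comparison and one allow-list. The point is that neither check is something a gateway or WAF can do for you, because only the API knows who owns order 102 or which profile fields a client is entitled to write.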
Inside these topics, you are going to discover even more details that you need to be familiar with and understand.
- API Keys
- API Logging
- API Injections
- API Hackers
- Zero Trust APIs
- Shadow APIs
- API Access Control
- API Security Testing
- JWTs
- OAuth and OpenID Connect
- Identity and Access Management
- Multi-Factor Authentication
- API Observation
- API Threat Detection
- And more…
I will be covering all of these items in the OWASP API Security Top 10 list in detail in upcoming episodes of API Cybersecurity 101.
API Gateway
There are some key weapons that you can arm yourself with to defend your systems from attacks by API Hackers and intruders. The core of your API cybersecurity strategy is going to be an API Gateway. An API Gateway can provide protection against a lot of things including Denial of Service attacks. They can also provide API Monitoring, Logging, and API Rate Limiting. They can restrict traffic based on IP addresses and other metadata, handle security token validation, and much more. The API Gateway makes it easy to create, maintain, monitor, and secure your APIs.
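To make three of those gateway functions concrete (IP-based restriction, security token validation and rate limiting), here is a miniature gateway in Python. It is an added example, not code from this article or from any Software AG product; the signing key, the blocked network, the HMAC token format (a stand-in for JWT or OAuth tokens from a real identity provider) and the clock values are all constructed assumptions.

```python
"""Miniature of three checks an API Gateway performs in front of a service:
restricting traffic by client IP, validating a security token, and per-client
rate limiting. Everything here (key, networks, token format, clock values) is
constructed for the illustration; a real gateway would validate JWTs or OAuth
tokens issued by an identity provider rather than this HMAC stand-in."""

import base64
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed signing key; in practice this comes from a secret store, never source.
SIGNING_KEY = b"example-gateway-signing-key"

# Assumed deny-list; 203.0.113.0/24 is a documentation range used as a stand-in.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def issue_token(subject: str, expires_at: int) -> str:
    """Opaque bearer token: base64(payload) + '.' + HMAC-SHA256(payload)."""
    payload = f"{subject}|{expires_at}".encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token: str, now: float) -> Optional[str]:
    """Return the subject if the signature is valid and the token is unexpired."""
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
        subject, expires_at = payload.decode().split("|", 1)
        expires = int(expires_at)
    except ValueError:           # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, sig):
        return None
    if now >= expires:
        return None
    return subject


class TokenBucket:
    """Per-client token bucket: `capacity` burst, refilled at `refill_per_sec`."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._state: Dict[str, Tuple[float, float]] = {}   # client -> (tokens, last_ts)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self._state.get(client, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        if tokens < 1.0:
            self._state[client] = (tokens, now)
            return False
        self._state[client] = (tokens - 1.0, now)
        return True


@dataclass
class Request:
    client_ip: str
    token: Optional[str]
    path: str


def gateway(req: Request, limiter: TokenBucket, now: float) -> Tuple[int, str]:
    """Apply the gateway checks in order; return an HTTP-style status and reason."""
    # 1. IP restriction: drop traffic from denied networks before any other work.
    try:
        client_ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return 400, "malformed client address"
    if any(client_ip in net for net in BLOCKED_NETWORKS):
        return 403, "client IP is blocked"
    # 2. Token validation: unauthenticated or expired callers never reach the API.
    subject = verify_token(req.token or "", now)
    if subject is None:
        return 401, "invalid or expired token"
    # 3. Rate limiting keyed on the authenticated subject (real gateways usually
    #    also limit per IP so that unauthenticated floods are throttled).
    if not limiter.allow(subject, now):
        return 429, "rate limit exceeded"
    return 200, f"forwarded {req.path} for {subject}"


if __name__ == "__main__":
    limiter = TokenBucket(capacity=2, refill_per_sec=1.0)
    token = issue_token("alice", expires_at=2000)
    for t in (1000, 1000, 1000, 1001.5):
        print(gateway(Request("198.51.100.7", token, "/orders"), limiter, now=t))
    print(gateway(Request("203.0.113.9", token, "/orders"), limiter, now=1000))
```

The `now` parameter is passed in rather than read from the system clock so the behaviour is deterministic and testable; the third request at the same instant is throttled with 429, and half a second of refill later the same client is allowed through again.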
Web Application Firewalls (WAF)
A Web Application Firewall (or WAF) stands between the public traffic and your API Gateway or application. A WAF can give you some additional protection against things like bots by using security rules, machine learning, and sometimes, artificial intelligence. They can provide malicious bot detection, identify attack signatures, and provide additional IP Intelligence. A WAF can block bad traffic before it even reaches your Gateway.
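The rule-based part of that description (attack signatures and bot detection) looks roughly like the filter below when written out. This is an added example, not code from this article or from any WAF product; the rule set, the user-agent deny-list and the sample requests are constructed for the illustration and are far simpler than a commercial rule set.

```python
"""Signature-based inspection of the kind a WAF does before traffic reaches the
gateway: normalise the request, match it against attack-pattern rules and flag
obvious bad bots. The rules, requests and user-agent names here are constructed
for the illustration and are far simpler than a commercial rule set."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus


@dataclass
class HttpRequest:
    method: str
    target: str        # request path plus query string exactly as the client sent it
    user_agent: str


# Constructed rule set: (rule name, compiled pattern applied to the normalised target).
SIGNATURE_RULES = [
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)),
    ("sqli-comment", re.compile(r"(--|/\*)\s*$")),
]

# Constructed bot heuristic: an agent string on an assumed deny-list.
DENIED_AGENTS = re.compile(r"^ConstructedScanner/", re.IGNORECASE)


def normalise(target: str) -> str:
    # Decode twice so double-encoded payloads (e.g. %252e%252e%252f) are seen in
    # the same form as plain ones; matching only the raw bytes is an easy bypass.
    return unquote_plus(unquote_plus(target))


def inspect(req: HttpRequest) -> Optional[str]:
    """Return the name of the first rule that fires, or None if the request is clean."""
    if not req.user_agent.strip():
        return "missing-user-agent"
    if DENIED_AGENTS.search(req.user_agent):
        return "denied-user-agent"
    normalised = normalise(req.target)
    for name, pattern in SIGNATURE_RULES:
        if pattern.search(normalised):
            return name
    return None


def filter_traffic(requests: List[HttpRequest]) -> List[Tuple[str, str]]:
    """Run every request through inspect(); returns (target, 'forward' | 'block:<rule>')."""
    verdicts = []
    for req in requests:
        rule = inspect(req)
        verdicts.append((req.target, "forward" if rule is None else f"block:{rule}"))
    return verdicts


# Constructed sample traffic: one normal request and three that a WAF should stop.
SAMPLE_TRAFFIC = [
    HttpRequest("GET", "/api/v1/orders?id=17", "Mozilla/5.0"),
    HttpRequest("GET", "/api/v1/orders?id=17'%20OR%20'1'='1", "Mozilla/5.0"),
    HttpRequest("GET", "/api/v1/files?name=%252e%252e%252fetc%252fpasswd", "Mozilla/5.0"),
    HttpRequest("GET", "/api/v1/orders", "ConstructedScanner/0.1"),
]

if __name__ == "__main__":
    for target, verdict in filter_traffic(SAMPLE_TRAFFIC):
        print(f"{verdict:24} {target}")
```

The normalisation step is the part worth remembering: a signature engine that matches the raw, still-encoded request is bypassed by simply encoding the payload one more time, which is why real WAFs spend most of their effort on decoding and canonicalising input before any rule runs, and why signature matching alone is only a first layer rather than a substitute for the checks inside the gateway and the API itself.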
Standalone Security Products
Then there are also stand-alone security products. These products support features that can be broken down into categories such as real-time protection, static code and vulnerability scanning, build-time checking, and security fuzzing.
Many of the security products in the market will support features in some or all of these categories.
Security in Code
Last, we have security that is implemented internally to the API or applications themselves. I am not going to go into this very much in this article, but I will simply point out that the resources required to ensure all the security is properly implemented in your API code can be difficult to apply consistently across your entire API Portfolio.
Cybersecurity Precautions
With any security feature or product, it is important to remember that security is a moving target. You want to know that the product (or products) that you use will stay up-to-date in protecting you against the latest vulnerabilities.
But doesn’t an API Gateway implement “Security as a Feature”? Yes. And it is a critical part of your API Management security strategy. API Gateways integrate with and work well with standalone API security products and Web Application Firewalls to provide solid and comprehensive protection for your APIs. Leaving out the core part of your security strategy, such as an API Gateway, a component that probably knows more about your APIs and the context of your traffic than any other system, is a really bad idea.
If your only focus is on using Web Application Firewalls or external security products and you ignore (or misconfigure) the protection provided by your API Gateway security, you could be leaving yourself wide-open for an attack.
Don’t leave yourself vulnerable!
API Security Black Box?
All of this only reinforces the fact that there is not a one-size-fits-all solution for API Cybersecurity. You can’t just buy an “API Cyber Security black box” from Best Buy, plug it in, and suddenly everything is protected.
To implement a proper security solution for APIs, it is important to understand your APIs, the 3rd-Party APIs you use, and the functionality and value your APIs are adding to your organization. This will help you better grasp how API Security ties into integrations with your partners and users. API Security is still one area that will require you to spend some time and resources to ensure it is implemented (and CONTINUES to be implemented) correctly.
Security for API Integrations
When you are looking at your API ecosystem, don’t forget about API Integrations and the 3rd Party APIs that you will be integrating with. If these 3rd Party APIs or the integrations themselves are insecure, your data, internal systems, and APIs could be compromised. Using a solid API Integration solution (like Software AG’s webMethods.io) with a proven track record can not only protect your API Integrations but work seamlessly with your API Gateway platform.
API Cybersecurity 101
To better equip organizations and individuals to protect themselves and their APIs, we’ve created a new series called API Cybersecurity 101. The purpose of this series of videos and blog posts is to educate and equip everyone from developers to executives with the resources you need to shield and protect your APIs. You can check out our API Cybersecurity video series on YouTube on the API Shorts channel: https://youtube.com/apishorts
About Brenton House
Brenton House is Vice President of Digital Evangelism at Software AG. As an API and Digital Transformation Evangelist and Strategist, he has connected enterprises with API solutions and microservices, to help drive innovation and overall business growth for many organizations.
In his 25+ years of experience, he has worked across many industries including broadcasting, advertising, retail, financial services, supply chain, transportation, technology, and publishing — gaining a breadth of knowledge on all things APIs and Integrations. His diverse experience set and unique creative skill sets have enabled him to equip organizations in creating captivating and innovative products that delight users.
Check out some of our other resources to continue learning more about APIs and Integrations!
⭐ Software AG Blog ▪ https://blog.softwareag.com
⭐ API Knowledge Portal ▪ https://knowledge.softwareag.com
⭐ Software AG Tech Community ▪ https://techcommunity.softwareag.com/
🎬 Software AG YouTube Channel ▪ https://youtube.com/softwareag
🎬 Brenton House’s YouTube Channel ▪ https://youtube.com/brentonhouse
🎬 API Shorts YouTube Channel ▪ https://youtube.com/apishorts