API Cyber Security Explained!

Brenton House 🕵️‍♂️

Published in

Brenton House — Digital Strategist and Influencer

8 min readNov 1, 2021

Everything you need to know about API Security and Cybersecurity

So you think your APIs are secure?

You might want to take another look at your security.

APIs are everywhere and API Security is of the utmost importance for every organization. According to a recent Gartner CIO and Technical Executive survey, Cyber and Information security are at the top of the list for planned investments in 2022.

As someone who has spent my entire career in the world of APIs and Internet applications, I have seen first-hand the vulnerabilities that can exist with APIs.

This is part of the API Cybersecurity 101 series by Senior API Strategist, Brenton House.

What is API Security — API Cybersecurity 101 with Brenton House

So let’s start with the basics.

What is an API?

The acronym API stands for Application Programming Interface. Basically, it is non-human systems (or applications) that talk to each other in an agreed-upon way! Most often, people are talking about Web APIs, which includes things like REST, GraphQL, gRPC, SOAP, etc. The introduction of smartphones caused an exponential growth and adoption of APIs as pretty much every single mobile application uses APIs.

What is API Security?

The simple answer is that it is about applying and managing security for your APIs but we all know, there is nothing simple about API Cybersecurity.

In 1983, there was a movie called War Games that was released to theaters. You may have never heard of the movie but it was about a boy, David, played by Matthew Broderick, who hacks into NORAD’s Military Computer System and accidentally ALMOST starts World War III. The movie got the attention of the most powerful man in the world, at that time.

President Ronald Reagan — API Cybersecurity 101

According to journalist Fred Kaplan, After seeing a special screening of the movie “War Games”, then-President Ronald Reagan asked the U.S. Military Joint Chief of Staff if something like this could really happen. He asked, “Could someone just break into our most sensitive computers?” A week later, the General response was:

“The problem is much worse than you think.”

From that moment on, U.S. Cybersecurity and Defense policy would never be the same.

Fast forward almost 40 years and everyone with a smartphone has a computer more powerful than any supercomputer that existed at that time. YouTube is now full of free videos and training on how to code and become a serious developer (or a hacker). What that means is that almost anyone, from anywhere, in any country, could be trying to get into your APIs and systems TODAY. Everyone needs to be educated and prepared to defend against API attacks; malicious or not.

What most don’t understand is that API security starts with humans, not computers.

If someone puts their password on a sticky note attached to their monitor, it doesn’t matter how many security checks you do, how much security code you have in place, or what different security products you have installed.

There are, however, a lot of things that you can do to protect yourself and minimize damage from this and other forms of social hacking. We will be covering this in upcoming articles of our API Cybersecurity series.

OWASP Top 10 List for APIs

One thing you might have heard of and need to pay attention to is OWASP.

OWASP is the Open Web Application Security Project.

It’s an international non-profit organization dedicated to web application security.

What they are probably most well-known for is their re-occurring Top 10 list of Web Vulnerabilities.

But in addition to their lists of web vulnerabilities, they also came out with a Top 10 list for APIs. Now it is a few years old but all of these are still important factors to consider with your API Security.

The latest OWASP API Security Top 10 list includes:

API1:2019 Broken Object Level Authorization
API2:2019 Broken User Authentication
API3:2019 Excessive Data Exposure
API4:2019 Lack of Resources & Rate Limiting
API5:2019 Broken Function Level Authorization
API6:2019 Mass Assignment
API7:2019 Security Misconfiguration
API8:2019 Injection
API9:2019 Improper Assets Management
API10:2019 Insufficient Logging & Monitoring

Inside these topics, you are going to discover even more details that you need to be familiar with and understand.

API Keys
API Logging
API Injections
API Hackers
Zero Trust APIs
Shadow APIs
API Access Control
API Security Testing
JWTs
OAuth and OpenID Connect
Identity and Access Management
Multi-Factor Authentication
API Observation
API Threat Detection
And more…

I will be covering all of these items in the OWASP API Security Top 10 list in detail in upcoming episodes of API Cybersecurity 101.

API Gateway

There are some key weapons that you can arm yourself to defend your systems from attacks by API Hackers and intruders. The core to your API cybersecurity strategy is going to be an API Gateway. An API Gateway can provide protection against a lot of things including Denial of Service attacks. They can also provide API Monitoring, Logging, and API Rate Limiting. They can restrict traffic based on IP addresses and other metadata, handle security token validation, and much more. The API Gateway makes it easy to create, maintain, monitor, and secure your APIs.

Web Application Firewall (WAF) for API Cyber Security

Web Application Firewalls (WAF)

The Web Application Firewalls (or WAF) stands between the public traffic and your API Gateway or application. A WAF can give you some additional protection against things like bots by using security rules, machine learning, and sometimes, artificial intelligence. They can provide malicious bot detection, identify attack signatures, provide additional IP Intelligence. A WAF can block bad traffic before it even reaches your Gateway.

Standalone Security Products

Then there are also stand-alone security products. These products support features that can be broken down into categories such as real-time protection, static code and vulnerability scanning, build-time checking, and security fuzzing.

Many of the security products in the market will support features in some or all of these categories.

API Cybersecurity in JavaScript code Java .NET Go

Security in Code

Last, we have security that is implemented internally to the API or applications themselves. I am not going to go into this very much on this article but I will simply point out the resources required to ensure that all the security is properly implemented in your API code can be difficult to apply consistently across your entire API Portfolio.

Cybersecurity Precautions

With any security feature or product, it is important to remember that security is a moving target. You want to know that the product (or products) that you use will stay up-to-date in protecting you against the latest vulnerabilities.

But doesn’t an API Gateway implement “Security as a Feature”? Yes. And it is a critical part of your API Management security strategy. API Gateways integrate with and work well with standalone API security products and Web Application Firewalls to provide solid and comprehensive protection for your APIs. Leaving out the core part of your security strategy, such as an API Gateway, a component that probably knows more about your APIs and the context of your traffic than any other system, is a really bad idea.

If your only focus is on using Web Application Firewalls or external security products and you ignore (or misconfigure) the protection provided by your API Gateway security, you could be leaving yourself wide-open for an attack.

Don’t leave yourself vulnerable!

API Security Black Box?

All of this only reinforces the fact that there is not a one-size-fits-all solution for API Cybersecurity. You can’t just buy an “API Cyber Security black box” from Best Buy, plug it in, and suddenly everything is protected.

To implement a proper security solution for APIs, it is important to understand your APIs, the 3rd-Party APIs you use, and the functionality and value your APIs are adding to your organization. This will help you better grasp how API Security ties into integrations with your partners and users. API Security is still one area that will require you to spend some time and resources to ensure it is implemented, (and CONTINUES to be implemented) correctly.

Security for API Integrations

When you are looking at your API ecosystem, don’t forget about API Integrations and the 3rd Party APIs that you will be integrating with. If these 3rd Party APIs or the integrations themselves are insecure, your data, internal systems, and APIs could be compromised. Using a solid API Integration solution (like Software AG’s webMethods.io) with a proven track record can not only protect your API Integrations but work seamlessly with your API Gateway platform.

API Cybersecurity 101

To better equip organizations and individuals better protect themselves and their APIs, We’ve created a new series called API Cybersecurity 101. The purpose of this series of videos and blog posts is to educate and equip everyone from developers to executives with the resources you need to shield and protect your APIs. You can check out our API Cybersecurity video series on YouTube on the API Shorts channel: https://youtube.com/apishorts

About Brenton House

Brenton House is Vice President of Digital Evangelism at Software AG. As an API and Digital Transformation Evangelist and Strategist, he has connected enterprises with API solutions and microservices, to help drive innovation and overall business growth for many organizations.

In his 25+ years of experience, he has worked across many industries including broadcasting, advertising, retail, financial services, supply chain, transportation, technology, and publishing — gaining a breadth of knowledge on all things APIs and Integrations. His diverse experience set and unique creative skill sets have enabled him to equip organizations in creating captivating and innovative products that delight users.