The Absolute Musts of API Security

March 20, 2019
Jordan Griffith
Product Marketing Manager

As API adoption continues to increase, it is vital that you implement an API security strategy to handle the challenges introduced by these prime attack targets. But while IT and security teams accustomed to securing web applications have an arsenal of best practices to prevent, discover and mitigate threats at the application level, these approaches were not designed to detect or prevent attacks that exploit the unique vulnerabilities of individual APIs. 


So how do you know if your API security program has the necessary measures in place to stop this new category of threats? Consider the following questions:


  • Do you know about all APIs in your organization?
  • Are you able to track traffic on each API?
  • Can you detect anomalous behavior on each API?
  • Can you detect insider or external attacks on data and applications exposed via your APIs?
  • Do you know what clients are connecting to each API?
  • Can you perform detailed forensic or compliance reporting on each API?

If you answered “no” to any of these questions, it could indicate your organization’s API security plan is not enough and your APIs are vulnerable to attack. You need an effective API security strategy, one that builds off of traditional web application security practices but also includes measures to discover and stop threats specific to this new attack vector. 


To help you develop your API security strategy, Ping has compiled a foundation checklist of the “12 Things DevOps and IT Security Must Do to Protect APIs.” Below are four of the recommendations, which are expanded upon in this blog. 

#1 What you can’t see can hurt you, so find all your APIs

You can only protect what you know you have. Today, a major obstacle to IT and security teams implementing a comprehensive API security strategy is a lack of visibility into the APIs that are in their organization. Unfortunately, 51% of IT and security professionals are not confident that their security team knows about all of the APIs that exist in their organization.  


And, visibility shouldn’t be limited to the APIs that are accessed by partners or other third parties. You should also have knowledge of all internal APIs including those in development, production and testing, along with those legacy APIs left active for backward compatibility. Even APIs built for internal use only are at risk. Both insider attacks and bad actors that manage to breach your perimeter defenses through compromised credentials and other attacks represent threats to your internal APIs. Whether internal or external facing, all APIs can be taken advantage of and should be well secured. 


The importance of having complete awareness of all of the APIs in your organization is reinforced as the number of APIs increases at a rapid pace. Organizations today are responsible for more APIs than ever, with companies on average managing 363 APIs. As organizations are trending toward being API first, the probability increases that without the proper tracking mechanisms in place, APIs could be forgotten or accidentally exposed, leading to a possible breach.


You can prevent an API becoming a vulnerability by discovering all of the unknown APIs in your organization and cataloging known APIs. Use tools that can monitor traffic to find the APIs that your organization is using so your IT and security teams can protect your infrastructure. 

#2 - Always keep a close eye on your APIs

After you’ve made yourself aware of all of the APIs that are used in your organization, you’ll be in a better position to monitor APIs to detect suspicious behavior and block threats to your API infrastructure before they become breaches. Monitoring at the individual API level gives your organization the granularity to fully understand all of the activity around each API, including:

  • Who is accessing your API
  • How many times is your API being called in a period of time
  • Whether this behavior is normal

The last piece is essential, and your organization will need to understand what is considered “normal” or “anomalous” to be able to confidently respond. This relies on having enough traffic information on an API-by-API basis, because what is considered normal for one API might not be normal for another. For example, it could be normal for one API to be called 100 times in one minute, while that same traffic pattern could indicate a DDoS attack on a different API.  


It is important that your monitoring is detailed enough for your enterprise to understand what behavior is abnormal. Abnormal API behavior that is overlooked or undetected can mean a hacker can extend their access to your enterprise before you realize there has been a breach. By monitoring session and traffic information as part of an API security plan, your organization can collect data to be able to make these decisions. 


#3 - External API? Internal API? Doesn’t matter; they all need security

There are over 20,000 public APIs available for enterprises to consume to integrate applications and data. However, the traffic due to these APIs as found in a Netflix study contributed to less than 1% of total API traffic. The rest of the traffic is due to the hundreds of thousands of APIs that have been developed for internal or partner purposes only. 


Even though the majority of APIs are intended for internal use, however, this doesn’t lower the security threat they can pose to an enterprise. All APIs have the potential to become attack vectors, including public, private, partner, in development, testing and APIs for maintaining backward compatibility.  


Therefore, it is essential that both internal and external APIs comply with corporate API security policies. (Some organizations might be hesitant to apply security policies to internal APIs because they maintain the legacy assumption that what lives behind the firewall is safe, but this false sense of security could lead to a breach because supposed “good actors” might be bad actors in disguise.)


Engagement with IT and security teams is key in ensuring policy compliance, but a recent study showed that 27% of APIs proceed through development without IT security oversight. It is necessary to collaborate during the API development process to ensure that these teams know of the API’s existence and can properly assist you in implementing security measures. 

#4 - Have the latest technology on your side

Today’s hackers are leveraging the latest in artificial intelligence technology to plan and execute attacks on an organization’s vulnerable APIs. Current API security tools that IT and security teams use to prevent and detect cyberattacks on APIs can only partially defend an organization against these powerful technologies. API gateways, CDNs, WAFs and other traditional security measures provide foundational protection against threats with rate limiting, access control and network privacy settings—but these tools can fail to detect more granular attacks on APIs by hackers using stolen cookies, layer 7 DDoS attacks and data exfiltration or deletion. 


Take a page from the hacker’s playbook and enhance your current API security strategy by using artificial intelligence to discover, detect and disarm threats to your organization’s APIs. By using artificial intelligence, you can strengthen your API security practices with auto-discovery of all active APIs, modeling to determine if API behavior is abnormal and needs to be stopped, and detailed reporting for greater insight. Combine traditional API security practices with tools like PingIntelligence for APIs to use artificial intelligence to gain deep visibility into all API traffic, detect and block cyberattacks on APIs, and provide in-depth reporting on API activity.

Going beyond web app security

Clearly, relying on an API security strategy that is simply a “copy and paste” of a broadly applicable web application security strategy will not provide adequate protection against the sophisticated cyber attacks hackers employ today. To implement an effective API strategy, you must include measures that can meet the challenges of API security. 


To learn more about the specific steps your organization should take to ensure the security of your API infrastructure, download our checklist “12 Things DevOps & IT Security Must Do to Protect APIs.”