With more APIs in existence today than ever before due to huge growth in the API economy, especially in the financial, IoT, transportation, logistics, banking, health care and social networking sectors, API security has never been so imperative. Exposed interfaces can allow access to sensitive data, evidenced by recent API attacks on top tech firms and government agencies such as T-Mobile, USPS, Google and Facebook. As countless companies undergo waves of digital transformation, they struggle to not only lock down their APIs, but to feel confident in their API security after an API is exposed.
At Big Compass, we have seen and heard many instances where businesses want to first innovate, create new APIs, and expose key pieces of data—and then worry about security. But API security is paramount in the daily operation and success of an organization. Therefore, we always recommend taking the time to plan for security first and develop an API the right way from the inception of a project.
Three Steps to Improved API Protection
The phrase “it prevents a major headache later” has never been so real. Big Compass recommends a few key steps to protect your organization.
1. Plan To Have A Plan
Answering questions around a long-term plan and having a well-thought-out design around API security is crucial to long-term success regarding exposing APIs. Many questions should be answered before creating a new API, and here are a few that bubble up to the top of the list:
Who should have access to this API?
What type of security will be implemented?
Is there a long-term maintenance and inventory plan in place?
What is the plan if an API gets attacked?
Is there a plan if an API is breached?
2. Start With The Basics
After answering the above questions and solidifying a plan, make sure you have the basics covered. Too many malicious bots trawling the internet are programmed to scan for default ports, exposed usernames and passwords, access keys, private keys... and the list goes on. A few of the basics that should be covered are:
Monitoring and alerting for security anomalies
Encrypting data in motion using TLS and making sure a certificate management system is in place
Don’t leave your API exposed! Implement some form of security, such as:
Client and user authentication (OAuth, OpenID, FIDO2, MFA)
Structured content validation (schemas)
Rate limits and quotas
Security vulnerability review leveraging OWASP top-10 as a foundation
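To make the “structured content validation (schemas)” basic concrete, here is an added example in Python. It is not code from Big Compass, MuleSoft or Ping Identity; the schema, its field names and its limits are constructed for illustration. A real deployment would normally use a JSON Schema library or the gateway’s own validation policy, but the checks are the same: reject malformed bodies, unknown fields, wrong types and out-of-range values before the request reaches the backend.

```python
# Added example (not code from Big Compass, MuleSoft or Ping Identity): a small
# structured content validator. The schema below, its field names and limits
# are constructed for illustration.
import json
import re

# Constructed schema for a hypothetical transfer request. Every accepted field
# is listed with its type and limits; anything else is rejected, so unexpected
# keys never reach the backend.
TRANSFER_SCHEMA = {
    "required": ["account_id", "amount", "currency"],
    "properties": {
        "account_id": {"type": str, "pattern": r"^[A-Z0-9]{8,16}$"},
        "amount": {"type": (int, float), "minimum": 0.01, "maximum": 1_000_000},
        "currency": {"type": str, "enum": ["USD", "EUR", "GBP"]},
        "memo": {"type": str, "max_length": 140},
    },
}


def validate(payload, schema):
    """Return a list of validation errors; an empty list means the payload is acceptable."""
    errors = []
    props = schema["properties"]
    for name in schema["required"]:
        if name not in payload:
            errors.append(f"missing required field '{name}'")
    for name, value in payload.items():
        rule = props.get(name)
        if rule is None:
            errors.append(f"unexpected field '{name}'")
            continue
        # bool is a subclass of int in Python, so guard against true/false passing as numbers
        if (isinstance(value, bool) and rule["type"] is not bool) or not isinstance(value, rule["type"]):
            errors.append(f"field '{name}' has wrong type")
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"field '{name}' does not match required format")
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"field '{name}' not in allowed values")
        if "max_length" in rule and len(value) > rule["max_length"]:
            errors.append(f"field '{name}' exceeds {rule['max_length']} characters")
        if "minimum" in rule and value < rule["minimum"]:
            errors.append(f"field '{name}' below minimum")
        if "maximum" in rule and value > rule["maximum"]:
            errors.append(f"field '{name}' above maximum")
    return errors


def check_request(raw_body, schema=TRANSFER_SCHEMA):
    """Parse a raw request body and validate it; malformed JSON is itself an error."""
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    return validate(payload, schema)
```

The validator returns every error it finds rather than stopping at the first, which is useful for logging and for clients fixing their requests, but a gateway should still answer with a generic 400 and keep the detailed list in its own logs.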
3. Have Complete Maintenance and Documentation
How do you secure something you don’t know about? Make sure you carry out a plan to have well-documented APIs and stay current on assets such as certificates, the latest ciphers and authentication versions. This will also help you audit your API environments in the future.
A Comprehensive API Security Strategy
Defending against API threats also requires an overall strategy for designing, developing and securing an organization’s APIs across all environments. To protect organizations from the latest wave of cyberattacks aimed at the unique vulnerabilities of individual APIs, Ping Identity and MuleSoft have partnered to provide one such solution.
MuleSoft Anypoint Platform API Security
API Manager is MuleSoft’s offering that allows apps running on the Mule runtime to enforce security policies and implement API management. In API Manager you can register new applications to gain access to a private API, provision security policies, enforce SLA management on an API, monitor and report on an API, and much more. Once an application is connected to API Manager, the Mule runtime securely communicates with API Manager to retrieve policies and report analytical data for secure consumption.
API Manager is an excellent tool to implement the following security policies, and there are many more to help protect an API along with the ability to implement custom policies.
Client ID enforcement – Only allow a set of known, registered clients access to your API
OAuth 2.0 access token enforcement using external provider – enforces and validates OAuth 2.0 tokens issued by an external provider
IP whitelist – whitelist an IP address or range of IP addresses
IP blacklist – blacklist an IP address or range of IP addresses
JSON threat protection – detects and protects against malicious JSON
XML threat protection – detects and protects against malicious XML
Rate limiting – SLA based rate limiting that does not allow requests beyond the maximum allocated per time period
Throttling – SLA based throttling that queues requests beyond the maximum allocated per time period
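To show what these policies do when chained, here is an added Python example. It is not MuleSoft API Manager code and does not reproduce its configuration; it is a small policy chain in the spirit of the list above, covering client ID enforcement, IP allow/deny lists, JSON threat protection, SLA-based rate limiting and SLA-based throttling. The client registry, SLA tiers, IP ranges, JSON limits and requests are all constructed for illustration; the point is the order of the checks and the difference between rejecting and queuing excess requests.

```python
# Added example, not MuleSoft API Manager code: a small policy chain in the
# spirit of the policies listed above. The client registry, SLA tiers, IP
# lists, JSON limits and requests are all constructed for illustration.
import ipaddress
import json
from collections import deque

# Constructed client registry (client_id -> SLA tier); client ID enforcement
# admits only these. SLA_LIMITS is requests allowed per fixed window.
REGISTERED_CLIENTS = {"mobile-app": "gold", "partner-batch": "silver"}
SLA_LIMITS = {"gold": 5, "silver": 2}
WINDOW_SECONDS = 60

# Constructed allow/deny lists (an RFC 1918 range and an RFC 5737 documentation range).
IP_ALLOW = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
IP_DENY = [ipaddress.ip_network("203.0.113.99/32")]

# Constructed JSON threat-protection limits.
MAX_DEPTH, MAX_ARRAY_ELEMENTS, MAX_STRING_LENGTH = 4, 50, 256


def ip_permitted(addr):
    """Deny list wins over allow list; an address on neither list is refused."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in IP_DENY):
        return False
    return any(ip in net for net in IP_ALLOW)


def json_threat_check(value, depth=1):
    """Walk a parsed body; return the first limit it breaks, or None if clean."""
    if depth > MAX_DEPTH:
        return "nesting depth exceeded"
    if isinstance(value, dict):
        children = list(value.values())
    elif isinstance(value, list):
        if len(value) > MAX_ARRAY_ELEMENTS:
            return "array too large"
        children = value
    else:
        if isinstance(value, str) and len(value) > MAX_STRING_LENGTH:
            return "string too long"
        return None
    for child in children:
        problem = json_threat_check(child, depth + 1)
        if problem:
            return problem
    return None


class RateLimiter:
    """Fixed-window counter per client; requests beyond the SLA limit are rejected."""

    def __init__(self):
        self.windows = {}  # client_id -> (window_start, count)

    def allow(self, client_id, now):
        limit = SLA_LIMITS[REGISTERED_CLIENTS[client_id]]
        start, count = self.windows.get(client_id, (now, 0))
        if now - start >= WINDOW_SECONDS:  # a new window starts, reset the counter
            start, count = now, 0
        if count >= limit:
            self.windows[client_id] = (start, count)
            return False
        self.windows[client_id] = (start, count + 1)
        return True


class Throttler:
    """Same limit, but excess requests wait in a bounded per-client queue and are
    forwarded when the window opens again; only an overflowing queue is refused."""

    def __init__(self, max_queue=10):
        self.limiter, self.queues, self.max_queue = RateLimiter(), {}, max_queue

    def drain(self, client_id, now):
        """Forward queued requests as the limit allows; returns the ids sent."""
        queue, sent = self.queues.setdefault(client_id, deque()), []
        while queue and self.limiter.allow(client_id, now):
            sent.append(queue.popleft())
        return sent

    def submit(self, client_id, request_id, now):
        self.drain(client_id, now)
        queue = self.queues[client_id]
        if not queue and self.limiter.allow(client_id, now):
            return "forwarded"
        if len(queue) >= self.max_queue:
            return "rejected"
        queue.append(request_id)
        return "queued"


def enforce(request, limiter):
    """Apply the policies in order and return (status, reason) for the request."""
    client_id = request.get("client_id")
    if client_id not in REGISTERED_CLIENTS:
        return 401, "client id not registered"
    if not ip_permitted(request["source_ip"]):
        return 403, "source address not permitted"
    try:
        body = json.loads(request["body"])
    except ValueError:
        return 400, "malformed JSON"
    problem = json_threat_check(body)
    if problem:
        return 400, problem
    if not limiter.allow(client_id, request["time"]):
        return 429, "rate limit exceeded"
    return 200, "forwarded to backend"
```

The cheap identity and network checks run first so that unregistered or blocked callers never cost a JSON parse, and the threat-protection walk runs before the rate limiter so that a single oversized body is refused outright rather than counted against the client’s quota. The throttler’s queue is per client and first-in, first-out; a production gateway would also expire queued requests after a timeout, which this example leaves out.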
PingIntelligence For APIs
Are you prepared to detect and prevent an attack where an OAuth token gets hijacked or a set of credentials is exposed and used on an API as if it were valid account access? When a breach occurs, how do you trace the extent of the damage? This is where PingIntelligence for APIs comes into play. PingIntelligence is complementary to API Gateways and web application firewalls (WAFs). With PingIntelligence’s self-learning AI technology sitting alongside APIs and/or WAFs, PingIntelligence protects and reports on the API infrastructure in the following ways:
Deep API visibility – Discover APIs across environments and monitor all API activity
Automated threat detection and blocking – Detect, prevent and block advanced API attacks across clouds that would normally slide under the radar
Self-learning – Using a powerful AI engine, PingIntelligence models expected behavior of each API across environments to detect attacks
Reporting – Metrics gathered on APIs can be reported on with detailed audit trails at massive scale, and more importantly, attacks can be identified quickly and easily
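The hijacked-token scenario raised above is, at its simplest, a behavioural-baseline problem: a token that is valid but suddenly used from a new address, against endpoints it never touched, at a rate far above its history. As an added illustration of that idea (this is not PingIntelligence’s engine or any part of its product, and makes no claim about how it models behaviour), the Python below learns a per-token baseline from constructed access-log lines and scores live traffic against it. The log format, the three features (endpoints, source addresses, peak requests per window) and the burst threshold are assumptions for the example.

```python
# Added example (not PingIntelligence code): a toy per-token behavioural
# baseline. Log lines, feature choices and the burst threshold are constructed
# assumptions for illustration.
from collections import defaultdict

# Constructed access-log lines: timestamp, token id, source ip, method, path.
TRAINING_LOG = """\
1000 tok-a 10.0.0.5 GET /v1/accounts/me
1005 tok-a 10.0.0.5 GET /v1/accounts/me/transactions
1010 tok-a 10.0.0.5 GET /v1/accounts/me
1100 tok-b 10.0.0.7 POST /v1/transfers
1160 tok-b 10.0.0.7 GET /v1/accounts/me
"""

# Constructed live traffic: tok-a suddenly appears from a new address, hits an
# endpoint it never used, and bursts; tok-c was never seen during training.
LIVE_LOG = "\n".join(
    ["2000 tok-a 10.0.0.5 GET /v1/accounts/me"]
    + [f"{2001 + i} tok-a 198.51.100.9 GET /v1/accounts/me/statements" for i in range(10)]
    + ["2020 tok-c 10.0.0.9 GET /v1/accounts/me"]
)

WINDOW_SECONDS = 60
BURST_FACTOR = 3  # assumption: flag when one window holds > 3x the trained peak


def parse(log):
    """Turn log text into records; assumes paths are already templated (no raw ids)."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, token, ip, method, path = line.split()
        records.append({"ts": int(ts), "token": token, "ip": ip, "method": method, "path": path})
    return records


def build_baseline(records):
    """Per token: endpoints used, source addresses seen, peak requests per window."""
    baseline = defaultdict(lambda: {"endpoints": set(), "ips": set(), "peak_rate": 0})
    windows = defaultdict(int)
    for r in records:
        b = baseline[r["token"]]
        b["endpoints"].add((r["method"], r["path"]))
        b["ips"].add(r["ip"])
        key = (r["token"], r["ts"] // WINDOW_SECONDS)
        windows[key] += 1
        b["peak_rate"] = max(b["peak_rate"], windows[key])
    return baseline


def score(records, baseline):
    """Return {token: sorted reasons} for tokens whose live traffic departs from baseline."""
    alerts = defaultdict(set)
    windows = defaultdict(int)
    for r in records:
        token = r["token"]
        b = baseline.get(token)
        if b is None:
            alerts[token].add("token never seen in training")
            continue
        if (r["method"], r["path"]) not in b["endpoints"]:
            alerts[token].add(f"new endpoint {r['method']} {r['path']}")
        if r["ip"] not in b["ips"]:
            alerts[token].add(f"new source ip {r['ip']}")
        key = (token, r["ts"] // WINDOW_SECONDS)
        windows[key] += 1
        if windows[key] > BURST_FACTOR * max(b["peak_rate"], 1):
            alerts[token].add("request burst")
    return {t: sorted(rs) for t, rs in alerts.items()}
```

Each reason on its own is weak evidence (users travel, products ship new endpoints), which is why a real engine weighs several signals together and keeps refining the baseline; the value of the toy is that it makes visible what “expected behaviour of each API” has to mean before any detection is possible.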
MuleSoft + PingIntelligence
The powerful combination of MuleSoft and PingIntelligence not only provides peace of mind, it provides state-of-the-art protection and insight into APIs in any environment. MuleSoft’s Anypoint Platform API Manager does an excellent job of securing an API against known OWASP top 10 attacks. With the addition of PingIntelligence’s AI engine sitting alongside MuleSoft APIs, advanced and authenticated attacks beyond the OWASP top 10 are detected, reported on, and blocked. MuleSoft APIs and PingIntelligence are better together because the combination completes a total lockdown of an API environment with coverage of known OWASP top 10 attacks from MuleSoft and a last line of defense against unknown sophisticated breaches and API abuse from PingIntelligence.
It is simple and straightforward to start using PingIntelligence with MuleSoft APIs. As detailed in the documentation, the steps are as follows:
Install and configure PingIntelligence software
Install custom PingIntelligence policy on MuleSoft’s Anypoint Platform API Manager (policy provided by PingIntelligence)
Apply the PingIntelligence policy on an API in Anypoint Platform API Manager
Train and discover APIs across environments using PingIntelligence ASE and ABS
Forging a Path for Digital Transformation
Digital transformation is at the forefront of almost every modern company’s roadmap. To be confident in your digital transformation initiatives, you need a strategy that includes robust API attack protection. Learn more about leveraging identity and intelligent cybersecurity for API data security.
About Big Compass
Big Compass helps some of the largest companies in the world get information where it needs to be, enabling valuable insights and driving competitive advantage for customers. We do this differently. We solve complex integration, data, and cloud problems by understanding our customers’ goals and technology challenges to see beyond the expected and imagine what’s possible. We then take the most straightforward path to an elegant solution. Big Compass builds a community of independently minded professionals who go above and beyond to build meaningful connections with the people and clients that surround us. Because we do, we develop strong bonds with our clients and, at the same time, we attract digital mavericks to our team of problem solvers.