Organizations that experience a data breach can suffer reputational damage and a public relations nightmare. With new regulations such as GDPR, massive fines are added to the mix of consequences. Protecting against such breaches, therefore, is top of mind for today’s digital businesses, and the growth of APIs has made them a primary focus.
The objective of API security is twofold: You seek to prevent data breaches flowing through the API, as well as disruptions to its own operation. An application’s APIs are not the only logical components targeted in a sophisticated data breach, but for most applications, the API is the channel through which data flows.
This applies to mobile apps and web apps alike. Consider the many incident reports that mention compromised access tokens: attackers present those tokens to an API in order to access data they are not entitled to. Even if your API is not productized in any way, it is an attacker’s most attractive attack vector and the likely starting point of an attack plan.
This article reflects on 16 years of experience implementing API security at various enterprises. By sharing lessons learned from notorious hacks and exploring the prospect of emerging security patterns leveraging machine learning, it aims to show you how to shore up your API security and help prevent costly data breaches.
NOTE: REST APIs show up everywhere in your architecture, but this article focuses on measures that need to be applied to your first-line API, the one used by the user-facing app. You are as secure as your weakest component, however, and security best practice needs to be applied at all layers of your application. For example, if you fail to properly secure your MongoDB or Elasticsearch backend running on a public cloud, your associated first-line API security measures will count for little.