Application programming interfaces (APIs) are an increasing security concern for operating systems, applications and websites. They have helped many businesses increase their value, hence their rise in popularity, but the adequacy of the security measures protecting the businesses that rely on them is in question.
This issue has also drawn the attention of the global non-profit Open Web Application Security Project (OWASP), which is committed to improving software security and makes it a primary mission to make software security visible. The organisation publishes a Top 10 list that organisations apply as a baseline in their security policies across platforms. The most recent list presents notable changes that reflect this rise, with a focus on how APIs can both help and hinder security efforts.
Why is API security important?
APIs contain programming standards, instructions, and protocols that allow two applications to communicate with one another. Essentially, APIs serve as a bridge that ensures proper and consistent communication between two systems.
Millions of applications communicate back and forth every day, which is why API security is a crucial part of API development. With the cloud API market predicted to grow at a 20% CAGR by 2022, and the cyber threat landscape steadily expanding, it is easy to see why companies must develop and implement thorough API security measures.
While most APIs have some governance in the form of management tools, thought also needs to go into the design of the API itself and into formulating controls that can be implemented across the organisation.
Improving your organisation’s security
Systems that host public APIs must handle heavy traffic loads every day. Most of that traffic is legitimate, but some of it is not. The best way to protect the system without burdening legitimate users is to evaluate client behaviour and single out the potentially problematic traffic.
API security works the same way, using rules and algorithms that evaluate client sessions. These ask simple questions about how clients are behaving: what they are doing, whether their error rates are unusual, and whether the same behaviour repeats within short periods of time.
Automated mechanisms are often used to answer these questions and to identify and deter malicious API client behaviour. Standard web defences typically do not work well for APIs, because attackers continuously develop new methods. They know that a standard DDoS attack does not work against such systems, so they distribute their attempts across bots that blend in with legitimate traffic in order to slip through undetected.
Finding these bad apples requires a machine learning-based system that understands API traffic thoroughly: the API keys and access tokens in use, and what the typical request context looks like for any payload.
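As an added illustration (not code from the original article), the session check described above in its simplest form: a per-client sliding-window scan of constructed API access log lines that flags an API key when its error rate, or the repetition of one identical call, crosses a threshold. The log format, key names and threshold values are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample API access log (not from any real system), one request
# per line: "<ISO timestamp> <api key id> <method> <path> <status>"
SAMPLE_LOG = """\
2024-03-01T10:00:00Z key_alpha GET /v1/orders 200
2024-03-01T10:00:04Z key_alpha GET /v1/orders/42 200
2024-03-01T10:00:00Z key_beta GET /v1/users/1 403
2024-03-01T10:00:00Z key_beta GET /v1/users/2 403
2024-03-01T10:00:01Z key_beta GET /v1/users/3 403
2024-03-01T10:00:02Z key_beta GET /v1/users/4 200
2024-03-01T10:00:00Z key_gamma POST /v1/login 200
2024-03-01T10:00:00Z key_gamma POST /v1/login 200
2024-03-01T10:00:01Z key_gamma POST /v1/login 200
2024-03-01T10:00:01Z key_gamma POST /v1/login 200
2024-03-01T10:00:02Z key_gamma POST /v1/login 200
"""

WINDOW_SECONDS = 10    # sliding window over which each client is judged (assumed)
MIN_REQUESTS = 4       # fewer requests than this in a window proves nothing
MAX_ERROR_RATE = 0.5   # share of 4xx/5xx responses considered unusual (assumed)
MAX_REPEATS = 4        # identical method+path calls tolerated per window (assumed)

def score_clients(log_text):
    """Return {api key: [reasons]} for clients whose session looks abnormal."""
    sessions = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, key, method, path, status = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        sessions[key].append((ts, method, path, int(status)))
    findings = {}
    for key, events in sessions.items():
        events.sort()
        for i, (start, _, _, _) in enumerate(events):
            # every request by this client within WINDOW_SECONDS of `start`
            window = [e for e in events[i:] if (e[0] - start).total_seconds() < WINDOW_SECONDS]
            if len(window) < MIN_REQUESTS:
                continue
            reasons = []
            errors = sum(1 for e in window if e[3] >= 400)
            if errors / len(window) > MAX_ERROR_RATE:
                reasons.append("high error rate")
            if Counter((e[1], e[2]) for e in window).most_common(1)[0][1] > MAX_REPEATS:
                reasons.append("repetitive calls")
            if reasons:
                findings[key] = reasons
                break  # one finding per client is enough for triage
    return findings
```

On the constructed log, key_beta is flagged for its error rate and key_gamma for hammering one endpoint, while key_alpha stays below the minimum request count and is left alone.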
What you can do right now
There are several actions you can take immediately to protect your system from potentially damaging attacks. Start by using HTTPS, if you are not already, so that authentication and authorisation exchanges are protected in transit. Then adjust your Software Development Life Cycle (SDLC) to include rigorous API security testing and validation, focusing primarily on input validation.
Also make sure that all servers run on stable, regularly patched OS versions with carefully configured security groups. Role-based access control and VPC isolation between environments also help prevent attacks and improve the response when one occurs.
Finally, a pre-documented incident response policy will help your company establish a secure development environment that is properly maintained at all times.
Routine API audits and testing will help you continually improve API development and keep your web services protected against DDoS attacks and malicious bots, without sacrificing the experience of legitimate API clients. These techniques will help you validate API requests, determine which ones are legitimate, and reduce or completely eliminate API attacks.