The importance of API security is something that can’t be understated.
As businesses continue to leverage this technology — the average number of APIs per customer increased by 82% between 2021 and 2022 — they’re also opening themselves up to potential threats. Since the API ecosystem is so complex and varied, and traditional security models don’t effectively protect APIs, cybercriminals are enhancing their efforts to compromise them. In 2022, API attack traffic grew 117% in a year, and it hasn’t stopped there.
The motivating factors behind these attacks are varied. They include access to sensitive data that can be sold on the dark web, the possibility for ransom or extortion, espionage, and more. What’s also varied is the type of attacks being conducted. Because of the dynamic nature of APIs, many potential vulnerabilities can be exploited, including business logic gaps, broken authorization, distributed denial of service (DDoS) attacks, excessive data exposure, and security misconfigurations, to name a few.
So, what can businesses do to protect themselves? As we dive into a new year, here are five API security best practices for you to prioritize in 2023.
1. Strong API authentication and authorization
One of the biggest vulnerability factors in API Security is the lack of robust authentication and authorization methods. This makes it much easier for unauthorized users to access the API. Since APIs are often the entryway to sensitive information databases, strong authorization, and authentication functionality is critical.
Authentication and authorization are two functions that work together to ensure that the right individuals have access to the right information at the right time. Whereas authentication verifies the user’s identity, authorization verifies the user’s permission to access something. Authentication is typically deployed as part of an identity and access management (IAM) solution. Meanwhile, authorization can be executed via a token-based approach that uses a centralized OAuth server to issue tokens.
Let’s explore tokens a little further — you’ll find they’re an important part of the puzzle of API security for 2023. As indicated above, use a centralized OAuth server to issue tokens. An OAuth server can analyze client information and verify credentials to validate the legitimacy of clients or data accessing the API endpoints.
Other best practices include the following:
- Adopt tokens to confirm identities and authorize access to data and resources.
- Use JSON Web Tokens (JWTs) as access and refresh tokens — but only use them internally.
- For external or public clients, use opaque tokens. These can be created with techniques such as phantom token or split token patterns.
- Always verify incoming JWTs.
- Set up your API so that access is strictly verified and there are no opportunities for exploitation.
Pro tip: don’t try to reinvent the wheel here. Many resources and subject matter experts cover token technology and share best practices for adopting it appropriately.
APIs are particularly susceptible to DDoS attacks as they can be easily overwhelmed with excessive traffic of malformed HTTP requests. Rate limiting and API throttling are two methods that can help control the volume of requests made to a specific API and eliminate the risk of excessive data exposure — a valuable set of techniques as teams bolster their API security in 2023.
Rate limiting caps the number of requests a user can make within a given time period. On the other hand, API throttling limits the number of requests an API can process in a given time period. Used together, security teams can ensure that their API does not become overloaded with requests, which could impede its performance.
Zero Trust has rapidly become a staple of the cybersecurity and identity management spaces, and it can play a useful role in setting a framework for API security. The principal idea behind Zero Trust is that no user can be trusted. In other words, every user, access request, or communication should be fully verified — regardless of how often they access the API.
This can play out in several ways. For example, under a Zero Trust model, users accessing the API should always be authenticated and authorized. Authentication should be continuous to ensure that a user’s account hasn’t been compromised. In addition, organizations should use discretion in determining who really needs access to the API and establish authorization policies accordingly. Similarly, teams should follow the Zero Trust tradition of least privilege access and set clear parameters around what data is shared through each API.
Centralized visibility is another important feature of strong API security. In 2023, security teams should have a clear picture of their company’s API environment and the ability to identify shadow, zombie, and rogue APIs quickly. This requires continuous monitoring with an API runtime security platform and a regular cadence for auditing the status of every API. This will help identify problem areas and shed light on APIs being used in ways they shouldn’t, such as an internal API with access to corporate data integrated with an external application.
Note that the priority for your auditing programs should be APIs that process high volumes of data and complex authentication processes.
API security is a top priority for CISOs in 2023, so it should be. As your business continues to scale and develop by leveraging the API ecosystem, consider these five best practices to enhance your API security posture further.
Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well-suited for writing in the cybersecurity space. She is also a regular writer for Bora.