Blog

What is API Security?

April 30, 2024 | 8 MIN READ

by Jeff Harrell

A stylized depiction of the API lifecycle.

API Security: Securing the Building Blocks of Our Interconnected World

Today’s world is software-driven and widely interconnected. From banking to social media, that software communicates through an intricate web of application programming interfaces (APIs). They are particularly crucial in creating links between online services, allowing for the rapid development and deployment of new applications, and enabling existing systems to expand their functionality with minimal changes. No matter an organization’s size or industry, it’s assuredly running numerous – often thousands – of APIs.

An API is a set of rules and protocols for building and interacting with software applications. It defines the methods and data formats that developers use when programming software components to interact with each other. Essentially, APIs allow different pieces of software to connect and communicate with each other without needing to know how they’re implemented. This abstraction enables developers to build complex systems more efficiently and makes it easier to integrate disparate systems.

This article discusses the following themes:

APIs have become the core communication method for today’s internet-connected systems. A recent report revealed that over 50% of dynamic internet traffic1 came from APIs. They are used to connect user-facing applications with back-end systems, internal applications to each other, and even to external organizations. APIs are well-documented and easy to use portals to the organization’s network and its critical customer and company data, which make them a common target of attack. If an API is compromised, the data accessible by that API – whether it be financial information, customer details, or other sensitive data – is at risk.

The security of APIs is essential not only for safeguarding sensitive information but also for ensuring that the services provided by APIs remain reliable and available. Effective API security controls prevent unauthorized access and data breaches, which are critical in maintaining user trust and compliance with data protection regulations.

Users typically interact directly with applications, while APIs are utilized behind the scenes for software-to-software connections. Application security protects the application itself, while API security focuses on APIs and their transactions with other APIs.

Applications used to be the primary entry point to an organization and its data, but the proliferation of APIs has added a new attack surface that attackers can exploit. While attackers may previously have focused on applications, they now often attack the underlying APIs directly. This has required organizations to employ API security controls in addition to the application security tools and processes they likely already had in place.

The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to improving software security. It produces security reference frameworks of categorized security risks intended to be baseline security controls for application security practitioners to follow. One of the most well-known is the OWASP Application Security Top 10. It is a testament to the importance of APIs and their protection that OWASP now maintains a separate API Security Top 10 to help guide best practices.

The most recent version of the OWASP API Security Top 10 was released in 2023 and includes the following categories. As you can see, the risks are quite broad – security practitioners have their work cut out for them.

  1. API1:2023 – Broken Object Level Authorization
  2. API2:2023 – Broken Authentication
  3. API3:2023 – Broken Object Property Level Authorization
  4. API4:2023 – Unrestricted Resource Consumption
  5. API5:2023 – Broken Function Level Authorization
  6. API6:2023 – Unrestricted Access to Sensitive Business Flows
  7. API7:2023 – Server-Side Request Forgery
  8. API8:2023 – Security Misconfiguration
  9. API9:2023 – Improper Inventory Management
  10. API10:2023 – Unsafe Consumption of APIs

We’ve also written a deep dive into the OWASP API Security Top 10 if you’d like more detail.

There are several types of APIs developed over the years for different types of data and transactions. Some of the most common include:

  • SOAP – a mature, XML-based API architecture used when security and reliability are important, such as in financial services. It’s also complex and verbose and perhaps not an ideal choice when speed is a factor.
  • REST – an architecture built on top of HTTP methods that is widely-used by web services such as YouTube. It’s easy to implement, but not the best API to use for real-time data.
  • GraphQL – originally developed by Facebook, it allows clients to ask for specific data, eliminating over- or under-fetching. It’s fast and efficient, making it an excellent choice for applications with granular data requirements.
  • gRPC – a modern, high-performance architecture ideal for microservices.

APIs are designed for software to interact with other software, with no user interface or front-end. This means traditional forms of web and application security such as a Web Application Firewall (WAF) or API gateway.

  • Web Application Firewalls: As the name implies, WAFs focus on protecting the web applications themselves, not necessarily the underlying APIs. WAFs are still an important complementary part of a security program but shouldn’t be relied upon to protect APIs.
  • API Gateways: API gateways help organizations aggregate and manage APIs and provide basic security functions such as rate limiting and IP blocking. However, security is not their main function, and they are not a complete API security solution.

Every organization has different priorities when it comes to API security, but it’s important to view it holistically and address the full API lifecycle, from development to production. API security best practices include:

  • API attack surface discovery: What does a potential attacker see when they scan for potential APIs? API attack surface discovery can discover accidental and unknown exposure of APIs and related resources.
  • API inventory and risk assessment: Cataloging APIs goes beyond external attack surface discovery and can be a revelation for a security team, revealing just how many internal and external APIs exist across an organization. The inventory should determine not just which APIs are in use, but what department owns each one, and whether there are any known risks associated with them. Inventory and risk assessment should also be done continually to identify and assess new APIs as they come online.
  • API threat detection: There are numerous ways for attackers to take advantage of weak API authentication or any other API vulnerability. A good detection process will scan for business logic abuses, data leaks, and other common attack types.
  • API attack response: Controls should be in place to detect API attacks and general API abuse. Any API, even one that is coded perfectly, can be subject to an attack. Appropriate responses include mitigation such as logging, alerting, and blocking. Blocking should ideally be done natively, without relying on an external, third-party product that may not be able to handle the load that a full-on attack typically creates.
  • Pre-production and runtime application security testing: API security testing should be part of the DevOps process as part of a “shift left, shield right” strategy to ensure that APIs are secure prior to deployment, and stay that way after implementation.

No matter your industry or the size of your organization, there’s a good chance your level of API usage deserves a comprehensive response. Anything less could leave your vital applications and sensitive data vulnerable, as API attacks aren’t slowing down.

Malicious bots, or automated attack software, are one of the biggest threats to APIs, but bots can attack applications as well, so they’re not an API-only problem. However, bots are a major attack vehicle for APIs and a good API security program must include bot management. Common bot attacks include:

  • Account takeovers (ATO)
  • Fake account creation
  • Distributed denial of service (DDoS)
  • Gift card or loyalty program abuse

Many of today’s bot management solutions require client- or server-side code changes or are unable to handle the scale of today’s distributed bot attacks, so a successful API security and bot management program needs a solution that pushes beyond those boundaries. You can read more about bot management here.

It may seem daunting, but getting started with API security is best done by breaking it down into steps. Start by doing a lightweight, outside-in assessment of your public-facing APIs so you can see what an attacker would see. Then you can move on to full API discovery and inventory, protection, and security testing. A very low friction way to get started is with Cequence’s free API security assessment. Give it a try and take the first step on your API security journey.

Jeff Harrell

Author

Jeff Harrell

Director of product marketing

Jeff Harrell is the director of product marketing at Cequnce and has over 20 years of experience in the cybersecurity field. He previously held roles at McAfee, PGP, Qualys, and nCircle, and co-founded the company that created the first commercial ad blocker.

Related Articles