API Security Best Practices: Top Defenses to Avoid Critical Security Threats

Kevin McAbee, Field CTO

Most businesses have been hearing it for some time now: APIs are the future, APIs are the way to go, APIs or bust. The main purpose of leveraging APIs is to allow other technology systems within your business and third-party vendors to access your data and generate business logic that is utilized for generating revenue, serving customers, and much more.

What many businesses don’t know though is that API security is an essential and mandatory part of securing critical information, whether that’s financials, personal employee data, client data, and customer data. This is important because whether you are opening, sharing, changing, or pulling sensitive data, you are leaving your business wide open to security breaches.

So whenever you have all of your APIs open and available, there are immediate measures you must take to limit unwanted access to your data. Here are the top three basic API security measures you must take for threat defense.

Top 3 API Security Basics for Threat Defense

1. Two-way Encrypted Communication

To prevent “man-in-the-middle” attacks, communications must be encrypted in both directions. If only one direction is encrypted, it is easy for an attacker to observe data moving back and forth or to compromise routers along the path. The key is to make sure that whenever you are talking, even before passing credentials, you are doing so over a protected channel. That means having SSL (Secure Sockets Layer) or TLS (Transport Layer Security) in place and using HTTPS (Hypertext Transfer Protocol Secure).

2. Authentication and Authorization

Once your communication is encrypted, you have a safe way to receive and share sensitive data such as usernames, passwords, client IDs, and secret tokens. Authentication is only the first step: it is where the caller presents proper credentials and a password more complicated than “password.” Authentication is great, but authorization is just as key, and it is the check many businesses fail to perform.

Many companies know which individuals should have access to certain data, but are their APIs checking for the same? Is the data read-only? Can changes be made? Can data be shared? Are the right people the only ones who can do all of the above? The last thing a company needs is open access for every employee or third party, no matter what level they are at. To prevent this, there must be proper authorization: every request must be checked for who the caller is, what action they are requesting, and which record they are requesting it on.
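The authorization check described above, as an added example that is not part of the original article: a simulated API handler that authenticates a caller (the `User` object) and then separately decides, per record and per action, whether that caller may read, update, or share it. The users, roles, records, and policy table are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class User:
    user_id: str
    role: str          # "customer", "support", or "admin" (constructed roles)

@dataclass(frozen=True)
class Record:
    record_id: str
    owner_id: str
    data: str

# Actions a caller may request against a record.
READ, UPDATE, SHARE = "read", "update", "share"

# What each role may do to records it does NOT own. Customers get nothing
# here: they may only act on their own records (owner check below).
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "customer": set(),
    "support": {READ},
    "admin": {READ, UPDATE, SHARE},
}

def is_authorized(user: User, action: str, record: Record) -> bool:
    """Object-level check: being authenticated is not enough to touch a record."""
    if user.user_id == record.owner_id:
        return action in {READ, UPDATE, SHARE}
    return action in ROLE_ACTIONS.get(user.role, set())

# Constructed sample data store.
RECORDS: Dict[str, Record] = {
    "r1": Record("r1", "alice", "alice's account data"),
    "r2": Record("r2", "bob", "bob's account data"),
}

def handle_request(user: User, action: str, record_id: str) -> Tuple[int, str]:
    """Simulated API handler: returns (HTTP status, body) after the authz check."""
    record = RECORDS.get(record_id)
    if record is None:
        return 404, "not found"
    if not is_authorized(user, action, record):
        # Denials like this are the events ongoing monitoring should alert on.
        return 403, "forbidden"
    if action == READ:
        return 200, record.data
    return 200, f"{action} accepted for {record_id}"
```

An authenticated customer reading their own record gets 200; the same customer requesting someone else's record gets 403, which is exactly the gap the article says many APIs never check.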

3. Denial-of-Service Attack Prevention

A denial-of-service attack is when someone sends enough requests at you in a short amount of time that your system cannot process them, times out, and crashes. This is where rate-limiting and throttling policies come in. Both are critical in ensuring that your APIs only process so many requests per minute. You always need to set some kind of rate limit, because that prevents people from simply hammering your endpoints with requests and forcing a security leak.
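A per-client rate limit of the kind described above, as an added example that is not code from the original article: a sliding-window limiter that allows at most `limit` requests per `window_seconds` for each API key and answers 429 with a `Retry-After` header once a key exceeds its budget. The in-memory store and the injectable clock are assumptions made so the example runs stand-alone; a real deployment would keep the counters in a shared store so every API node enforces the same limit.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

class RateLimiter:
    """Sliding-window limiter: at most `limit` hits per `window_seconds` per key."""

    def __init__(self, limit: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock          # injectable so tests can control time
        # Per-key timestamps of recent hits (in-memory, single process).
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> Tuple[bool, float]:
        """Returns (allowed, seconds until the next slot frees up)."""
        now = self.clock()
        hits = self._hits[key]
        # Evict timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) < self.limit:
            hits.append(now)
            return True, 0.0
        # The oldest remaining hit determines when a slot opens again.
        return False, self.window - (now - hits[0])

def handle_request(limiter: RateLimiter, api_key: str) -> Tuple[int, Dict[str, str]]:
    """Simulated API front door: 429 plus Retry-After once a key is over budget."""
    allowed, retry_after = limiter.allow(api_key)
    if not allowed:
        # Round up so the client does not retry a fraction of a second too early.
        return 429, {"Retry-After": str(int(retry_after) + 1)}
    return 200, {}

if __name__ == "__main__":
    limiter = RateLimiter(limit=60, window_seconds=60)   # 60 requests per minute
    for i in range(62):
        status, headers = handle_request(limiter, "demo-key")
        if status == 429:
            print(f"request {i + 1}: throttled, Retry-After={headers['Retry-After']}")
```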

However, the above are table stakes and only the beginning. Businesses really should be reviewing the OWASP Top 10 (https://owasp.org/www-project-top-ten/) security concerns and making sure their application networks are protected against attacks of all kinds. This includes data injection, using out-of-date components, missing server updates – the list goes on. Once you have that protection in place, the next step is to have a plan in place for ongoing monitoring. 

API Security Monitoring Best Practices

First is taking stock of what APIs and applications you have. Companies often don’t realize that they have a number of APIs running that nobody intended to run in the first place. Many businesses have servers with exposed APIs, third-party SaaS systems with the same, or even legacy APIs that most people forgot existed.

Best way to combat that? Find and test them. Listen to network traffic and sniff out offending systems or APIs. Even if you know an API and its specification (the communication contract), you should generate different permutations to see if there is a way to break it and get access to data you shouldn’t have. 

In essence, you want some type of system that does ongoing monitoring, generates alerts, and reports back to you on whether everything is locked down and secured. Many businesses will throw their hands up at this, saying they don’t have time, but API security and ongoing security monitoring are mandatory – not optional.

If your team doesn’t have the expertise or bandwidth to ensure all of the above API security elements and have the capacity to do ongoing monitoring, our partner Noname Security specializes in this. Noname API Security Platform is the only solution to proactively secure your environment from API security vulnerabilities, misconfigurations, and design flaws while providing API attack protection with automated detection and response.

If you aren’t actively pursuing security measures, it’s only a matter of time until someone finds your company and you have a data breach. Simply put, don’t be that company.

To take the initial steps to secure your business, see our API Security Assessment & Remediation Plan offering. In just a few short weeks we’ll help identify your API security risk and provide a remediation plan to address the greatest risks to your business and technology roadmap.