In recent years, the proliferation of APIs has significantly changed the way enterprises operate. APIs enable different applications to communicate and exchange data with each other, allowing for more efficient and effective business processes and software development.
However, with the increased use of APIs comes the risk of API sprawl, where APIs are created and deployed across distributed teams and architectures, often without proper oversight and management. This can create a new set of security risks for enterprises, as each API represents a potential entry point for attackers to gain unauthorized access to sensitive data and systems.
The Rise of API-First Software Development
One of the main drivers of API sprawl is the proliferation of microservices. A microservices architecture breaks a larger application into smaller, individual applications that communicate with each other via API. This breaks complex applications into discrete parts that can be managed by individual teams and scaled independently of each other to meet traffic demands.
Microservices offer many advantages for developers, including increased flexibility and scalability. However, these benefits come with tradeoffs, including additional complexity. As a result, many enterprises adopt an API-first approach to building microservices. In this strategy, the design process for applications and services starts with an API contract that outlines how an API works, down to the format of requests and responses.
The Attack Surface Grows as APIs Proliferate
The benefits of API-first software development can be easily undermined by a failure to take API security seriously, especially during design and deployment. At the most basic level, more APIs mean more attack surface. While APIs play a vital role in modern software development, they are simultaneously becoming easier to exploit.
In 2018, Gartner predicted that APIs would become the most common attack vector for applications by 2022. If anything, their prediction of that much delay was overly optimistic. High-profile API breaches at major companies that affected millions of users were already occurring and have only become more common:
- In 2018, Facebook reported that at least 50 million users’ data was at risk after attackers exploited the company’s developer API to obtain personally identifiable information (PII) linked to users’ profile pages, including name, gender, and hometown.
- In 2019, LinkedIn reported that a hacker used data scraping techniques by exploiting APIs to collect over 700 million users’ information, which was posted for sale on the dark web.
- In 2021, an API maintained by Peloton allowed a malicious actor to request PII, including age, gender, city, weight, and birthdate.
- In 2022, Twitter addressed an API breach that exposed data from 5.4 million user accounts, including phone numbers and email addresses.
- In 2023, T-Mobile reported that an API breach had resulted in the theft of data for 37 million customers, including names, emails, addresses, phone numbers, dates of birth, and more.
The breadth and variety of these attacks reveal the challenges faced by security and engineering leaders. Some attacks exploit APIs that were incorrectly exposed to the internet. Others use API keys or other authentication credentials that were inadvertently exposed in code repositories. Still others gain access to internal environments through VPN exploits and then use internal APIs to exfiltrate data.
Thwarting API Attacks Requires the Right Strategy and Tools
The most common way to protect against API threats is to combine traditional web application security strategies with modern API security techniques. Traditional strategies often fall short in the face of today’s varied API threats. Modern techniques like automated API discovery and API contract testing attempt to close these gaps.
It is critical for enterprises to shield right (implement global controls and security policies to protect deployed apps and APIs) and shift left (build security into code to eliminate vulnerabilities before apps and APIs go into production). Neither strategy can provide comprehensive API security on its own, so the key to preventing breaches is a holistic approach that spans three categories of API security practices:
- API security posture management – Provides visibility into the security state of a collection of APIs, including types of data exposed and request methods
- API security testing – Evaluates the security of an API across key points in its lifecycle to identify potential vulnerabilities
- API runtime protection – Detects and prevents malicious requests from reaching APIs during operation
By combining the right strategy with the right tools, organizations can better protect their APIs from attacks and ensure the security of their software systems. Let’s look at the important functionality and tools that platform engineering leaders need to implement to protect APIs across their lifecycle.
API security posture management creates visibility into the number, types, locations, and data exposed by your APIs. This information helps you understand the risks associated with each API so you can take appropriate actions to protect it.
- Automated API discovery – Continuously and automatically discovers the APIs deployed in an environment, for comprehensive visibility
- API characterization – Identify and categorize APIs by protocol or architecture (REST, GraphQL, SOAP, etc.) and map sensitive data flows to understand your risk exposure
- API cataloging – Maintain a complete list of APIs to encourage software teams to re-use existing APIs, and to help SecOps teams build a complete view of your security posture
- Web application and API protection (WAAP) – Leverages a privileged global position in the API infrastructure to analyze traffic entering and leaving environments, identify APIs, and build a view of your risk exposure
- Inline or agent-based discovery – Attaches an agent to existing API gateways, load balancers, or Kubernetes Ingress controllers to mirror and analyze API traffic
- Out-of-band or agentless discovery – Uses traffic mirroring or exported logs and metrics to analyze API traffic; usually offers less visibility into APIs and threats than other technologies
- Domain crawlers – API security providers may offer crawlers that probe your domain for exposed API endpoints that allow traffic to bypass the API gateways and load balancers where security policies can be enforced
It’s important to keep in mind that no technology can reliably find every API in your architecture. Most discovery techniques rely on visibility provided by existing load balancers, API gateways, and Ingress controllers, and are not likely to catch misconfigurations that bypass these architectural components.
Ultimately, code review and adherence to API-first best practices offer more effective long-term prevention. But automated API discovery tools are still useful for rapidly building a view of your security posture and for catching APIs that might otherwise go unmanaged and unsecured.
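As an added illustration (not code from the article or from NGINX), the following Python script performs the out-of-band, log-based discovery described above on a few constructed access-log lines: it normalizes identifiers into route templates, characterizes each route as REST, GraphQL or SOAP, and reports routes that carry traffic but are missing from a constructed catalog.

```python
# Added example (not from the article): out-of-band API discovery from exported
# access logs, followed by characterization and comparison against a route catalog.
import re
from collections import Counter

# Constructed sample access-log lines (combined-log style); hosts and paths are made up.
SAMPLE_LOGS = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "POST /graphql HTTP/1.1" 200 2048
10.0.0.7 - - [01/Mar/2024:10:00:03 +0000] "GET /api/v1/users/77/export?all=1 HTTP/1.1" 200 90211
10.0.0.9 - - [01/Mar/2024:10:00:04 +0000] "GET /api/v1/users/1043 HTTP/1.1" 200 498
10.0.0.9 - - [01/Mar/2024:10:00:05 +0000] "POST /soap/OrderService HTTP/1.1" 200 1200
"""

# Catalog of known, managed routes (constructed); a real one comes from the API inventory.
CATALOG = {("GET", "/api/v1/users/{id}"), ("POST", "/graphql")}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Path segments that look like identifiers (numeric, long hex, UUID) collapse to {id}.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)

def normalize_path(path: str) -> str:
    """Map /users/1042 and /users/1043 to one route template, dropping any query string."""
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("?", 1)[0].split("/"))

def characterize(route: str) -> str:
    """Rough protocol/architecture label, as in the characterization step above."""
    if route.rstrip("/").endswith("/graphql"):
        return "GraphQL"
    if "/soap/" in route or route.endswith(".wsdl"):
        return "SOAP"
    return "REST"

def discover(log_text: str, catalog: set) -> dict:
    """Return {(method, route): {hits, style, catalogued}} for every route seen in the logs."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits[(m["method"], normalize_path(m["path"]))] += 1
    return {key: {"hits": n, "style": characterize(key[1]), "catalogued": key in catalog}
            for key, n in hits.items()}

def unmanaged_routes(report: dict) -> list:
    """Routes carrying traffic but absent from the catalog: candidates for unmanaged APIs."""
    return sorted(key for key, info in report.items() if not info["catalogued"])

if __name__ == "__main__":
    print(unmanaged_routes(discover(SAMPLE_LOGS, CATALOG)))
```

Each route flagged by `unmanaged_routes` is a candidate for review: either it needs to be added to the catalog and put behind the gateway, or it should not be reachable at all.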
While API security posture management is concerned with enterprise-wide security, API security testing is very much about individual APIs. At its most basic, API security testing helps identify and prevent vulnerabilities and their associated risks by testing the API runtime – the application running behind the API. It helps ensure that basic security requirements have been met, including conditions for authentication, authorization, rate limiting, and encryption.
- API contract testing – Uses an API’s OpenAPI Specification to verify that it is performing as designed, by comparing client requests and server responses. It uses an “inside out” approach to discover whether APIs are vulnerable, before they are deployed.
- Dynamic application security testing (DAST) – Simulates attacks against an API runtime to find vulnerabilities, evaluating the API from the “outside in” like a malicious user.
- API contract testing software – Specialized tools for running tests that segment API requests and responses to verify that client and server behavior complies with the API contract
- Application security testing (AST) software – Tools that analyze and test applications, including APIs, by simulating attacks
There are both open source contract-testing tools and commercial products from dedicated API security vendors. The application security testing (AST) market has existed for decades, and an increasing number of vendors now offer dedicated scanning and testing tools for APIs.
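An added example, not from the article or any vendor tool: a minimal contract check in Python that replays constructed request/response captures against an OpenAPI-style operation description and reports undeclared response fields and 2xx responses to unauthenticated calls. The contract, the exchanges and all field names are constructed for the example.

```python
# Added example (not from the article): a minimal contract check that compares captured
# request/response pairs with an OpenAPI-style operation description, flagging undeclared
# response fields (possible excessive data exposure) and 2xx responses to unauthenticated calls.
CONTRACT = {  # constructed contract fragment for one operation, simplified OpenAPI 3 shape
    "GET /api/v1/users/{id}": {
        "security": [{"bearerAuth": []}],
        "responses": {"200": {"type": "object", "additionalProperties": False,
                              "properties": {"id": "integer", "displayName": "string", "city": "string"}}},
    }
}
JSON_TYPES = {"integer": int, "string": str, "boolean": bool, "number": (int, float)}

def check_exchange(op: str, request: dict, response: dict, contract: dict = CONTRACT) -> list:
    """Return findings for one captured exchange; an empty list means it matches the contract."""
    spec = contract.get(op)
    if spec is None:
        return [f"{op}: operation not in contract (undocumented endpoint)"]
    status = str(response["status"])
    schema = spec["responses"].get(status)
    if schema is None:
        return [f"{op}: undocumented status {status}"]
    findings = []
    # Authentication: the contract requires a scheme, yet the call succeeded with no credentials.
    header_names = {h.lower() for h in request.get("headers", {})}
    if spec.get("security") and "authorization" not in header_names and status.startswith("2"):
        findings.append(f"{op}: {status} returned to a request with no Authorization header")
    props = schema.get("properties", {})
    for name, value in response.get("body", {}).items():
        if name not in props:
            if not schema.get("additionalProperties", True):
                findings.append(f"{op}: undeclared response field '{name}' (possible data exposure)")
            continue
        # bool is a subclass of int in Python, so reject it explicitly for non-boolean fields.
        if (isinstance(value, bool) and props[name] != "boolean") or not isinstance(value, JSON_TYPES[props[name]]):
            findings.append(f"{op}: field '{name}' is {type(value).__name__}, contract says {props[name]}")
    return findings

# Constructed captured exchanges: one compliant, one leaking undeclared fields without credentials.
SAMPLE_EXCHANGES = [
    ("GET /api/v1/users/{id}", {"headers": {"Authorization": "Bearer <token>"}},
     {"status": 200, "body": {"id": 1042, "displayName": "A. User", "city": "Oslo"}}),
    ("GET /api/v1/users/{id}", {"headers": {}},
     {"status": 200, "body": {"id": 1043, "displayName": "B. User", "city": "Lima",
                              "email": "b@example.com", "birthDate": "1990-01-01"}}),
]

def run_contract_tests(exchanges=SAMPLE_EXCHANGES) -> dict:
    """Run every captured exchange through the contract check, keyed by exchange index."""
    return {i: check_exchange(*ex) for i, ex in enumerate(exchanges)}
```

The second exchange produces three findings: the missing Authorization header on a successful call, and the two fields (`email`, `birthDate`) that the contract never declared, which is the pattern behind the PII over-exposure incidents listed earlier.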
API runtime protection refers to securing APIs as they operate and manage requests. It prioritizes building security into the platform infrastructure as well as the code of the APIs themselves. The objective is to identify and prevent malicious API requests that emerge after deployment.
- Access control – Enforce authentication (authN) and authorization (authZ) policies
- Network security – Encrypt and protect communications across the network
- Application protection – Protect API runtimes from malicious API requests and attacks
- Real-time monitoring – Visualize, trace, and mitigate attacks across API infrastructure
- API gateway – Applies and enforces security policies, including authentication, authorization, rate limiting, access control lists, and encryption
- Web application firewall (WAF) – Protects APIs and applications against sophisticated Layer 7 attacks by actively monitoring and filtering traffic based on attack signatures
- Identity provider (IdP) – Service that stores and verifies user identity, and typically works with single sign-on (SSO) providers to authenticate users
Not all API gateways and WAFs/WAAPs are created equal. Some services, particularly the native solutions available on cloud and other platforms, lack the global visibility and standardization required in multi-cloud and hybrid architectures.
API Security Best Practices
Given the importance of securing APIs, it is essential to approach API security in an organized way. Platform engineering and security leaders must work together to address security requirements across the API lifecycle. As we explored earlier, this roughly aligns with three main areas of practice: API security posture management, API security testing, and API runtime protection. In other words, you need to focus on knowing how many APIs you have, how to test them for errors, and how to build security into your code.
Like all cybersecurity, API security is an ongoing process that requires collaboration with many stakeholders, including network engineers, security operations leaders, platform engineering leaders, and software development engineers. The good news is that it’s no great mystery how to secure APIs.
Most organizations already have measures in place to combat well-known attacks like cross-site scripting, injection, distributed denial of service, and others that can target APIs. And many of the best practices described above are likely quite familiar to seasoned security professionals. No matter how many APIs your organization operates, your goal is to establish solid API security policies and manage them proactively over time.
Start your 30-day free trial of the NGINX API Connectivity Stack, which includes F5 NGINX Management Suite API Connectivity Manager to manage, govern, and secure APIs; F5 NGINX Plus as an API gateway; and F5 NGINX App Protect WAF and DoS for advanced API security.