Secure coding

Secure software deployment for APIs

January 16, 2023 by Gilad Maayan

Web-based APIs (application programming interfaces) are used by software-as-a-service (SaaS) applications, cloud systems, data services and many other types of resources, making them an important part of the Internet-facing attack surface for many organizations. 

The highly structured nature of APIs makes them ideal targets for automated attacks. Therefore, organizations must incorporate API security solutions into their application security policies to identify and block attempts to exploit web APIs.

Web application security is a priority for many organizations because APIs are commonly exposed to the internet and allow access to sensitive functions and data. Even internal APIs can be vulnerable to threats and must be appropriately secured.

Software deployment and API security challenges

Security is part of the Software Development Lifecycle (SDLC) and should be integrated into every stage of the lifecycle, especially software deployment. Security efforts for a software product starts when the first line of code is written and continue as long as the application runs in production. APIs are no exception. Let’s take a closer look at some of the key challenges of API security and how they can affect your deployments.

APIs are different

APIs behave and react differently than web applications, requiring different security strategies. In addition, every API is different, so you need a good understanding of the design, architecture and security stack to secure an API.

APIs also introduce new file formats, protocols and data structures. These new factors can make it easy for hackers to perform attacks like cross-site scripting (XSS) and SQL injection. Another concern is that APIs can inadvertently give attackers valuable information about an application’s backend functionality, for example, if error messages are too verbose.

External vs. internal APIs

Many organizations use service APIs — for example, APIs that provide access to public cloud environments or software-as-a-service (SaaS) applications. Service APIs have special security concerns because they handle large amounts of data and have unique authentication models.

However, internal APIs also need protection. It was previously thought that APIs accessed only within the network perimeter are inherently safe. Today it is widely understood that internal APIs are vulnerable to both insider and external attacks and must be fully secured — which may require an overhaul of the existing security infrastructure.

Limited visibility

DevOps teams are typically responsible for providing information about which API endpoints are in use and how they behave. However, this information is often lost in communication between teams in the organization or quickly becomes outdated, making it different for security teams to fully understand which APIs are in use.

Best practices for securely deploying APIs

Inventory your APIs

A digital transformation initiative can help accelerate the API development process, but securing APIs you don’t know about is impossible. Reviewing all new APIs to ensure they have proper security measures is essential. An AI analytics engine can evaluate API traffic and metadata to discover hidden or forgotten APIs, allowing security teams to map the API attack surface. 

API discovery and inventory help reduce blind spots to identify vulnerable APIs. When the team discovers APIs, it can apply the security checklist. You can also use the metadata analysis from the API traffic to perform threat detection.

Implement API access controls

Use authentication standards like JWT and OAuth to control API traffic. Define access control rules to determine the identities, groups, roles and attributes that can access each API resource.  

Applying zero-trust security principles for API transactions that pass through multiple networks is best. Use identity-based controls to allow each API layer to make decisions autonomously. The identities you propagate are also helpful for application security. 

Other best practices to ensure robust access control include:

  • Map the transitions from one token format to another when traffic crosses network boundaries — for example, opaque tokens in the public network and signed tokens in the private network.
  • Enforce authorization rules at every API silo.
  • Establish access controls for external applications and specify the scope of access granted to each.
  • Allow users to define and enforce privacy preferences (in addition to general data governance rules).

Use threat detection

Combining out-of-band and real-time threat detection helps increase visibility over API threats. Real-time API threat detection uses a WAF, API gateway or agent to apply validation rules. These rules apply to all API requests and responses, which can only succeed if they conform to the rules. 

API threat detection best practices include: 

  • Check for threat signatures (i.e., for SQL injections).
  • Use JSON paths and schemas to validate all incoming traffic against API definitions. The more restrictive the rules, the lower the likelihood of attackers abusing the API.
  • Set rate limits to protect the API back end.

Applying too many sequential layers can increase latency, slowing real-time threat detection and security responses. 

It is best to offload out-of-band API traffic analysis to an AI engine separate from API traffic paths. The AI engine can capture traffic metadata for creating machine learning threat models for specific APIs. This metadata also helps track API sequences, error rates, cross-token grouping, API keys, IP addresses and cookies. When the AI engine identifies an anomaly, it should tell the load balancer or API gateway to block the relevant API client.

Test API security

Implement continuous security tests focusing on APIs. Test cases should emulate an attacker’s techniques, such as skipping the client-side application to hack the API. Security testers can use tools like JavaScript and Postman. Another approach is to make API calls that your application normally wouldn’t make — these unusual calls could trick the API, causing it to return confidential data. 

Maintain incident response and auditing strategies

There is more to incident response than identifying and blocking API security breaches. Record the details about API traffic history to produce forensic reports for specific API keys, tokens, IP addresses or user identities. 

Create a forensics report to provide a complete picture of the security incident and all associated API activity. This report will facilitate future investigations and ensure compliance. It will also help repair some of the damage incurred before the security tools automatically detect and block the breach.

Importance of APIs

Here are some basics of API security and a few critical best practices that can help you securely deploy APIs:

  • Inventory your APIs – ensure you have visibility over all API endpoints deployed in your environment.
  • Implement API access controls – ensure all APIs, even internal ones, have strong authentication and appropriate authorization controls.
  • Use threat detection – APIs running in production must be monitored by threat detection technology that can help identify abnormal behavior.
  • Test API security – don’t assume APIs are secure; test them using automated tools like DAST, as well as manual penetration testing.
  • Maintain incident response strategies – breaches will inevitably happen, so ensure you have a practical, well-communicated plan for API incident response.
Posted: January 16, 2023
Gilad Maayan
View Profile

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.