5 API security best practices you should know

If API security isn’t on your list of top web security priorities for the future — it should be.

And here’s why:

  • Gartner predicts that by 2022 API abuses will be the most frequent attack vector for breaching enterprise web applications. 
  • 60 percent of companies have on average more than 400 APIs, and over half aren’t confident that their security teams are aware of how all of the APIs in their organization are being used.
  • The average web application or API has over 26 serious vulnerabilities — a staggering number when you consider how many applications are used by organizations today.


The rise of application programming interfaces (APIs), especially in enterprise programming, opens up the potential for more doors being left open and more security holes that put companies and their customer data at risk. In fact, “underprotected APIs” is considered one of the OWASP Top 10 web application vulnerabilities.

In the past, security professionals were typically more focused on attacks that do large-scale damage, such as distributed denial-of-service (DDoS), malware, or ransomware. But the less obvious vectors like API exploits or browser-based threats are on the rise, and organizations could find themselves paying a high price if they fail to address the inherent lack of security posed by APIs.

Here are five core best practices that are essential for API security:

  1. Encrypt and authenticate. It goes without saying that you should be using HTTPS to secure APIs, but it’s also important to authenticate API requests. Even if a system has a public API, it is recommended to ask users to register for an account in order to provide them with an API key to access the API. This approach helps reduce any misuse of the system and enables you to track if one account is being used for many requests.
  2. Don’t encode sensitive information in the URL. Many traffic handling and security systems, such as proxies and network security devices, will log the request URL. If you encode sensitive data in the URL, it will contaminate your logs. Instead, you should send this information in the request body or use an HTTP header since these don’t get logged by traffic handling and security systems.
  3. Deploy an API gateway. If you have many APIs coming from different backend services, it might be helpful to consider implementing an API gateway. This is a service that sits in front of all your APIs and provides one public endpoint for all API requests. When API services are deployed this way, it allows for the centralization of policies, protection, and logging — giving you an added layer of protection.
  4. Use a web application firewall with API-specific rules. Since many API calls result in database calls on the backend, it’s important to have something outside of your own code that checks for malicious requests. Use a web application firewall with API-specific rules to find and block common attacks.
  5. Consider a full-featured web app and API protection (WAAP) platform. The Instart Web App and API Protection platform combines protection for web apps and APIs, providing complete security from origin to browser in the form of a WAF, DDoS protection, API-specific protection, and sophisticated defense against automated bots. In addition, Instart provides unified threat intelligence to ensure that known malicious IPs are automatically blocked and stay up to date about the latest threats to keep your APIs safe.
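The following is an added example, not code from this post or from Instart, showing what practices 1, 2 and 4 look like as a single request-screening layer placed in front of application code (the spot an API gateway from practice 3 would occupy). Every name in it is an assumption: `ApiGuard`, `KEY_STORE`, `ROUTE_RULES`, the sample API keys and the two routes are constructed for illustration. It refuses plaintext HTTP, rejects requests that carry secrets in the query string so they never reach the logs, authenticates a bearer API key against a table of hashed keys, counts requests per account so a single key doing an unusual volume of work stands out, and enforces a per-route allow-list of query parameters and their formats before anything is passed to the backend.

```python
import hashlib
import hmac
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Mapping, Optional
from urllib.parse import parse_qs, urlsplit


def hash_key(key: str) -> str:
    """Keys are stored hashed, so a copied key table is not directly usable."""
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample key table (hash -> account id); not real credentials.
KEY_STORE: Dict[str, str] = {
    hash_key("demo-key-alice-0001"): "alice",
    hash_key("demo-key-bob-0002"): "bob",
}

# Parameter names that must never travel in the URL (practice 2).
SENSITIVE_PARAMS = {"api_key", "apikey", "token", "password", "secret", "ssn"}

# Positive-security rules per route (practice 4): the allowed query
# parameters and the pattern each must match. Anything else is rejected
# before it reaches application code or the database. Routes are constructed.
ROUTE_RULES: Dict[str, Dict[str, str]] = {
    "/v1/users": {"id": r"[0-9]{1,12}", "fields": r"[a-z_,]{1,64}"},
    "/v1/orders": {"since": r"[0-9]{4}-[0-9]{2}-[0-9]{2}"},
}


@dataclass
class Decision:
    allowed: bool
    status: int
    reason: str
    account: Optional[str] = None


class ApiGuard:
    """Hypothetical gateway-side check applied to every API request."""

    def __init__(self, key_store: Mapping[str, str], per_account_limit: int = 100):
        self.key_store = key_store
        self.per_account_limit = per_account_limit
        self.requests_per_account: Counter = Counter()

    def authenticate(self, headers: Mapping[str, str]) -> Optional[str]:
        """Resolve 'Authorization: Bearer <key>' to an account id, or None."""
        lowered = {k.lower(): v for k, v in headers.items()}
        scheme, _, presented = lowered.get("authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not presented.strip():
            return None
        digest = hash_key(presented.strip())
        # Constant-time comparison against each stored hash.
        for stored, account in self.key_store.items():
            if hmac.compare_digest(stored, digest):
                return account
        return None

    def check(self, scheme: str, method: str, url: str,
              headers: Mapping[str, str]) -> Decision:
        # Practice 1: transport encryption is mandatory.
        if scheme.lower() != "https":
            return Decision(False, 403, "plaintext HTTP not accepted")
        parts = urlsplit(url)
        params = parse_qs(parts.query, keep_blank_values=True)
        # Practice 2: secrets in the query string end up in proxy and WAF logs.
        leaked = sorted(p for p in params if p.lower() in SENSITIVE_PARAMS)
        if leaked:
            return Decision(False, 400, "sensitive fields in URL: " + ",".join(leaked))
        # Practice 1: every request is tied to a registered account.
        account = self.authenticate(headers)
        if account is None:
            return Decision(False, 401, "missing or invalid API key")
        # Per-account request tracking; one key doing many requests is visible.
        self.requests_per_account[account] += 1
        if self.requests_per_account[account] > self.per_account_limit:
            return Decision(False, 429, "per-account request limit exceeded", account)
        # Practice 4: only known routes, known parameters, well-formed values.
        rules = ROUTE_RULES.get(parts.path)
        if rules is None:
            return Decision(False, 404, "unknown route", account)
        for name, values in params.items():
            pattern = rules.get(name)
            if pattern is None:
                return Decision(False, 400, "unexpected parameter: " + name, account)
            if not all(re.fullmatch(pattern, v) for v in values):
                return Decision(False, 400, "malformed parameter: " + name, account)
        return Decision(True, 200, "ok", account)


if __name__ == "__main__":
    guard = ApiGuard(KEY_STORE, per_account_limit=3)
    hdr = {"Authorization": "Bearer demo-key-alice-0001"}
    for req in [("https", "GET", "/v1/users?id=42", hdr),
                ("http", "GET", "/v1/users?id=42", hdr),
                ("https", "GET", "/v1/users?id=42&api_key=demo-key-alice-0001", {}),
                ("https", "GET", "/v1/users?id=abc", hdr)]:
        print(req[0], req[2], "->", guard.check(*req))
```

Rejections happen in the order a gateway would want them: transport first, then the URL hygiene check (so a leaked key is refused before it is even looked up), then authentication and the per-account counter, and only then the route allow-list. The counter here is in-memory; in a real deployment it would be backed by shared storage and would feed the gateway's logging rather than only deciding on a limit.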

API usage will continue to rise with the demand for businesses to deliver more dynamic application experiences. It’s essential that, even as organizations leverage these capabilities, they remain educated and vigilant about potential security risks — and make sure each new door is closed behind them as it is opened.
