Building an effective enterprise API security strategy with a plan-first, product-second approach
How do you develop an effective API security strategy? It takes a group of open technologies that come together to execute a unified strategy consisting of an API Gateway (gatekeeper) and an API Specification (guardian).
Introduction
These days customers expect the same functionality and data to be accessible from any device. With more than 83% of internet traffic enabled by APIs, it’s no wonder the modern IT landscape is API-driven. But as soon as APIs are made available publicly, they are immediately exposed to attack. 95% of companies have had an API security incident in the past 12 months, and API attack traffic has grown by 681%. It’s not only data breaches that should cause concern: API security issues slow down release cycles and application rollouts, and eventually hit profits. According to IBM, data breaches lasting longer than 200 days averaged a loss of USD 4.86 million. API security is a hot topic, and you’re likely reading this because it’s a primary concern for your organization.
So where to go from here? After all, you’d assume no one size fits all: enterprises are all at different stages in their API strategy roadmap. In different industries. And with security infrastructures that vary based on their API maturity. But here’s the kicker: whether you have an API department with 60 developers and hundreds of live apps or are just starting out—the tools you use for your API security strategy should look the same. API management used to be something that only the "big guys" needed—but now, the need for security policies enforced by API gateways and other tools is universal. By securing the exposed layers of an API using API security solutions and API management best practices, you can mitigate attacks and protect your organization, customers, data and bottom line.
State of API security
APIs have become a victim of their own success, and their growth is overtaking security teams’ abilities to manage them. According to “State of API Security Q3 2022” by Salt, malicious traffic accounts for 2.1% of overall API traffic.
API security refers to the protection of APIs through procedures and security measures that aim to diminish and prevent security threats and attacks. But adversaries are getting smarter all the time. And staying on top of how attackers are shifting their behavior is very important.
Shifting behaviors in API attacks
With every mobile app backed by cloud-native applications, APIs are a common attack vector. But where in the API lifecycle an attack lands is perhaps even more relevant. Currently (2023), attacks are shifting from endpoints and users to developers and the enterprise business logic, which has significant implications for your development teams if no standard security specifications are in place.
The Open Web Application Security Project (OWASP) is behind the “Top 10 API Security Risks” list and provides an unbiased source of information on mitigating ten specific API security vulnerabilities. It summarizes these vulnerabilities as:
- Broken Object Level Authorization, BOLA (see below)
- Broken Authentication
- Excessive Data Exposure (see below)
- Lack of Resources & Rate Limiting
- Missing Function/Resource Level Access Control
- Mass Assignment
- Security Misconfiguration (see below)
- Injection Flaws
- Improper Assets Management
- Insufficient Logging & Monitoring
Common vulnerabilities and implications for your strategy
Vulnerability 1: Security misconfiguration
Security misconfiguration is the most frequently reported security issue and is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must also be patched and upgraded in a timely fashion. These vulnerabilities often arise due to human error.
The implication of this for your API strategy?
While human error is tough to protect against, API Gateway security can shift some of that responsibility to shared and global security policy definitions. These can then be applied to large collections of APIs—thus avoiding this security issue altogether.
Vulnerability 2: Excessive data exposure
APIs should not return more data than is required. This data isn’t usually displayed to the user but can be easily “sniffed” by a web proxy. For example, when fetching user info, the (hashed) password should never be included. But sometimes it is—amounting to excessive data exposure and possible breaches. With deliberate design you can define what data you want to return and can validate that the code does not return any excessive data.
The implication of this for your API strategy?
API Gateway security can apply data transformation and data masking to your APIs. But you also need an API Specification that ensures excessive data exposure is ruled out at the design phase.
Vulnerability 3: BOLA
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for object-level access control issues. Object-level authorization checks should be performed in every function that accesses a data source using input from the user. Ultimately, it’s critical that users can only view the data they are meant to see. But this puts pressure on your team to improve not just application development but maintenance productivity too.
The implication of this for your API strategy?
API Gateway security can provide a highly granular level-of-access control necessary to prevent penetration. But you’ll need to combine this with an API Specification that ensures security lives in your APIs post-production too.
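The object-level check described above, shown as an added example that is not code from the article or from any vendor product. The in-memory `ORDERS` store, the user ids and the `get_order` handlers are all constructed for illustration; the vulnerable handler is kept beside the hardened one so the difference is visible.

```python
"""Object-level authorization on an endpoint that takes a user-supplied id.
Added example; the data store and handlers are constructed, not real code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float


# Constructed in-memory store standing in for the real data source.
ORDERS = {
    1001: Order(1001, owner_id=7, total=49.90),
    1002: Order(1002, owner_id=8, total=1250.00),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


class NotFound(Exception):
    """Raised when the requested object does not exist."""


def get_order_vulnerable(caller_id: int, order_id: int) -> Order:
    """BOLA: the only check is that *some* authenticated caller is present.
    Any caller who knows or guesses another user's order id can read it."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order(caller_id: int, order_id: int) -> Order:
    """Hardened: ownership is checked in the function that touches the data
    source, so it cannot be bypassed by calling the API outside the UI."""
    order = ORDERS.get(order_id)
    # One error for both 'missing' and 'not yours', so the response does not
    # reveal which identifiers exist and invite enumeration.
    if order is None or order.owner_id != caller_id:
        raise Forbidden(order_id)
    return order


def can_read(caller_id: int, order_id: int) -> bool:
    """Predicate form of the check, usable from tests or a gateway policy."""
    try:
        get_order(caller_id, order_id)
        return True
    except Forbidden:
        return False
```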
Building an effective enterprise API strategy
How do you develop an API security strategy? Fools rush in: it’s important to get your head around some basic questions first.
- Governance: Do you know and leverage your API security resources? Do you have a centralized approach to securing all your APIs across the landscape?
- Proliferation: Do you know your API landscape? What APIs have you got out there? How are they secured and being used?
Not certain of all the answers, but looking at API security solutions to help you start clarifying them? Be careful. There are currently thousands of API security solutions on the market, and 21 leading full API lifecycle global vendors. If you start extending your API portfolio without a clear strategy, you risk not only technical debt but also spending hours and hours of security development time on a per-API basis instead of establishing a scalable strategy.
To build an effective API strategy you’ll need to follow a plan-first, product-second approach. That’s because API security isn’t a single solution: it’s a group of technologies that come together to execute a unified strategy in which governance and proliferation are aligned (see diagram below).
Protecting the complete API lifecycle
Of course, the rewards of API-led innovation require you to open your APIs to third parties in today's API-connected world. However, even the most creative, comprehensive and best-managed API strategy is still vulnerable to the latest and greatest malicious threats by unauthorized intrusions and hacking.
Your unified strategy should take a two-pronged approach: firstly, it should include an API Gateway as its cornerstone; secondly, it should be managed using an API Specification that extends across the entire API lifecycle, increasing security by plugging in other specialist tools as required.
Here’s both explained in more detail:
1. The API Gateway for central governance
Securing APIs individually is a difficult, time-consuming endeavor, and runs the additional risk of inconsistent security between APIs. Moreover, it hampers your ability to adapt your security posture to defend against emerging threats. This is where an API Gateway becomes a valuable tool in API defense. Your API Gateway is the security and policy enforcer for APIs and their internal applications and systems. The cornerstone of your API security strategy, the API Gateway standardizes your protection policies and governance across your API landscape. A powerful API Gateway understands what paths and operations are available to it and will automatically block any others: This makes it both guardian and gatekeeper.
The first step in your strategy should be to implement an API Gateway that forces your clients to access your APIs strictly through that gateway. This is easily accomplished by configuring your firewall to only allow access to your API endpoints from your gateway or gateway cluster. Forcing all API calls to come through the gateway provides a consistent security layer across APIs, along with centralized monitoring.
2. The API Specification for security across the full development lifecycle
The API Specification is essentially a contract that prescribes what the API does and how you can use it. It can be machine-interpreted for code generation, best-practices validation and conformance scanning (does the code do what the contract says, and nothing more?), among other uses. Tools exist for both design-time and run-time that interpret the same contract to validate and test different things and inform API developers and owners. The spec is created during the design phase and then used in all subsequent stages of the lifecycle.
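An added example of the contract doing double duty, as the gateway section and the excessive data exposure section above describe: the same spec tells a gateway which (method, path) pairs exist so everything else is blocked, and tells a conformance check which response fields are allowed so an undeclared field such as a password hash is flagged. This is illustration code, not the article's or any vendor's; the trimmed OpenAPI-style `SPEC` document, the `find_operation` and `response_violations` helpers and the sample bodies are all constructed.

```python
"""Using the API specification as gatekeeper and guardian.
Added example, not from the article or any vendor product. SPEC is a
constructed, trimmed-down OpenAPI-style document: only paths, methods and
response schemas with 'additionalProperties: false' are modelled."""
import re

SPEC = {"paths": {
    "/users/{id}": {"get": {"responses": {"200": {"schema": {
        "type": "object", "additionalProperties": False,
        "properties": {"id": {"type": "integer"}, "name": {"type": "string"},
                       "email": {"type": "string"}}}}}}},
    "/orders": {"post": {"responses": {"201": {"schema": {
        "type": "object", "additionalProperties": False,
        "properties": {"orderId": {"type": "integer"}}}}}}},
}}

_TYPES = {"integer": int, "number": (int, float), "string": str, "boolean": bool}


def _template_to_regex(template: str) -> re.Pattern:
    """Turn '/users/{id}' into a regex matching one segment per parameter.
    Template paths here contain no regex metacharacters besides the braces."""
    return re.compile("^" + re.sub(r"\{[^/}]+\}", "[^/]+", template) + "$")


def find_operation(method: str, path: str):
    """Gatekeeper: return the spec operation for (method, path), or None.
    A gateway that forwards only requests for which this returns an operation
    blocks every undocumented path and verb without a per-API policy."""
    for template, ops in SPEC["paths"].items():
        if _template_to_regex(template).match(path):
            return ops.get(method.lower())
    return None


def response_violations(operation: dict, status: str, body: dict) -> list:
    """Guardian: report what the body returns beyond what the contract allows.
    An undeclared field (e.g. a password hash) is the excessive data exposure
    case; a wrong type or an undeclared status is a conformance failure."""
    schema = operation["responses"].get(status, {}).get("schema")
    if schema is None:
        return [f"undeclared status {status}"]
    props = schema.get("properties", {})
    problems = []
    for key, value in body.items():
        if key not in props:
            if not schema.get("additionalProperties", True):
                problems.append(f"undeclared field '{key}'")
        elif not isinstance(value, _TYPES[props[key]["type"]]):
            problems.append(f"field '{key}' has wrong type")
    return problems
```

Run at design time against recorded responses it becomes the conformance scan; run in the gateway it is the allowlist that turns the spec into enforcement.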
Design-time
“Shift Left” refers to moving your security focus to the beginning of the API lifecycle and integrating it into the design and development of an API, which helps protect the API at every later step of its lifecycle, all the way to its retirement. If a potential vulnerability can be discovered and fixed before your API is published, you will also have eliminated a potential runtime threat to your APIs.
A collection of powerful design-time tools ensures that API implementation happens securely and that this security is enforced at both the spec and the code level. It should cover static analysis, testing, and penetration and conformance testing, i.e. verifying that the code does in fact do what the contract says it does.
Run-time
“Shield Right” refers to shielding your APIs at run-time and beyond. A good API gateway provides run-time protection for your APIs through its strong gatekeeper capabilities, while seamless integration between an API Gateway and other API security products can provide a holistic API security solution in which the products work together to defend against unknown attacks using a combination of AI/ML and defined algorithms and policies.
About Software AG’s webMethods API Management
As one of the leading providers of API management and integration solutions in the world, Software AG understands the importance of implementing a high-quality API security strategy. Continuous analyst recognitions in API Management reflect our reputation for powerful performance, an open-standards compliant ecosystem, and a strong vision in the marketplace. Here’s why the three of these are essential when it comes to mapping out your API security strategy:
Powerful performance:
As a baseline measurement, the webMethods API Gateway provides complete protection against the Top 10 API Security Risks identified by the OWASP.
- Secure by design: The webMethods API Gateway secures the traffic between API requests and the runtime execution of your services in the Gateway. It provides protection from malicious attacks such as Denial of Service (DoS) based on IP address, specific mobile devices and even message volume. webMethods API Gateway also provides virus scanner integration, and it eliminates the need for additional inbound firewall holes using Software AG’s reverse invoke, or inside-out, service invocation technology. It also protects your organization from security threats with DMZ-level protection.
- Centralized: The webMethods API Gateway provides the highly granular level of access control necessary to prevent access control issues, including attacks such as BOLA. The Gateway enables you to control access to resources and methods via scope-level policy definitions, and to configure threat protection policies such as a global denial of service policy, a denial of service by IP policy, and what we term filterable “rules”, which allow you to apply a rule to all request types or to specify REST, SOAP, invoke, or a list of custom resource paths.
- Simple: The webMethods design tooling module makes it easy to put together your specification, and enables you to bring in and connect with other powerful API security technologies of your choice across the API lifecycle to standardize and scale your secure enterprise business logic.
Open standards-compliant ecosystem:
Of course, there are limits to what any API Gateway can do on its own, and products don’t live and work in isolation in organizations. That’s why Software AG helps you to develop an API ecosystem strategy, reinforcing our offering with an added API security layer coming from other sources (see below).
The webMethods API security solution is built according to open standards and can integrate with other API security products to align with your organization’s cybersecurity strategy. The same also applies to securely exposing your APIs to third-party developers, stakeholders and other consumers.
Third-party solutions that we connect with enable you to analyze traffic patterns using artificial intelligence and new advanced technologies. Other solutions allow you to analyze traffic information and trigger actions in, for example, a ticketing system. With full interoperability, this information can then be fed back into the API Gateway to create dynamic security policies.
Software AG also has three strategic partnerships with leading-edge API security vendors, all thought leaders in the current market. More information here:
- About Cequence Security: The Cequence API Security Platform offers a prevention first approach that unifies inline API threat prevention, holistic API discovery, inventory tracking, risk assessment and remediation. Cequence uses behavioral fingerprinting to prevent attacks natively, eliminating any reliance on third-party tools such as a Web Application Firewall (WAF). The Platform has proven to be effective in eliminating data governance violations caused by unintended data leakage and preventing online fraud, business logic attacks, and exploits, which helps F500 customers remain resilient in today’s ever-changing business and threat landscape.
- About Salt Security: Salt Security protects the APIs that form the core of every modern application. Its API Protection Platform is the industry’s first patented solution to prevent the next generation of API attacks, using machine learning and AI to automatically and continuously identify and protect APIs. Deployed in minutes, the Salt Security platform provides API design analysis pre-production, learns the granular behavior of a company’s APIs for runtime protection, and requires no configuration or customization to pinpoint and block API attackers.
- About Noname Security: Noname Security is taking a complete, proactive approach to API Security. Noname works with 20% of the Fortune 500 and covers the entire API security scope across three pillars — Posture Management, Runtime Security, and Secure API SDLC. The D.A.R.T. API Security Methodology is a framework that makes it easier for businesses to discover, analyze, remediate, and test all of their APIs.
Strong vision in the market:
Software AG’s analyst recognitions are a reflection of many things, starting with strong vision and roadmap and extending to our focus on governance and security.
Gartner
In Q3 2022, our webMethods API Management suite was once again voted Leader in Gartner’s Magic Quadrant for Full Lifecycle API Management. Compare the 17 full Lifecycle API Security vendors here and read the full Gartner report here[14].
Similarly, webMethods API Management is positioned as a Leader in The Forrester Wave™: API Management Solutions, Q3 2022. Compare 15 of the most significant API management providers against a twenty-six-criterion evaluation.
The webMethods API Management platform is a good fit for a wide range of API strategies, especially for customers with the strong governance and discipline necessary to ensure strategic success of their API program.
Summary
To build an effective API strategy you’ll need to follow a plan-first, product-second approach. That’s because API security isn’t a single solution: it’s a group of technologies that come together to execute a unified strategy in which governance and proliferation are aligned. Your unified strategy should take a two-pronged approach:
- Firstly, it should include an API Gateway—the cornerstone of your API security strategy
- Secondly, it should be governed using an API Specification—that extends across the entire API lifecycle. And increases security by plugging in other specialist tools as required
With cybercrimes continuously surging, freeing your data, while protecting your APIs from unauthorized access, requires multiple capabilities spanning design-time through to run-time. This in turn demands an open solution that can connect with third-party API security providers—working together with them seamlessly to ensure rules are followed and smart security intel fed back into the cycle.
Securing APIs and data is a highly complex challenge; it’s not something your API developers can do on their own. But with the right strategy and solution, it is something your API developers can easily manage, leaving your organization free to scale at speed without compromising quality.