API Security Best Practices for CISOs
Application programming interfaces (APIs) have been used for decades; However, the use of APIs has grown exponentially alongside increasing enterprise digitization initiatives over the past few years. Nathan Richietechnical director at Salt Security walks us through the API security best practices that CISOs need in their playbook to be successful.
APIs enable digitization and power the applications that define our online lives, including weather widgets, “connect with” technology, mobile banking and third-party payment apps. Internal use of APIs has also exploded, with many of the world’s largest organizations now relying on APIs for routine business functions.
Despite their benefits, APIs pose significant security risks. API Security Status Report revealed that in 2021, overall API traffic increased by 321%, but API attack traffic more than doubled – by a staggering 681%.
Many companies, including Facebook, LinkedIn, Platoon, and Starbucks, have experienced API security incidents. In the worst-case scenarios, these attacks can cause irreparable damage to a company’s reputation and loss of revenue. Yet despite these risks, APIs remain poorly protected, and previous research has found that more than a third of organizations have no API security policy in place.
Learn more: The Cost of Innovation: Do New APIs Compromise Security?
API Security Best Practices
Although the task often seems overwhelming, here are some basic steps you can take to keep your API secure.
1. Establish the right safety culture
Culture and relationships are an often overlooked aspect of cybersecurity, including APIs. Many security issues stem from a lack of awareness and understanding of business risks. CISOs can be instrumental in fostering a cross-functional security mindset within an organization. Relationship building is an integral part of securing APIs. Security teams need to build and maintain good relationships across their organizations.
Once relationships are established, it’s easier to tighten API security without making anyone’s job harder. Healthy relationships encourage collaboration, enabling security teams to move from a reactive to a proactive approach. Instead of telling other employees what they can’t do, they can provide them with responsive answers, solutions, and tools that can fix problems before they arise.
2. Get a complete picture of your APIs
Modern APIs have enormous reach. They are at the heart of all areas of an organization, from infrastructure to customer experience and everything in between. They also belong to different teams. Engineering has a part, product has a part, and so on.
To complicate matters further, a single organization often uses multiple types of APIs. These may include:
- Business to consumer (B2C)
- Business to business (B2B)
- Business to employee (B2E)
Being aware of the unique, complex, and often disparate nature of APIs is critical to their security. Attacks on different APIs vary, which means that security teams must validate their security measures differently within each channel mentioned above.
To ensure full awareness, cataloging your APIs is crucial. If you lack visibility into your APIs, you can’t protect them. CISOs should have an accurate and baseline inventory of their APIs covering all of their environments.
Because APIs are built so quickly, any inventory must be consistently generated and updated continuously and dynamically. You need automation to ensure you have a complete picture of your APIs. Without a complete picture, you cannot know your potential risk and exposure.
3. Make API security its own agenda.
When it comes to APIs, security should not only be at the forefront of the CISO’s attention, it should be tightly tied to the entire process and pipeline. Establishing and enforcing best practices across an organization goes a long way in mitigating risk.
Last year, Gartner confirmed what we already knew; API security is its own distinct and essential category in securing platform services. It is therefore essential that it be treated as such. API security should be its own program, with its own training and management. Like many other cybersecurity disciplines, security teams should start with API security, not add it as an afterthought.
4. Choose dedicated API security tools
Until recently, the use of APIs was more limited and their capabilities were also relatively limited. However, APIs are growing exponentially in both volume and capacity – they have a huge and ever-expanding footprint.
The shift to the new API landscape has been drastic for many organizations. They went from minimal API development to huge, publicly available development in a matter of years. The growing attack surface has created new security risks, and
traditional solutions don’t provide the runtime information and security controls needed to protect APIs from attack.
Tools like WAFs, for example, lack identity context and don’t provide the visibility required for API security management. While WAFs protect against direct attacks such as cross-site scripting, they fail to identify or prevent today’s API-based attacks.
Because APIs aren’t just code, you need to see them being used to spot logic flaws. You need to be able to monitor them during runtime to spot anomalies and find areas where APIs could expose critical data. Observing patterns in the runtime environment gives organizations the best context for API security to identify malicious activity.
While upgrading your tools and solutions can be costly, a potential cyberattack far exceeds the cost of any security tool. It’s not just about the money spent securing your network and paying ransoms or even fines – a successful API attack can disrupt revenue streams and cause significant reputational damage.
Learn more: Using a Least Privilege Framework to Boost DevSecOps
Key points to remember
In short, securing your APIs requires a four-pronged approach:
- Establish and maintain a healthy and collaborative safety culture.
- Make sure you are aware of everything your APIs with a dynamically updated inventory.
- Prioritize security and recognize API security as a unique and distinct category.
- Choose dedicated security tools that provide contextual visibility into the entire API lifecycle.
The attack surface of APIs is constantly evolving, and securing it is both a relentless and difficult task. CISOs who recognize this reality and follow these best practices will be well on their way to a robust and resilient API security program.
Do you already follow any of these best practices for API security? Tell us about LinkedIn, Twitter, Where Facebook. We would love to know!