Published: 20 November 2023
Contributors: Chrystal China, Michael Goodwin
API security refers to the practices and procedures that protect application programming interfaces (APIs) from misuse, malicious bot attacks and other cybersecurity threats. It functions as a subset of web security but with a specific focus on APIs, which are increasingly vital to enterprise IT management.1
APIs now serve as the building blocks of digital transformation, enabling companies to offer services to external developers and partners. Since APIs orchestrate communication and data exchange between apps, they can facilitate more connected user experiences, extend overall business reach and foster boundary-pushing tech innovation. APIs also streamline service integration so that businesses can adapt quickly to market changes and customer demands.
But as APIs proliferate, so do the security issues that often accompany them.
APIs sit between an organization’s IT resources and third-party software developers or between IT resources and individuals, delivering data and information at process endpoints. Because endpoints are shown to the external world, they can make APIs a lucrative target for various types of attacks.
Learn how both APM and ARM can enable faster decisions and resource application.
Register for the guide on observability
The evolution of API management and API security is intrinsically linked to the evolution of APIs themselves. Early APIs primarily focused on inter-process communication within a single system. As such, security (or the lack thereof) was less of a concern because communication was confined to a single machine.
However, with the advent of Internet of Things (IoT) and cloud-native microservice architectures, APIs expanded to enable seamless communication and call routing between applications and across DevOps environments. A modern, high-quality API—for example, representational state transfer (REST), simple object access protocol (SOAP)—proceeds to orchestrate app integration, specify data formats and dictate call types, procedures and conventions.
Web APIs—GraphQL, REST API and SOAP API, in particular—changed the landscape by expanding features to include wide-reaching integration capabilities across myriad complex networks.
But because advanced technologies depend heavily on API endpoints for functionality, businesses and security teams must implement robust security measures to protect data and web services and ultimately get the most out of IT resources.
If not properly secured, API endpoints can allow malicious actors to gain unauthorized access to sensitive data, disrupt service operations, or both, with potentially devastating consequences. Common threats include:
- Authentication-based attacks—where hackers try to guess or steal user passwords or use weak authentication mechanisms to gain access to API servers.
- Man-in-the-middle attacks—where a bad actor steals or modifies data (for example, login credentials or payment information) by intercepting API requests or responses.
- Code injections/injection attacks—where the hacker transmits a harmful script (to insert false information, delete or reveal data, or disrupt app functionality) through an API request, displaying weaknesses in the API interpreters that read and translate data.
- Security misconfiguration—where sensitive user information or system details are exposed due to inadequate default configurations, overly permissive cross-origin resource sharing (CORS) or incorrect HTTP headers.
- Denial-of-service (DoS) attack—these attacks send scores of API requests to crash or slow down the server. DoS attacks can often come from multiple attackers simultaneously in what is called a distributed denial-of-service (DDoS) attack.
- Broken object level authorization (BOLA) attacks—occur when cybercriminals manipulate object identifiers at API endpoints to widen the attack surface and gain unauthorized access to user data. BOLA attacks are especially common, because implementing proper object-level authorization checks can be difficult and time-consuming.
In a dynamic digital economy, APIs are critical to business agility, but their open nature can pose significant data security risks. API security breaches led to massive data leaks, even for large, reputable corporations like John Deere, Experian and Peloton.2
And in such a global tech environment, security vulnerabilities threaten all major service providers, regardless of industry or geographical location. As one example, a 2022 API attack on Australian telecoms company, Optus, exposed the names, phone numbers, passport details and driver’s license information of nearly 10 million customers.3
These incidents underscore the importance of API protection and accelerated the development of comprehensive API security strategies and tools.
Implementing stringent API security protocols protects the data, apps and services that API endpoints show and protecting their availability for legitimate users at the same time. API security isn’t just about protecting endpoints, though. It also prioritizes the security of network interactions like data transmissions, user requests and inter-app communications across the API lifecycle.
Some of the most common API security solutions for shoring up IT infrastructures include:
Authentication is the process of verifying the identity of a user, system or process. In the context of APIs, it refers to the use of user authentication protocols—like OAuth 2.0, API keys and JWT specifications—to make sure that a requester is who they claim to be.
In contrast, authorization is the process of verifying what an authenticated user has access to. Once a user is authenticated, role-based access controls should limit user access strictly to the resources they need or request.
With encryption, plain text and other types of data are converted from a readable form to an encoded version that can only be decoded by an entity with a decryption key. Using encryption technologies like transport layer security (TLS), SSL connection and TLS encryption protocols, teams can ensure that API traffic won’t be intercepted or altered by bad actors or unauthorized users.
Input validation protocols protect APIs against malicious data, like SQL injection attacks and cross-site scripting, by making sure the inputs meet certain criteria (length, type, format, range, etc.) before they’re processed. Utilizing web application firewalls (WAFs) and XML or JSON schema validation can help security teams automate validation processes, preemptively analyzing incoming requests and blocking malicious traffic before it reaches the server.
Rate limiting secures API resources against brute force and DoS attacks by restricting the number of calls a user or IP address can make within a particular timeframe. Rate limits ensure that all API requests are processed promptly and that no user can swarm the system with harmful requests.
Like rate limiting, throttling restricts the number of API calls a system receives. However, instead of operating at the user/client level, throttling works at the server/network level. Throttling limits and quotas secure API backend system bandwidth by limiting the API to a certain number of calls, messages, or both, per second.
Security headers can be particularly effective for preventing clickjacking attacks. The “content-security-policy” header, for example, tells the browser which resources it can request from the server. The “x-content-type-option” header stops browsers from trying to MIME-sniff content types and the “strict-transport-security” header enforces secure (HTTP over SSL/TLS) connections to the server.
Installing API gateways is one of the easiest ways to restrict API access and add an additional layer of network security, especially in the case of open APIs. An API gateway acts as a single point of entry for all API requests a system receives, standardizing API interactions and offering security features like caching, analytics, API composition, rate limiting, encryption, logging and access control.
Keeping comprehensive, up-to-date audit logs—and reviewing them often—allows organizations to track data access and usage and record every API request. Given the complexity of API ecosystems, staying on top of API activity can be quite labor-intensive, but auditing and logging procedures can save time when teams need to retrace their steps following a data breach or compliance lapse.
Proactive error handling in API environments can prevent cybercriminals from revealing sensitive information about API processes. Ideally, any API error will return HTTP status codes that broadly indicate the nature of the error, providing sufficient context for teams to understand and address the problem without risking excessive data exposure.
As with any software application or system, vigilant real-time monitoring and maintenance are essential to maintaining API security. Keep a watchful eye for any unusual network activity and update APIs with the latest security patches, bug fixes and new features.
Organizations should also adopt timely security standards like the Open Web Application Security Project (OWASP)’s API security recommendations. The OWASP API Security Top 10 list, for instance, offers a framework for understanding and mitigating the most critical and common API security threats, like broken authentication, mass assignment and server-side request forgery.
Every new version of API software comes with security updates and bug fixes that shore up security gaps in earlier versions. But without proper versioning practices, users can accidentally (or intentionally) deploy an outdated version of the API and put sensitive data in harm’s way. Attentive versioning and documentation practices allow companies to accelerate API development and phase out older API versions without disrupting services, pushing users toward newer, more secure iterations.
For instance, if a team discovers a security flaw in v1 of an API, they can fix it in v2. And with versioning, security teams can encourage users to migrate from v1 to v2 at their own pace, while making it clear in the version documentation that v1 has a known security vulnerability.
Security testing requires developers to submit standard requests using an API client to assess the quality and correctness of system responses. Conducting regular security tests to identify and address security gaps helps teams fix API vulnerabilities before attackers have the chance to exploit them.
IBM API Connect is a full lifecycle API management solution that uses an intuitive experience to help consistently create, manage, secure, socialize and monetize APIs, helping power digital transformation on premises and across clouds.
IBM API Connect offers a range of capabilities to secure, control and mediate access to your APIs. Control access to APIs through authentication and authorization that use OAuth, OpenID Connect and third-party services. Deploy anywhere, from a DMZ to colocated with your cloud-native apps and microservices, protecting access at runtime, anywhere.
Increase API security across your enterprise with advanced AI-powered capabilities. IBM, a leader in API management and application gateways, is collaborating with API security leader Noname Security to deliver advanced API security capabilities. This joint solution helps you reach new levels of security confidence.
Maximize API value to drive digital business with a comprehensive API management solution.
These tutorials provide hands-on instructions that help developers learn how to use the technologies in their projects.
Come for answers. Stay for best practices. All we’re missing is you.
Footnotes
1 Research Brief: The Urgency of Addressing API Security in an Application Security Program (link resides outside ibm.com), Enterprise Strategy Group, October 16, 2023.
2 On the Radar: Wib secures APIs throughout their full lifecycles (link resides outside ibm.com), Omdia, September 1, 2023.
3 The next big API security breach looms: here’s how to prepare (link resides outside ibm.com), SC Magazine, October 19, 2023.