Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //
01:00 PM
Ryan Nolette
Ryan Nolette
Connect Directly
E-Mail vvv

5 Objectives for Establishing an API-First Security Strategy

With APIs predicted to be the most common attack vector by 2022, an API-first security strategy is critical now more than ever.

Application programming interfaces (APIs) are at the center of just about everything in the digital world. For consumers, APIs underpin everything from smartphone apps to electronic payments and more. For enterprises, APIs have enabled the shift from inefficient monolithic application architectures to more agile and modular microservices architectures that are fast becoming the standard for emerging technologies.

It's fair to say that almost every piece of software built today either uses an API or is an API. And our reliance on these crucial pieces of code to share information between applications and systems has only grown with the increased use of remote services and applications due to the pandemic.

Related Content:

Prioritizing Application & API Security After the COVID Cloud Rush

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

When thinking about how APIs enable remote work, look at communication tools like Slack that depend on APIs for many features and integrations. Even a task as simple as scheduling a videoconference with a colleague is made possible by API-driven services. As APIs continually become more convenient for those with less technical training, the knowledge barrier to entry will keep getting lower.

As APIs' popularity rises, so does their prevalence as an attack vector for cybercriminals because bad actors have always loved the most target-rich technologies. When each API request is another opportunity for hackers to exploit, API security is crucial.

Gartner forecasts that APIs will become the most common attack vector by next year. Yet despite higher awareness of the need for API security, breaches continue to happen.

Credit: NicoElNino via Adobe Stock
Credit: NicoElNino via Adobe Stock

Given this context, the time has come for organizations to adopt an API-first security strategy. Companies should be mindful of the enormous — and ever-increasing — amount of data they're transmitting through APIs and make more robust security a priority at each stage in the API development life cycle.

What does an API-first security strategy look like? Here are five observations:

1. High visibility is crucial. An API-first approach is all about acknowledging the API as a first-class citizen in an application's design. Given the increase in vital work that the API does in communicating between applications, APIs must have the same scrutiny of access controls that a superuser (e.g., an IT administrative specialist with unlimited privileges) would.

That means an emphasis on visibility and accountability. If you can't see it, you can't account for it, and thus more visibility controls are needed for API security. The good news is organizations don't need to reinvent the wheel to get started. Web application firewalls (WAFs), OWASP vulnerability scanning tools, and smart use of Transport Layer Security (TLS) and proper authentication can all provide a consistent set of controls and visibility.

2. REST APIs are a growing target. REST (REpresentational State Transfer) is the duct tape of technology — it defines how systems can be connected to (and interact with) each other by using HTTP requests to access and use data. REST API usage has become so widespread in enterprise application development that many companies have difficulties defining a clear picture of all their deployments. These visibility gaps make APIs harder to protect.

Organizations must improve at keeping an accurate, up-to-date inventory of their REST use cases and employ secure channels like TLS and authentication keys to reduce risk.

3. Encryption of all data is key. This is true not just when data is at rest, but also in transit. In this encryption scenario, the API would use TLS and authorization tokens to transmit data securely, and the data that the API is accessing should also be encrypted. Remember that this encryption strategy is defense in depth; there's a classic military saying about the crucial need for redundancy that summarizes this idea well: "Two is one and one is none."

4. Credential stuffing is still a huge problem and an evolving threat. Credential stuffing is the practice of using an automated injection of stolen credentials to gain unauthorized access. Companies have gotten better at securing their front-end applications and webpages to defend against credential stuffing. Still, hackers increasingly have been targeting back-end APIs that historically tended to have fewer implemented security controls.

Evidence of this can be seen in a recent Akamai report that showed that one in every five attempts to gain unauthorized access to user accounts is now done through APIs rather than user-facing login pages. Companies must account for this trend in their API-first security strategy and do a better job of protecting back-end APIs from these attacks.

5. Automated checks should be standard practice. I'm repeatedly frustrated by how rarely I see automated security checks as part of a CI/CD pipeline, if they are implemented at all. A mature application security team should work with the engineering squads to design and incorporate security into pipelines and allow an organization to scale security with its product offerings.

Rather than asking why this practice isn't common, let's ask why it isn't more straightforward and cheaper to implement security in the CI/CD pipeline. Why do some developer tools not include features to make security checks more manageable? Why is it so expensive to audit for API security issues on running services? What are the dev tool vendors doing to improve this experience for their users and help developers punch above their security weight class?

I hope and expect the API industry will step up and better address these questions and concerns in 2021 and beyond.

As these five points show, pursuing an API-first security strategy and baking API security into the software development life cycle requires prioritization and intent. But it's well worth the effort. A few minutes of proactive security testing can save hours or days of downtime and legal fees down the road.

Ryan is Postman's Technical Security Lead and co-author of AWS Detective. He has previously held a variety of roles, including threat research, incident response consulting, and every level of security operations. With over a decade in the infosec field, Ryan has been on the ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-05-25
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to ...
PUBLISHED: 2022-05-25
TP-Link TL-WR840N EU v6.20 was discovered to contain insecure protections for its UART console. This vulnerability allows attackers to connect to the UART port via a serial connection and execute commands as the root user without authentication.
PUBLISHED: 2022-05-25
User generated PPKG file for Bulk Enroll may have unencrypted sensitive information exposed.
PUBLISHED: 2022-05-25
VersionVault Express exposes sensitive information that an attacker can use to impersonate the server or eavesdrop on communications with the server.
PUBLISHED: 2022-05-25
Docker Desktop 4.3.0 has Incorrect Access Control.