
10 Features an API Security Service Needs to Offer

Securing APIs is specialized work. Here's what organizations should look for when selecting an outside partner.

Joshua Goldfarb, Global Solutions Architect — Security

July 10, 2023


Application programming interfaces (APIs) are a powerful technology that allows businesses to innovate faster and keep up with the demanding pace of the market. But they also come with their own set of challenges. Not only do APIs expand the attack surface, they also expose new entry points to disrupt services and gain access to data, including personally identifiable information (PII).

In most API-related incidents, breaches occur via relatively simple technical means. Most often, the root cause of these breaches is one or more poorly secured API endpoints. The news is not all bad, however. Businesses can take straightforward steps to greatly improve their API security.

Given the complexity of properly securing APIs, many businesses opt to work with a trusted partner. This approach certainly has its advantages, though it is important for buyers to understand how to evaluate and differentiate myriad API security offerings. To help with this, I'd like to share 10 must-have features that all API security providers should offer.

1. API Visibility and Discovery

Before an API can be secured, it must be known. For a variety of reasons, API endpoints are often created without the IT or security team's knowledge. When this happens, those APIs are not part of asset management, and they are also not properly subjected to security and compliance policies and controls. Thus, API visibility and discovery is the first step in API security, and it is a must-have for any API security provider.

2. Schema Validation

Ensuring proper API behavior based on valid input and output is an important part of an overall API security approach. Attempting to breach APIs or cause improper output from APIs through the use of invalid or improper input is a popular technique used by attackers. Requiring that all API requests and responses comply with the API's declared schema and specification is an important step in protecting those APIs from attacks and breaches. This is definitely another area where an API security solution can help.
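To make the schema-validation point concrete, here is an added example (not code from the article or from any vendor product): a small stdlib-only validator that fails closed on malformed JSON, rejects fields the contract does not declare, and enforces types and size bounds. The endpoint, field names and limits are assumptions chosen for illustration.

```python
"""Minimal request schema validation for a JSON API (added example).

Rejects requests that do not match the declared contract: malformed bodies,
unexpected fields, wrong types, and out-of-range sizes. The contract below is
a hypothetical one for a POST /v1/transfers endpoint.
"""
import json
from typing import Any

# Hypothetical contract: only these fields are permitted, each with an expected
# type and bounds. Anything else in the payload is a violation.
TRANSFER_SCHEMA = {
    "account_id": {"type": str, "min_len": 1, "max_len": 32},
    "amount_cents": {"type": int, "min": 1, "max": 10_000_000},
    "memo": {"type": str, "min_len": 0, "max_len": 140, "optional": True},
}


def validate(payload: dict[str, Any], schema: dict[str, dict]) -> list[str]:
    """Return a list of violations; an empty list means the payload conforms."""
    errors: list[str] = []
    # Reject any field the schema does not declare. Undeclared input is how
    # mass-assignment style mistakes (e.g. a client-supplied privilege flag)
    # reach application code unnoticed.
    for key in payload:
        if key not in schema:
            errors.append(f"unexpected field: {key}")
    for key, rule in schema.items():
        if key not in payload:
            if not rule.get("optional"):
                errors.append(f"missing field: {key}")
            continue
        value = payload[key]
        # bool is a subclass of int in Python, so an int field must reject it explicitly.
        wrong_type = not isinstance(value, rule["type"]) or (
            rule["type"] is int and isinstance(value, bool)
        )
        if wrong_type:
            errors.append(f"wrong type for {key}: {type(value).__name__}")
            continue
        if isinstance(value, str):
            if not rule["min_len"] <= len(value) <= rule["max_len"]:
                errors.append(f"length out of range for {key}")
        elif isinstance(value, int):
            if not rule["min"] <= value <= rule["max"]:
                errors.append(f"value out of range for {key}")
    return errors


def validate_raw(body: bytes, schema: dict[str, dict] = TRANSFER_SCHEMA) -> list[str]:
    """Parse the raw body and validate it; malformed JSON or non-object bodies fail closed."""
    try:
        payload = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    return validate(payload, schema)


if __name__ == "__main__":
    # Constructed sample requests.
    good = b'{"account_id": "acct-42", "amount_cents": 1500}'
    bad = b'{"account_id": "acct-42", "amount_cents": "1500", "is_admin": true}'
    print(validate_raw(good))  # []
    print(validate_raw(bad))   # unexpected field and wrong type
```

The same shape applies to responses: validating what the API returns against its contract catches an endpoint that has started emitting fields it never should (see the sensitive-data point below).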

3. Policy Enforcement

Properly defined, intelligent security policies are great, but without strict enforcement, they are ineffective. Enforcing API security policies — rate limiting, IP reputation, allow/deny list, etc. — is a must for any API security provider.
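As an added illustration of what enforcement looks like in code (this is not the article's or any product's code), the following gateway-side policy layer checks the client's source address against a deny list and then applies a per-API-key token-bucket rate limit. The addresses, keys and limits are constructed for the example.

```python
"""Policy enforcement in front of an API: deny list plus per-key rate limit (added example).

Order matters: the cheap deny-list check runs first so that deny-listed
sources never consume rate-limit state or reach the backend.
"""
import ipaddress
from dataclasses import dataclass

# Constructed deny list. In a real deployment this would be fed by IP
# reputation data and refreshed continuously.
DENY_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


@dataclass
class TokenBucket:
    capacity: int           # burst size
    refill_per_sec: float   # sustained request rate
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self) -> None:
        # A fresh bucket starts full so a new client can burst up to capacity.
        self.tokens = float(self.capacity)

    def allow(self, now: float) -> bool:
        """Consume one token if available, refilling according to elapsed time."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PolicyEnforcer:
    def __init__(self, capacity: int = 5, refill_per_sec: float = 1.0) -> None:
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets: dict[str, TokenBucket] = {}

    def decide(self, src_ip: str, api_key: str, now: float) -> tuple[bool, str]:
        """Return (allowed, reason). Deny list is evaluated before rate limiting."""
        addr = ipaddress.ip_address(src_ip)
        if any(addr in net for net in DENY_NETWORKS):
            return False, "deny-listed source"
        bucket = self.buckets.setdefault(api_key, TokenBucket(self.capacity, self.refill))
        if not bucket.allow(now):
            return False, "rate limit exceeded"
        return True, "ok"


def simulate_burst(n: int, capacity: int = 5) -> int:
    """Fire n requests from one key at the same instant; return how many were allowed."""
    enforcer = PolicyEnforcer(capacity=capacity, refill_per_sec=1.0)
    return sum(enforcer.decide("192.0.2.10", "key-A", now=100.0)[0] for _ in range(n))


if __name__ == "__main__":
    print(simulate_burst(8))  # 5: the burst is capped at the bucket capacity
```

Keying the bucket on the API key rather than the source address is a deliberate choice: it makes the limit follow the identity that the API actually authorizes, so a single tenant cannot exhaust capacity by spreading requests across addresses.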

4. Safeguarding of Sensitive Data

One of the main vulnerabilities of poorly secured APIs is the leaking of sensitive data, such as PII. As such, using APIs to pilfer this data is another path for attackers. Safeguarding this sensitive data involves ensuring the APIs are properly coded and secured, as well as verifying that sensitive data is not inadvertently or improperly being transmitted or leaked from the API. Safeguarding sensitive data should be a part of any API security solution.
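The "verifying that sensitive data is not inadvertently being transmitted" part can be implemented as an outbound filter. The following is an added example, not code from the article or any product: it walks a JSON API response, redacts values that look like PII (email addresses, US SSN-style identifiers, and payment card numbers that pass the Luhn check) and records what it found so the owning team can fix the endpoint. The field names and sample values are constructed.

```python
"""Outbound response scanning for sensitive-data leakage (added example).

Pattern matching alone produces false positives on long digit runs, so card
candidates are confirmed with the Luhn checksum before being treated as PII.
"""
import json
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_text(text: str) -> tuple[str, list[str]]:
    """Redact PII-looking substrings in one string; return (clean_text, kinds_found)."""
    found: list[str] = []

    def card_sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append("card")
            return "[REDACTED-CARD]"
        return m.group(0)  # not a valid card number, leave it alone

    text = CARD_RE.sub(card_sub, text)
    if SSN_RE.search(text):
        found.append("ssn")
        text = SSN_RE.sub("[REDACTED-SSN]", text)
    if EMAIL_RE.search(text):
        found.append("email")
        text = EMAIL_RE.sub("[REDACTED-EMAIL]", text)
    return text, found


def scan_response(body: bytes) -> tuple[bytes, dict[str, int]]:
    """Recursively redact string values in a JSON response; return (new_body, counts)."""
    counts: dict[str, int] = {}

    def walk(node):
        if isinstance(node, str):
            clean, kinds = redact_text(node)
            for k in kinds:
                counts[k] = counts.get(k, 0) + 1
            return clean
        if isinstance(node, list):
            return [walk(x) for x in node]
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        return node

    cleaned = walk(json.loads(body))
    return json.dumps(cleaned).encode(), counts


# Constructed sample response: a profile endpoint that leaks far more than it should.
SAMPLE_RESPONSE = json.dumps({
    "user": {
        "name": "Ada",
        "email": "ada@example.com",
        "notes": "ssn 123-45-6789, card 4111 1111 1111 1111, order 1234567890123",
    }
}).encode()

if __name__ == "__main__":
    out, counts = scan_response(SAMPLE_RESPONSE)
    print(counts)          # {'card': 1, 'ssn': 1, 'email': 1}
    print(out.decode())    # order number 1234567890123 survives (fails Luhn)
```

The counts, not the redaction, are the valuable output: a redaction filter is a safety net, and a rising count for one endpoint is the signal that the API itself needs to stop returning the data.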

5. Abuse and DoS Protection

When people think of protection against abuse or denial-of-service (DoS) attacks, they often think about Layers 3 and 4 of the OSI model. Unfortunately, the application layer (Layer 7) where APIs live is sometimes forgotten. Attackers are tuned into this and are always ready to pounce, making Layer 7 protection against abuse and DoS a must.

6. Attack Protection

Attackers are constantly on the lookout for ways to compromise and exploit APIs. A mature API security solution will include signature-based, anomaly-based, and artificial intelligence/machine learning (AI/ML)-based protection against a wide variety of attacks.

7. Access Control

Believe it or not, even in 2023, improper access control, including authentication and authorization, remains one of the main issues plaguing APIs. Whether due to oversights, human errors, haste, or any other reason, improperly controlled access to APIs can have devastating consequences. A good API security solution will provide authentication discovery services (allowing authentication gaps to be discovered), authentication enforcement, and API access control.

8. Malicious User Detection

One useful application of AI/ML is to study, analyze, and draw conclusions about the behavior of clients interacting with APIs. Detecting and stopping users who appear to be malicious can help protect APIs from attack, compromise, and breach as part of an overall API security solution.

9. Configuration and Management

Improper configuration and management of APIs is responsible for far more breaches than it should be. The best API security solutions allow businesses to easily deploy and enforce the right security model. This, in turn, helps ensure that APIs are not misconfigured or mismanaged.

10. Behavioral Analysis

One application of AI/ML that is very relevant to API security is behavioral analysis. The analysis pores over the various logs collected from endpoints and APIs of an application. Samples of request and response data for each API are studied and analyzed. This maps out the behavior of these paths and provides the opportunity to generate and analyze key metrics, such as request size and response size, latency with and without data, request rate and error rate, and response throughput. This is an iterative process that continues over time and is continuously updated. Behavioral analysis should absolutely be part of any API security offering.
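The metrics named above, and the malicious-user detection in point 8, rest on the same foundation: a per-endpoint baseline of normal request size, response size, latency and error rate, against which each client's behavior is compared. The following is an added example, not from the article or any product, using constructed access-log lines and simple medians rather than a trained model; the log format and thresholds are assumptions.

```python
"""Behavioral baselining of API traffic from access logs (added example).

Builds per-endpoint baselines and flags clients whose behavior deviates from
them, e.g. a client pulling far larger responses than normal for the route
or generating an unusually high error rate.
"""
from collections import defaultdict
from statistics import median

# Constructed log lines: ts client endpoint status req_bytes resp_bytes latency_ms
SAMPLE_LOG = """\
1000 10.0.0.5 GET:/v1/users/{id} 200 120 850 42
1001 10.0.0.5 GET:/v1/users/{id} 200 118 870 39
1002 10.0.0.6 GET:/v1/users/{id} 200 121 830 45
1003 10.0.0.6 GET:/v1/users/{id} 404 119 95 21
1004 10.0.0.7 GET:/v1/users/{id} 200 122 860 41
1005 10.0.0.9 GET:/v1/users/{id} 200 125 24000 310
1006 10.0.0.9 GET:/v1/users/{id} 200 126 23800 305
1007 10.0.0.9 GET:/v1/users/{id} 403 124 80 18
1008 10.0.0.9 GET:/v1/users/{id} 403 124 80 19
1009 10.0.0.9 GET:/v1/users/{id} 403 124 80 17
"""


def parse_log(text: str) -> list[dict]:
    """Parse whitespace-separated log lines into records."""
    rows = []
    for line in text.splitlines():
        ts, client, endpoint, status, req, resp, lat = line.split()
        rows.append({"ts": int(ts), "client": client, "endpoint": endpoint,
                     "status": int(status), "req": int(req),
                     "resp": int(resp), "lat": int(lat)})
    return rows


def baseline(rows: list[dict]) -> dict[str, dict]:
    """Per-endpoint medians (robust to a few outliers) and overall error rate."""
    by_ep: dict[str, list[dict]] = defaultdict(list)
    for r in rows:
        by_ep[r["endpoint"]].append(r)
    out = {}
    for ep, rs in by_ep.items():
        out[ep] = {
            "req": median(r["req"] for r in rs),
            "resp": median(r["resp"] for r in rs),
            "lat": median(r["lat"] for r in rs),
            "error_rate": sum(r["status"] >= 400 for r in rs) / len(rs),
            "count": len(rs),
        }
    return out


def profile_clients(rows: list[dict], base: dict[str, dict],
                    resp_factor: float = 5.0, max_error_rate: float = 0.5) -> dict[str, list[str]]:
    """Compare each client's traffic with the endpoint baseline; return reasons per flagged client."""
    by_client: dict[str, list[dict]] = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    flags: dict[str, list[str]] = {}
    for client, rs in by_client.items():
        reasons = []
        # Response far larger than the route normally returns: possible
        # over-fetching or an authorization gap being walked.
        for r in rs:
            if r["resp"] > resp_factor * base[r["endpoint"]]["resp"]:
                reasons.append("oversized response on " + r["endpoint"])
                break
        # Sustained 4xx responses from one client: probing or credential misuse.
        err = sum(r["status"] >= 400 for r in rs) / len(rs)
        if err > max_error_rate:
            reasons.append(f"error rate {err:.2f}")
        if reasons:
            flags[client] = reasons
    return flags


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    base = baseline(rows)
    print(base)
    print(profile_clients(rows, base))  # only 10.0.0.9 is flagged
```

Medians rather than means are used for the baseline so that the anomalous client does not drag the "normal" values toward itself; in production the baseline would be recomputed per window, which is the iterative updating the text describes.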

While APIs can open many doors for businesses, they can also introduce quite a bit of vulnerability and risk. By understanding the essential elements of an API security solution, buyers can ensure that they acquire a solution that meets their business needs, reduces risk, and improves their overall security posture.

About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

