Five Best Practices for API Security in 2023

 

What is API Security?

APIs play a critical role in modern software development by facilitating the exchange of sensitive data between users, applications and IoT devices. But without a hardened system, they are an easy target for hackers—which can lead to compromised networks and data breaches.

 

API security is responsible for maintaining the confidentiality, availability and integrity of the resources provided by the APIs. API requests should have proper access controls and privacy in place, as well as the detection and remediation of vulnerabilities like those in the OWASP API Security Top 10.

 

 

Recent API-Related Data Breaches

T-Mobile started the year 2023 off with a major data breach, which led to the exposure of 37 million customer accounts through one of its APIs. The attacker started stealing data around November 25, 2022, but the mobile carrier did not detect the malicious activity until around January 5, 2023. It was not until then that access to the API was cut off. This was T-Mobile’s eighth data breach since 2018.

 

Another example of a devastating API breach was the 2019 Capital One data breach. A hacker exploited a vulnerability in Capital One's AWS cloud infrastructure, leading to the exposure of over 100 million customers’ sensitive information. The breach cost Capital One an estimated $150 million in legal fees, customer notifications and other expenses.

 

 

Implementing API Security Throughout the SDLC

To address this growing threat, it is crucial that organizations implement API security measures throughout the software development life cycle (SDLC). This includes conducting secure coding practices, regularly testing for vulnerabilities, and implementing secure authentication and authorization mechanisms.

 

 

Keep an Inventory of APIs

Your business cannot be secure if you do not know what needs to be secured. Most organizations are unaware of all the APIs being used in their applications. As APIs are modified and more are being added to that list of active applications, it is important to produce an inventory process to properly secure your APIs.

 

 

Implement Authentication and Authorization

The next step in ensuring API security involves proper authentication and authorization, which entails confirming the identity of API users and limiting their access to resources. A recommendation is to use OAuth 2.0 for single sign-on with OpenID Connect built on top. When determining access control rules, organizations should adhere to the principle of least privilege.

 

 

Conduct Regular Security Testing

APIs must undergo regular security testing to find and fix vulnerabilities before hackers can get to them. Developers often test for use cases that the API was intended for, but edge cases are not looked at as often. As a result, security vulnerabilities may be present. To limit the exposure to hackers, testing should extend beyond just the use cases. This often includes secure code reviews, vulnerability scanning and penetration testing.

 

 

Monitor API Usage

Monitoring API usage can help organizations detect suspicious activity, such as unauthorized access to sensitive data or excessive usage that could indicate an attempted breach. Real-time threat detection typically involves an API gateway or a WAF, which can be used to apply a set of rules. Rules can include applying rate limits and signature-based threat detection.

 

 

Use Encryption

Encrypting sensitive data transmitted through APIs can protect it from being intercepted or compromised in transit. APIs should use HTTPS, and HTTP Strict Transport Security should be implemented. Another thing to be aware of is the use of strong cipher suites. If a small number of well-known legacy clients need to connect to the server, such as automated applications which do not support modern cipher suites, consider adding an intermediate server that exposes legacy cipher suites to these clients. Access to this endpoint can be controlled with strict firewall rules. By doing so, an attacker cannot downgrade browser connections from most clients, protecting most users’ information and limiting the use of weak ciphers.

 

 

Secure Your APIs

Given the critical role APIs play in digital transformation, it is important to have a dedicated approach to security and compliance. With the current state of the economy, companies must take these kinds of threats seriously. Consider speaking to a service provider such as Optiv to look at what your API security needs would look like.

Chris Wan
Security Consultant II | Optiv
Chris Wan has four years of experience in the information security industry primarily in offensive security roles, along with three years in consulting for enterprise environments. His experience ranges from small businesses to Fortune 500 corporations in a multitude of industries including retail, energy, finance, and health services.
Principal Consultant
Bill Heck is a principal consultant in Optiv’s application security team. Bill specializes in web and mobile application assessments, architecture reviews, and threat models. Bill also plays a lead role in mentoring other appsec team members.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.