Five Best Practices for API Security in 2023
APIs play a critical role in modern software development by facilitating the exchange of sensitive data between users, applications and IoT devices. But without hardening, they are an easy target for attackers, and a compromised API can lead to compromised networks and data breaches.
API security covers maintaining the confidentiality, integrity and availability of the resources an API exposes. That means proper access controls and data privacy on API requests, as well as detecting and remediating vulnerabilities such as those in the OWASP API Security Top 10.
T-Mobile started the year 2023 off with a major data breach, which led to the exposure of 37 million customer accounts through one of its APIs. The attacker started stealing data around November 25, 2022, but the mobile carrier did not detect the malicious activity until around January 5, 2023. It was not until then that access to the API was cut off. This was T-Mobile’s eighth data breach since 2018.
Another example of a devastating API breach was the 2019 Capital One data breach. A hacker exploited a vulnerability in Capital One's AWS cloud infrastructure, leading to the exposure of over 100 million customers’ sensitive information. The breach cost Capital One an estimated $150 million in legal fees, customer notifications and other expenses.
To address this growing threat, organizations must build API security into every phase of the software development life cycle (SDLC): following secure coding practices, testing regularly for vulnerabilities, and implementing secure authentication and authorization mechanisms.
Your business cannot be secure if you do not know what needs to be secured. Most organizations are unaware of all the APIs in use across their applications. Because existing APIs change and new ones are continually added, it is important to establish an inventory process so that every active API is known and can be properly secured.
The next step in ensuring API security involves proper authentication and authorization, which entails confirming the identity of API users and limiting their access to resources. A recommendation is to use OAuth 2.0 for single sign-on with OpenID Connect built on top. When determining access control rules, organizations should adhere to the principle of least privilege.
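The authorization step described above, as an added example that is not Optiv's code: a deny-by-default route table mapping each API route to the scope it requires, plus an object-level ownership check so that a caller with a read scope still cannot read another customer's record. The route table, scope names and token layout are constructed for illustration, and the code assumes the access token was already verified (signature, issuer, audience) by an OAuth 2.0 / OpenID Connect token verifier.

```python
"""Least-privilege authorization for API requests.

Added example, not Optiv's code. The route table, scope names and token
layout are constructed for illustration. It assumes the access token has
already been verified (signature, issuer, audience) by an OAuth 2.0 / OIDC
token verifier; this code only decides whether a verified caller may act.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Deny-by-default route table: a route with no entry here is never served.
ROUTE_SCOPES: Dict[Tuple[str, str], str] = {
    ("GET", "/v1/customers/{id}"): "customers:read",
    ("PUT", "/v1/customers/{id}"): "customers:write",
    ("DELETE", "/v1/customers/{id}"): "customers:admin",
    ("GET", "/v1/invoices"): "invoices:read",
}

# Scopes allowed to touch records owned by other subjects (constructed names).
ADMIN_SCOPES: Set[str] = {"customers:admin"}


@dataclass(frozen=True)
class AccessToken:
    subject: str       # 'sub' claim: the authenticated caller
    scopes: Set[str]   # scopes granted at issuance
    expires_at: int    # 'exp' claim, Unix seconds


class AuthorizationError(Exception):
    """The request must be rejected; the message is for server-side logs only."""


def authorize(token: AccessToken, method: str, route: str,
              resource_owner: Optional[str], now: int) -> str:
    """Return the scope that granted access, or raise AuthorizationError.

    Checks, in order: token still valid; route has a declared policy (unknown
    routes are denied, not allowed); caller holds the required scope; and, for
    a record with an owner, the caller owns it or holds an admin scope
    (object-level authorization, OWASP API Top 10 item API1).
    """
    if token.expires_at <= now:
        raise AuthorizationError("token expired")
    required = ROUTE_SCOPES.get((method.upper(), route))
    if required is None:
        raise AuthorizationError(f"no policy for {method} {route}: denied by default")
    if required not in token.scopes:
        raise AuthorizationError(f"missing scope {required}")
    if resource_owner is not None and resource_owner != token.subject:
        if not token.scopes & ADMIN_SCOPES:
            raise AuthorizationError("caller does not own the requested record")
    return required


def is_allowed(token: AccessToken, method: str, route: str,
               resource_owner: Optional[str], now: int) -> bool:
    """Boolean wrapper for callers that only need allow/deny."""
    try:
        authorize(token, method, route, resource_owner, now)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    now = 1_700_000_000
    alice = AccessToken("alice", {"customers:read", "invoices:read"}, now + 3600)
    print(is_allowed(alice, "GET", "/v1/customers/{id}", "alice", now))  # True
    print(is_allowed(alice, "GET", "/v1/customers/{id}", "bob", now))    # False: not her record
```

The important design choice is that an unknown route is rejected rather than allowed: a new endpoint cannot go live without someone declaring the scope it needs, which is what least privilege looks like in practice.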
APIs must undergo regular security testing to find and fix vulnerabilities before attackers can reach them. Developers usually test the use cases the API was designed for, while edge cases receive far less attention, and that is where security vulnerabilities tend to hide. To limit exposure, testing should extend beyond the intended use cases and typically includes secure code reviews, vulnerability scanning and penetration testing.
Monitoring API usage helps organizations detect suspicious activity, such as unauthorized access to sensitive data or excessive usage that could indicate an attempted breach. Real-time threat detection is typically done at an API gateway or a WAF, where a set of rules can be applied, including rate limits and signature-based threat detection.
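The inventory and monitoring practices above both start from the same raw material, the gateway access log, so here is one added example (not Optiv's code) that serves both: it parses log lines, collapses numeric path segments into route templates to build an endpoint inventory, reports endpoints seen in traffic but missing from the documented list, and runs two detections over the same records: a sliding-window rate check per client and endpoint, and an enumeration check for a client walking through many distinct object ids. The log format, the sample lines and the documented inventory are constructed for illustration; adapt parse_line() to the real gateway format.

```python
"""API inventory and abuse detection from gateway access logs.

Added example, not Optiv's code. The log format, the sample lines and the
documented inventory are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Constructed sample, one request per line:
# "<ISO-8601 timestamp> <client ip> <method> <path> <status>"
SAMPLE_LOG = """\
2023-02-01T10:00:00Z 198.51.100.7 GET /v1/customers/1001 200
2023-02-01T10:00:01Z 198.51.100.7 GET /v1/customers/1002 200
2023-02-01T10:00:02Z 198.51.100.7 GET /v1/customers/1003 200
2023-02-01T10:00:03Z 198.51.100.7 GET /v1/customers/1004 200
2023-02-01T10:00:04Z 198.51.100.7 GET /v1/customers/1005 200
2023-02-01T10:00:05Z 198.51.100.7 GET /v1/customers/1006 200
2023-02-01T10:00:30Z 203.0.113.9 GET /v1/invoices 200
2023-02-01T10:00:31Z 203.0.113.9 POST /v1/invoices 201
2023-02-01T10:00:40Z 203.0.113.9 GET /internal/debug/users 200
2023-02-01T10:05:00Z 192.0.2.44 GET /v1/customers/2001 200
"""

# Constructed "documented" inventory, e.g. what the OpenAPI spec lists.
DOCUMENTED_INVENTORY: List[Tuple[str, str]] = [
    ("GET", "/v1/customers/{id}"),
    ("GET", "/v1/invoices"),
    ("POST", "/v1/invoices"),
]

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
NUMERIC_SEGMENT = re.compile(r"^\d+$")


@dataclass(frozen=True)
class Request:
    ts: datetime
    client: str
    method: str
    path: str
    status: int

    @property
    def template(self) -> str:
        """Collapse numeric segments: /v1/customers/1001 -> /v1/customers/{id}."""
        return "/".join("{id}" if NUMERIC_SEGMENT.match(p) else p
                        for p in self.path.split("/"))


def parse_line(line: str) -> Request:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, client, method, path, status = m.groups()
    return Request(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                   client, method, path, int(status))


def parse_log(text: str) -> List[Request]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def discover_endpoints(requests: Iterable[Request]) -> Set[Tuple[str, str]]:
    """Every (method, route template) actually observed in traffic."""
    return {(r.method, r.template) for r in requests}


def undocumented_endpoints(requests: Iterable[Request],
                           inventory: Iterable[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """Endpoints serving traffic that the documented inventory does not know about."""
    return discover_endpoints(requests) - set(inventory)


def detect_rate_abuse(requests: Iterable[Request], limit: int,
                      window_seconds: int) -> List[Tuple[str, str]]:
    """(client, endpoint) pairs that exceeded `limit` requests in any sliding window."""
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    flagged: Set[Tuple[str, str]] = set()
    for r in sorted(requests, key=lambda req: req.ts):
        key = (r.client, r.template)
        window = windows[key]
        window.append(r.ts)
        while (r.ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop timestamps that fell out of the window
        if len(window) > limit:
            flagged.add(key)
    return sorted(flagged)


def detect_enumeration(requests: Iterable[Request],
                       distinct_ids: int) -> List[Tuple[str, str]]:
    """Clients that touched at least `distinct_ids` different objects on one templated route."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for r in requests:
        if r.template != r.path:  # only routes that carry an object id
            seen[(r.client, r.template)].add(r.path)
    return sorted(key for key, ids in seen.items() if len(ids) >= distinct_ids)


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    print("observed endpoints:", sorted(discover_endpoints(reqs)))
    print("undocumented:", undocumented_endpoints(reqs, DOCUMENTED_INVENTORY))
    print("rate abuse:", detect_rate_abuse(reqs, limit=5, window_seconds=10))
    print("enumeration:", detect_enumeration(reqs, distinct_ids=5))
```

Run against the constructed sample, the inventory pass surfaces an `/internal/debug/users` route that no specification lists, and both detections flag the client that requested six consecutive customer records in five seconds, which is the kind of low-and-slow record scraping that rate limits alone may not catch if the limit is set generously.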
Encrypting sensitive data transmitted through APIs protects it from being intercepted or compromised in transit. APIs should be served over HTTPS with HTTP Strict Transport Security (HSTS) enabled, and servers should be configured to accept only strong cipher suites. If a small number of well-known legacy clients, such as automated applications that do not support modern cipher suites, still need to connect, consider adding a separate intermediate server that exposes the legacy cipher suites only to those clients, with access to that endpoint restricted by strict firewall rules. This way an attacker cannot downgrade connections from the main endpoint's clients, most users' information stays protected, and the use of weak ciphers is confined to a tightly controlled path.
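Two concrete checks for the transport guidance above, as an added example that is not Optiv's code: building a server TLS context that refuses anything below TLS 1.2 and accepts only forward-secret AEAD cipher suites, with a function that scans the enabled suites for legacy names, and a validator for the Strict-Transport-Security header that an API response should carry. The one-year max-age floor and the list of weak-cipher name markers are assumptions taken from common hardening guidance.

```python
"""Transport-security checks for an API endpoint.

Added example, not Optiv's code. Builds a server-side TLS context limited to
TLS 1.2+ with forward-secret AEAD cipher suites and validates an HTTP
Strict-Transport-Security header. The one-year max-age floor and the
weak-cipher markers are assumptions drawn from common hardening guidance.
"""
import ssl
from typing import Dict, List, Optional

MIN_HSTS_MAX_AGE = 31_536_000  # one year, in seconds (assumed policy floor)
# Substrings whose presence in an OpenSSL cipher name marks it as legacy/weak.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def hardened_server_context() -> ssl.SSLContext:
    """TLS context for the main API endpoint: no legacy protocol versions or suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Ephemeral ECDH key exchange with AEAD ciphers only. TLS 1.3 suites are
    # controlled separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!PSK")
    return ctx


def minimum_protocol_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled cipher suites that match a weak-cipher marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"].upper() for marker in WEAK_CIPHER_MARKERS)]


def parse_hsts(header: Optional[str]) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value; directive names are case-insensitive."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    if not header:
        return result
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if value.isdigit():
                result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_is_acceptable(header: Optional[str]) -> bool:
    """True if HSTS is present, at least a year long and covers subdomains."""
    parsed = parse_hsts(header)
    max_age = parsed["max_age"]
    return (isinstance(max_age, int) and max_age >= MIN_HSTS_MAX_AGE
            and bool(parsed["include_subdomains"]))


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("minimum protocol:", minimum_protocol_name(ctx))
    print("weak suites enabled:", weak_ciphers(ctx))
    print(hsts_is_acceptable("max-age=63072000; includeSubDomains; preload"))
    print(hsts_is_acceptable("max-age=300"))
```

The same `weak_ciphers()` scan is what you would run against the context of the intermediate legacy server to confirm that the weak suites are enabled only there and nowhere else.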
Given the critical role APIs play in digital transformation, it is important to have a dedicated approach to security and compliance. With the current state of the economy, companies must take these kinds of threats seriously. Consider speaking to a service provider such as Optiv to look at what your API security needs would look like.
Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.