This is an example of a supply chain risk. Would you even know which APIs are in use in your organisation and what information transfers are made?
[…] Taking time to catalog APIs and understand how many APIs are actually in the organization’s inventory, then, is step one in securing APIs. But once you know what must be defended, how can you best go about that defense?
The good news, according to Lane, is that many of the APIs in use by enterprises will share a common basis. “The majority of APIs are more of a common-class REST or a Web API,” he says. “Those have a lot of common characteristics — it’s pretty straightforward to understand how to secure them.”
Protect the REST
With APIs discovered and catalogued, and protection for the RESTful sort well-understood, how then should organizations proceed to protecting the remainder of the APIs in the architecture? Some make the case for starting with the basics.
Laurence Pitt, global security strategy director at Juniper Networks, says encryption is a good starting point.
“There are many different methods when considering how to lock down an API, but it does not have to be overcomplicated,” he explains. “In most cases, it would suffice to make sure that the API is using HTTPS for communication to ensure that the traffic cannot easily be sniffed from the network, and then to use some form of authentication to allow access.”
While it isn’t perfect, that method will keep hackers using Internet crawling tools from finding open APIs and tiffing the traffic, Pitt adds.
The next security step could involve following a security framework for protecting APIs. Fortunately, a couple of frameworks are available that multiple experts recommend as part of a drive toward best practices.
Mehta points to the Open Web Application Security Project (OWASP) and its API Security project as a resource, though he does offer one caveat: “I don’t think it’s in that mature a state right now; there is more work to be done,” he says. “It could be a good start, but it’s missing a lot of pieces right now.”
A release candidate for the OWASP API Security Top 10 was published at the end of September. In other words, the API Security project is quite literally a work in progress. Even so, it presents 10 areas for security teams to be concerned about when it comes to APIs. Those areas range from broken object-level authorization and excessive data exposure to insufficient logging and monitoring.