Tech Insights / API security

API security: Safeguarding sensitive data and API integrations

APIs communicate information within applications and from one application to another. Originally, they existed mostly in the background, hidden from end users and bad actors. However, as microservices, containers, and cloud-based services have become commonplace, the number of exposed APIs—and attacks against them—has exploded. As a result, API security has become a critical component of application security.

What is API security?

Application programming interfaces (APIs) are critical to modern applications, controlling interactions with internal and third-party applications and services as well as connections with Internet of Things (IOT) or edge devices. The first step when modernizing a legacy application is often to add APIs.

You can’t manage and secure modern applications without understanding what API security is and why API security is important. Along with DevSecOps and observability, API security should be part of any comprehensive security plan. Because of the breadth of their use, APIs potentially expose a lot of data, including personally identifiable information (PII) that is proprietary or sensitive. API security is the set of strategies and methods necessary to protect APIs from increasing security risks, malicious attacks, and data breaches.

What is REST API security?

REST API or RESTful API is short for REpresentational State Transfer. REST APIs are simple to use and are so widely employed that API and REST API are almost synonymous. REST APIs transfer data securely between servers using encrypted internet protocols, either HTTP/HTTPS and/or JSON with JSON Web Encryption (JWE). Although REST APIs don’t have built-in API security, REST API security should be integrated into a well-designed API.

The OpenAPI initiative (formerly known as Swagger) defines specifications for how REST APIs should be described, produced, and consumed. OpenAPI 3.0 includes the following security schemes: HTTP authentication, API keys, Oauth2, and OpenID Connect Discovery.

In addition to REST APIs, there are several other types of APIs you should know about:

  • AsyncAPI is an open source initiative providing a specification that documents the asynchronous APIs necessary for applications using an event-driven architecture (EDA). Tooling for developers is also provided.
  • gRPC is a protocol that enables the creation of remote procedure call (RPC) APIs; RPC APIs are the main alternative to REST APIs.
  • GraphQL is an emerging, open source security protocol. Our State of Spring 2021 survey found that 20% of respondents were already using GraphQL, a data query language for APIs. GraphQL is quickly becoming a new standard in API security that allows developers more flexibility and control but requires attention to compatibility with existing infrastructure.
  • Simple object access protocol (SOAP) APIs are often used in legacy service-oriented architecture (SOA) applications. Because these systems still exist in established enterprises, it’s often necessary to provide a gateway between REST and SOAP. SOAP APIs have built-in security processes, but they can be more complex to manage than REST APIs. They’re frequently utilized in regulated industries such as healthcare and financial services.

Integrating security into API management

Good API security relies on good API management. In our annual survey of Spring users, 2 out of 3 are using API management and observability as a part of their Spring development environments.

Modern apps can have thousands of components that communicate via APIs. Built-in API security treats APIs as the new endpoint. Legacy apps with bolted-on security may not adequately protect APIs.

The challenge for security operators and developers is to provide complete API lifecycle management, building and scaling production-ready app platforms that are secure from design to implementation. If you’re using Kubernetes, it’s important to incorporate security best practices to achieve platform security.

A quality API management platform enables a DevSecOps model of continuous delivery, one that allows teams to automate, streamline, and close the loop of the entire software supply chain.

There are several important building blocks of an API security plan:

  • Authentication and authorization provided by industry-standard security protocols such as SAML, OAuth, and OpenID Connect (OIDC), using a single sign-on (SSO) solution for verification of application users.
  • Client certificates are another form of authentication in which the certificate (from a trusted source) takes the place of username and password. This developer guide explains many of the details of using certificates in a Kubernetes environment in plain english. This guide includes code examples for mutual TLS (mTLS).
  • An API key is a small string that identifies and authorizes an application but not the user of the application. Often used for backend schemes, an API key without additional restrictions is not very secure.
  • An API token provides more security by requiring stricter user authentication and authorization. It validates that someone is who they say they are and ensures they only have access to the resources they’re entitled to.

In the ephemeral world of modern applications, risks arise from not being able to see all the API interactions of an application and how they change over time. There is risk from sensitive data that the APIs handle, and the risk from compliance exposure, data exfiltration, or data sovereignty breaches.

In addition to the mechanisms listed above, an API security plan should include runtime identification of API threats with alerting, including the following:

  • API threat detection and response
  • PII/data leak prevention
  • API segmentation and parameter validation

These capabilities can be most easily incorporated by implementing a service mesh.

What to keep in mind when considering API security

APIs have become an essential and core component of modern applications. APIs have evolved from being a simple way to integrate with other applications or servers, to extending application capabilities by leveraging third-party services, to provisioning infrastructure-as-code, to becoming the data plane in Kubernetes that carries critical information and data from one part of the application to another. Managing and securing modern applications cannot take place without managing and securing APIs.

How do you safeguard web API security?

To provide web API security, you need to enable both developers and security teams to gain a comprehensive understanding of when, where, and how APIs are communicating, even across multi-cloud environments.

Web API security is challenging because multi-cloud workloads make API usage more vulnerable. There are a few sources of risk:

  • Being unable to see all the API interactions an application has—or how those interactions change over time
  • Sensitive data in the API that creates compliance exposure and the possibility of data exfiltration and data sovereignty breaches
  • Additional API vulnerabilities, such as zero-day API attacks, stolen credentials, perimeter breaches, data leaks, resource hijacking, malicious API requests (like the recent Log4Shell exploit) and new security risks that arise every day

Known vulnerabilities to guard against are listed in the OWASP API top 10. Mitigating these risks is essential to providing web API security. This can only be accomplished through CVE scanning and remediation of all resources involved in API delivery and consumption.

You need a solution that uses a modern architecture, works in heterogeneous environments, reduces risks that are embedded deep within the application, and does all this in a scalable manner across multi-cloud environments that ensures high performance, speed, and agility.

API security best practices

API security management is an essential part of comprehensive API management and application security. Why is API security so important? The sheer number of APIs in use today, the ephemeral nature of microservice workloads, and the number and variety of API use cases (see figure) makes managing and securing APIs extremely complex.

Here are some best practices that you should consider incorporating to mitigate risk and increase API security:

  • API discovery and observability. You can’t protect what you don’t know about. As internal and external APIs proliferate, tools are necessary to help reduce the complexity of API-related tasks. Many organizations are implementing API gateways and API portals to make it easier to manage APIs.
  • Post-authorization API threat detection and response. Attacks and breaches are increasingly being perpetrated in the post-authentication and authorization phase. They’re also deeper within the API data payload. So, there is a need to look for threats deep within the application and API data payload.
  • Identify and correct vulnerabilities. It’s essential to protect the entire API lifecycle from planning to development to testing to production. For example, if your planning process for new APIs doesn’t adequately account for security, your results may suffer, no matter how good the rest of your process is.
  • Use stringent authentication and authorization. Many sites control access to APIs using security tokens. OAuth can provide token-based authentication so third-party services can access information.
  • Provide end-to-end encryption. Encryption should be used to protect data at rest and in flight, ensuring that PII and other sensitive data cannot be read. Encryption at rest ensures that data can’t be read if your API server is penetrated, while in-flight encryption using Transport Layer Security (TLS) ensures that data can’t be accessed from packets in transit. In many cases, encryption is a compliance requirement.
  • Use baselining and anomaly detection. This will allow you to detect the flow of PII and prevent data exfiltration.
  • Provide mechanisms for attack response and mitigation. If a threat is detected, API requests from specific sources should be blocked or denied. Rate limiting and throttling can be used to control API service consumption. Rate limiting protects against denial-of-service (DoS) attacks while throttling ensures you don’t test the limits of an API’s performance and potentially expose vulnerabilities.
  • Route requests through an API gateway to provide functionality like authentication and authorization, policy enforcement, or data transformation for multiple APIs. API gateway security locks down and protects access to backend services. Using an API gateway pattern offers significant advantages in terms of centralization and control: rate limiting, authentication, auditing, and logging can all be implemented in the gateway.
  • Utilize a service mesh to connect application workloads, microservices, APIs, and data in an “east-west” pattern. A service mesh leverages infrastructure logic and rules to route API requests and can increase the security of large deployments with multiple APIs.

Frequently Asked Questions

What’s an API?

An API or application programming interface is a mechanism that allows different applications, or application services in a microservices architecture, to interact with each other. APIs can carry critical data and may exchange sensitive information. As a result, if they’re used incorrectly they create potential security vulnerabilities.

What’s API security?

API security is the set of strategies and best practices that companies use to protect APIs, reduce security risks, and prevent malicious attacks and data breaches.

What’s a REST API?

REST or RESTful API is short for REpresentational State Transfer. At a high level, REST APIs are an architectural style for distributed hypermedia systems. REST was created from a combination of other architectural styles and enlists several constraints. This developer guide provides a good introduction to REST principles. This guide provides an example of building a REST API in the Spring environment. REST API security can be achieved by transferring data between client and server using encryption, either HTTP/HTTPS and/or JSON with JSON Web Encryption (JWE).

What’s an API gateway?

An API gateway provides a single access point for a set of backend APIs. A client only needs to know how to reach the API gateway rather than each individual service. A gateway can provide shared functionality for the entire set of APIs, such as authentication and authorization, policy enforcement, and data transformation. Using an API gateway pattern offers significant advantages in terms of centralization and control: rate limiting, authentication, auditing, and logging can all be implemented in the gateway.

What’s a service mesh?

A service mesh is a dedicated infrastructure layer that manages communication between application workloads, microservices, APIs, and data, simplifying monitoring, networking, and security. A service mesh provides fine-grained security for distributed microservice architectures.