Top 3 API Security Best Practices
Feeling exposed? Learn how you can rise above unseen threats.
INTRODUCTION
For organizations that want to thrive in the new digital economy, the status quo simply won’t cut it. Traditional security controls are static and inflexible. They were designed in the days of client/server communication with predictable user journeys and traffic flows, well before APIs became ubiquitous and the cornerstone for today’s digital experiences.
While efforts to modernize security by infusing zero trust, least-privilege access, and authentication/authorization principles have borne fruit, the game has changed. The players in the application game that cheer you on by transacting across your digital properties are no longer users in the traditional sense. Increasingly, those “users” are business logic calls from APIs, which may be from partners or aggregators as much as they are from customers or prospects. The importance of APIs also means they are a much bigger target for attackers.
Organizations that want to survive must secure their APIs and mitigate unintended and unforeseen risk in a distributed and ever-changing digital fabric. Organizations that want to thrive should concentrate their strategic efforts in a few key areas to create a predictable, scalable, and self-defending API security platform.
Traditional versus Modern Security
Traditional security controls are widely deployed, used by organizations worldwide to protect business secrets and customer data. Companies use encryption-decryption systems to help ensure privacy and prevent data theft by restricting access to sensitive information. Security controls such as rate limiting help businesses prevent denial of service (DoS) attacks and reduce web scraping by letting them limit the number and frequency of requests to normal, expected traffic baselines. In addition, organizations often use a combination of security tools, such as web applications firewalls (WAFs), static code analysis, and dynamic application security testing to mitigate many common threats, such as those in the OWASP Top 10.
Yet, in today’s digital world, traditional security measures aren’t enough. That’s why so many organizations are embracing modern security controls like authentication (AuthN), authorization (AuthZ), and traffic inspection for their distributed applications.
Organizations use multi-factor authentication, public key certificates, biometrics, and other methods to confirm the identity of people and devices and to make sure only legitimate users and trusted machines can access their data. Authorization is simply a matter of granting appropriate permissions to authenticated users, ensuring they can access all the files and data they need to do their work while preventing them from seeing other information they should not be privy to. Traffic inspection enables companies to minimize risks by examining application traffic and identifying unusual activity and potential threats as well as supplying any insights needed for accounting or incident response.
While these controls are widely deployed and well understood by security and risk teams, implementing them across a plethora of digital touch points is a critical challenge.
The Evolution to Adaptive Security
Security is increasingly focused on identity and verification. Organizations use methods like zero trust and least-privilege access to increase the rigor of their security, trusting neither users nor devices by default and limiting their access to the bare minimum of information they need, in many cases through predetermined use case modeling. Companies also use methods such as behavioral analytics to detect suspicious behavior that may indicate potential threats from malicious users, and risk-based controls to step up the authentication process, making it more stringent as the perceived threat level increases.
Figure 1: The Internet of things connects the world around us and powers our modern way of life.
However, organizations today operate complex, interconnected architectures, which complicates their ability to enforce security policy such as AuthN and AuthZ consistently. IT is overwhelmed with tool sprawl and the challenge of managing heterogeneous environments, and “users” are likely to be APIs, services, or machines rather than human beings. The growing complexity and interconnection of architecture requires a paradigm shift in risk management. What’s needed is cross-platform visibility coupled with artificial intelligence (AI) and machine learning (ML) so that organizations can correlate data insights at scale.
Figure 2: WAF's are a strategic security control that has evolved over time.
“Cross-platform application technologies enable organizations to better adapt to the unexpected shifts of a constantly evolving marketplace.”1
Adaptive Identity-Based Security
A core set of cross-platform application services coupled with a positive operating model are critical for any security platform, especially when protecting APIs. Those core application services may include zero trust and risk-based management as well as microsegmentation, which isolates services and access to them within the data center or cloud environment. Native defense-in-depth, another core tenant, provides multiple layers of security controls throughout a platform to create resilience in case one security control fails to deter a motivated attacker.
Strong namespace isolation segregates resources for greater security, and secrets management consistently enforces security policies for machine-to-machine communication that is increasingly common in modern architectures.
Figure 3: Identity Authority for AuthN and AuthZ as part of cross-platform application services.
A positive security operating model allows organizations to dynamically discover new API endpoints, automatically protect them with AI/ML-based anomaly detection, and consistently enforce policy throughout the application lifecycle, reducing risk and the unintended side effects of highly decentralized and interconnected architecture.
A platform that can scale to deliver these services consistently, regardless of where the underlying infrastructure and APIs reside, will allow security teams to focus their efforts on strategic risk management instead of the day-to-day tactical challenges of maintaining security policy in a dynamic application release cycle with many ecosystem connections.
Figure 4: A positive security operating model enables automated protection and adaptive defenses.
A positive security operating model allows organizations to dynamically discover new API endpoints, automatically protect them with AI/ML-based anomaly detection, and consistently enforce policy throughout the application lifecycle, reducing risk and the unintended side effects of highly decentralized and interconnected architecture.
A platform that can scale to deliver these services consistently, regardless of where the underlying infrastructure and APIs reside, will allow security teams to focus their efforts on strategic risk management instead of the day-to-day tactical challenges of maintaining security policy in a dynamic application release cycle with many ecosystem connections.
Figure 4: A positive security operating model enables automated protection and adaptive defenses.
“Organizations that adopt identity-based security will be able to manage threats contextually and continue modernizing while efficiently balancing risk with performance."1
Top 3 API Security Best Practices
For organizations to thrive in the new digital economy, their security and risk teams should concentrate their strategic efforts in three areas to help create a predictable, scalable, and self-defending API security platform:
1. Identity-Based Security
Evolve to adaptive identity-based security.
2. Cross-Platform Services
Deploy cross-platform application services for consistency, observability, and actionable insights.
3. Automated Protection
Leverage AI/ML for continuous automated protection.
To learn more, read the eBook: “API Security Best Practices: Key Considerations for API Protection"
Discover More
EBOOK
API Security Best Practices: Key Considerations for API Protection
Learn why existing security controls may be insufficient to adequately protect APIs in a constantly changing application lifecycle with a plethora of third-party integrations.
BLOG
State of Application Strategy 2022: The Future of Business is Adaptive
Learn how companies are making their digital businesses more responsive and better suited to serve their customers, partners, and employees – now and in the future.
SIMULATION
F5 Distributed Cloud WAAP Simulator Hub: API Protection
Visit the F5 Simulator Hub to learn more about F5 Distributed Cloud WAAP.
FORRESTER REPORT
API Insecurity: The Lurking Threat In Your Software
Design and build API security top to bottom and end to end across the software lifecycle.