Many security executives find themselves navigating a perfect storm when it comes to API security. While APIs aren’t new, they’ve taken on much greater strategic importance in recent years now that:
- Users interact with applications through an increasingly diverse set of user interfaces and devices, often enabled by a shared set of APIs.
- DevOps practices and other fast-moving business processes rely on APIs to drive automation.
- API integrations among business partners are the only way to meet customer expectations for fast and seamless online experiences.
- Industry developments like the Internet of Things (IoT) increase – by orders of magnitude – the number of connected devices that businesses need to manage programmatically through APIs.
These industry developments happened over many years in plain sight. But many security leaders are only now beginning to zero in on the fact that APIs are both a strategic enabler – and a key point of vulnerability – across nearly all of their critical business functions.
Recognizing the need for a strategic approach to API security is an important first step, but getting there can feel like a complex journey. For one, APIs are a moving target. They appear and disappear all of the time, and API governance processes are often inconsistent – if they exist at all.
API threats are also quite different from traditional security threats. Technical vulnerabilities and misconfigurations, like those included in the OWASP API Security Top 10, bear some similarity to attack vectors that security teams are accustomed to defending against. But APIs are also subject to other types of misuse and business logic abuse that don’t fit the traditional mold of a security attack.
While approaching API security strategically isn’t necessarily easy, it is possible.
We created a short guide called “The Do’s and Don’ts of API Security” that summarizes some of the lessons and best practices from our research and engagements with some of the world’s most sophisticated API-driven organizations.