The Do’s and Don’ts of Modern API Security
Many security executives find themselves navigating through a perfect storm when it comes to API security. Although APIs aren’t new, they’ve taken on much greater strategic importance in recent years because of the following factors:
Users interact with applications through an increasingly diverse set of user interfaces and devices, often enabled by a shared set of APIs.
DevOps practices and other fast-moving business processes rely on APIs to drive automation.
API integrations among business partners are the only way to meet customer expectations for fast and seamless online experiences.
Industry developments like the Internet of Things (IoT) increase — by orders of magnitude — the number of connected devices that businesses need to manage programmatically through APIs.
APIs: A strategic enabler and a key point of vulnerability
These industry developments happened over many years in plain sight. But many security leaders are only now beginning to zero in on the fact that APIs are both a strategic enabler and a key point of vulnerability across nearly all of their critical business functions.
Recognizing the need for a strategic approach to API security is an important first step, but getting there can feel like a complex journey. For one, APIs are a moving target. They appear and disappear all of the time, and API governance processes are often inconsistent — if they exist at all.
API threats vs. traditional security threats
API threats are also quite different from traditional security threats. Technical vulnerabilities and misconfigurations, like those included in the OWASP API Security Top 10, bear some similarity to attack vectors that security teams are accustomed to battling. But APIs are also subject to other types of misuse and business logic abuse, like aggressive data scraping, that don’t fit the mold of a traditional security attack.
Although approaching API security strategically isn’t necessarily easy, it is possible.
We created a short guide called 8 Do’s and Don’ts of API Security that summarizes some of the lessons and best practices from our research and engagements with some of the world’s most sophisticated API-driven organizations. It includes essential strategies to implement — and pitfalls to avoid — as you develop a more sophisticated API security strategy for your organization.