What Is an API Security Checklist?

This API Security Checklist goes beyond a simple collection of API security best practices and is based on the API lifecycle. It starts with planning, proceeds through development and testing, and concludes with operation and protection. It’s essentially a guide for creating a secure software development lifecycle (SDLC) management process for your APIs.

As organizations become increasingly cloud-centric and digital, their APIs (application programming interfaces) grow in scope and scale, increasing their value. APIs now:

  • Operate at the heart of applications and services that serve your customers and partners, including the latest AI innovations
  • Are embedded across cloud environments, from the services your developers use to the workloads your engineers lift and shift
  • Represent revenue streams themselves, helping to grow your business and build a developer ecosystem

However, if you’re like the 84% of IT and security professionals who have experienced API security incidents, you’ve also seen firsthand that APIs are a growing risk. Exposed or misconfigured APIs are prevalent, unprotected, and easy to compromise. What's more, APIs contain instructions on how to access them and get the data sitting behind them. This is a hacker’s dream. There’s no “security through obscurity.” In addition, APIs almost always bring together disparate groups in the organization. These groups may not be able to easily coordinate security, even if they wanted to. The number of APIs simply “out in the wild” further complicates security. Many organizations don’t even know about all of their APIs, leaving them unmanaged. These dormant, or zombie, APIs are key attack vectors.

The stakes of API security are high. Attacks on APIs can jeopardize an enterprise’s revenue, resilience, and regulatory compliance. Most organizations don’t yet have the right controls and capabilities in place to prevent API attacks. Certainly, many companies have API tools in their existing stack — including API gateways and web application firewalls. But while these tools can offer some protection, they aren’t designed to provide the degree of visibility, real-time security, and continuous testing needed to defend against modern API attacks.

For these reasons, we developed this API Security Checklist as a more rigorous and methodical approach to securing APIs. At each lifecycle stage, four recommended controls enable a robust API security posture. The stages of this secure SDLC management process are represented in the following chart:

Plan

  • Roles and Responsibilities (Governance)
  • Policies, Standards, and Specifications
  • Security Metrics
  • Lifecycle Management

Develop

  • Developer Training
  • Developer Environment (IDE, Repos)
  • Documentation
  • Defect Tracking and Resolution

Test

  • Source Code Testing (Static and Dynamic) 
  • Penetration Testing 
  • Compliance Review
  • Change and Release Management

Operate

  • Inventory of APIs 
  • Inventory of Sensitive Data 
  • Vulnerability Identification 
  • Configuration Management

Protect

  • Log or Traffic Collection 
  • Threat Detection and Alerting 
  • Sensitive Data Movement 
  • Blocking and Remediation

Plan

API security begins well before anyone starts writing code. At the planning stage, it is essential to think through governance issues like roles, responsibilities, and policies. Planning is the best time to determine security metrics, too, along with lifecycle management processes.

API planning security checklist:

  • Governance, roles, and responsibilities. Have you clearly defined roles and responsibilities for securing your API estate? This includes both execution-level responsibilities for developers and security engineers, as well as management oversight responsibilities that deal with risk decisions and policy oversight.
  • Policies, standards, and specifications. Have you developed a library of policies, standards, and API specifications that outline the minimum required expectations for your APIs’ secure design, development, testing, and operations?
  • Security metrics. Have you set up a defined series of API security risk metrics so you can measure and manage API-related risks? Your stakeholders can use these API risk metrics as a feedback loop for ongoing improvement of API security risk management.
  • Lifecycle management. Is your organization managing APIs as software assets with defined ownership throughout their useful life cycle? It is a best practice to pay particular attention to initial deployment, ongoing change management, and asset decommissioning.

Develop

In development, the policies established in the planning stage come to life. Developers are responsible for creating secure APIs, working in partnership with other stakeholder groups.

API development security checklist:

  • Training. Have you trained your API developers and other personnel with API management responsibilities (e.g., gateway, security operations) on aspects of API security relevant for their roles?
  • Developer environment (e.g., IDE, Repos). Is your API source code developed and managed in approved, managed source code repositories? Are developers utilizing managed or approved developer environments?
  • Documentation. Are your APIs accurately documented and evaluated for compliance against specifications/standards? Is your API documentation updated when API schemas are changed? Is the documentation available for independent review and testing/verification?
  • Defect tracking and resolution. Are security-related code defects or vulnerabilities prioritized and tracked for resolution?

Test

Once APIs are developed, they must undergo a thorough cycle of testing. Similar to the application security testing checklist, the following outlines security controls to implement in your API testing program.

API testing security checklist:

  • Source code testing. Are you putting your API source code through static application security testing (SAST) and dynamic application security testing (DAST) before promoting it to production?
  • Penetration testing. Are your API endpoints pen tested prior to migration to production under conditions replicating production-environment API management, network, and policy variables, where possible?
  • Compliance review. Are your APIs evaluated for compliance with standards and specifications prior to migration to production (e.g., GDPR, PCI compliance)? This process should also cover architectural requirements, such as network placement and protective configuration (e.g., WAF protection).
  • Change and release management. Do you deploy or change APIs in accordance with a well-defined software or IT change policy? Changes should ideally be accurately reflected in software asset inventory.

API security measures in development and testing

Authentication and access control: Implement robust authentication mechanisms, such as OAuth and API keys, to secure API endpoints during development and testing. Ensure access control policies are enforced to prevent unauthorized access to sensitive data.

Rate limiting: During the testing phase, implement rate limiting to protect APIs from abuse and potential DDoS attacks. Rate limiting helps prevent excessive requests that can overwhelm the system and lead to denial of service.
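As an added illustration of the per-client limit described above (and in the rate-limiting FAQ below), this Python sliding-window limiter is not code from this page; client ids, the limit, the window, and the sample traffic are all constructed for the example. Rejected requests are not counted, so a client that keeps hammering cannot extend its own lockout.

```python
"""Per-client sliding-window rate limiter (added example).

Each client may make at most `limit` requests in any `window` seconds.
Requests over the limit are rejected (an API would answer HTTP 429).
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        # client id -> timestamps of accepted requests, oldest first
        self._hits = defaultdict(deque)

    def allow(self, client, now):
        """True if the request is within the limit, False if it should be rejected."""
        hits = self._hits[client]
        # Drop accepted requests that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False        # rejected requests are not recorded
        hits.append(now)
        return True


def run_requests(limiter, requests):
    """Feed (client, timestamp) pairs through the limiter and return
    per-client counts of accepted and rejected requests."""
    accepted, rejected = defaultdict(int), defaultdict(int)
    for client, ts in requests:
        if limiter.allow(client, ts):
            accepted[client] += 1
        else:
            rejected[client] += 1
    return dict(accepted), dict(rejected)


# Constructed sample traffic (client id, timestamp in seconds):
# "bot" fires 10 requests within 1 s; "app" sends 3 requests 2 s apart.
SAMPLE_REQUESTS = [("bot", 100.0 + i * 0.1) for i in range(10)] + \
                  [("app", 100.0 + i * 2.0) for i in range(3)]

if __name__ == "__main__":
    ok, blocked = run_requests(SlidingWindowLimiter(limit=5, window=10.0),
                               SAMPLE_REQUESTS)
    print("accepted:", ok)       # {'bot': 5, 'app': 3}
    print("rejected:", blocked)  # {'bot': 5}
```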

SQL injection and validation: Test for common API attacks such as SQL injection. Implement strict input validation to prevent malicious input from compromising your APIs. Ensure that data passed through APIs is sanitized and validated to protect against injection attacks.
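As an added example for this paragraph (and for the input-validation FAQ below), not code from this page: an injectable lookup beside its hardened form, using an in-memory SQLite table with constructed rows. The hardened version checks the input against an allowlist pattern and binds it as a query parameter, so the database never interprets user data as SQL; the table name, column names, and the username format are assumptions.

```python
"""Injectable query beside its hardened form (added example)."""
import re
import sqlite3

# Allowlist (assumed policy): 3-32 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable: user input is concatenated into the SQL text,
    so quoting in the input changes the query's logic."""
    sql = "SELECT email FROM users WHERE name = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened: reject anything outside the allowlist, then bind the
    value as a parameter instead of splicing it into the statement."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    bad_input = "x' OR 'a'='a"   # constructed test input, not a real username
    print(lookup_unsafe(db, bad_input))   # every row leaks
    try:
        lookup_safe(db, bad_input)
    except ValueError as err:
        print("rejected:", err)           # fails validation before any SQL runs
    print(lookup_safe(db, "alice"))       # ['alice@example.test']
```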

Operate

API security should remain in force as APIs go into production. Indeed, this is where APIs tend to get lost and wind up as points of vulnerability.

API operation security checklist:

  • API inventory. Are you maintaining an accurate, current inventory of all API endpoints, including API documentation?
  • Inventory of sensitive data. Does your organization maintain an accurate, current inventory or mapping of the sensitive data handled by API endpoints? More importantly, do you know which users are accessing sensitive data? Access management is a critical component of both security and compliance.
  • Identification of vulnerabilities. Are you identifying vulnerabilities and areas of API risk exposure in your production environment?
  • Configuration management. Do you identify vulnerabilities and exposure of network, gateway, and firewall components that broker and protect API traffic?

Protect

API protections must remain in place throughout the API lifecycle. This workload covers log and traffic collection, threat detection, alerts and more.

API protection checklist:

  • Log or traffic collection. Are you logging API activity and storing the data to support operational and security inspection?
  • Threat detection and alerting. Are you analyzing API activity in order to detect anomalous activity? Your process should include associated alerting/flagging of anomalous or misuse events to applicable security and operational teams.
  • Sensitive data movement. Are you monitoring the movement of sensitive data contained within API traffic? This process should include analyzing data streams to detect unauthorized or anomalous use, with alerting/flagging of sensitive data movement to applicable security and operations teams.
  • Blocking and remediation. Are you blocking and remediating the unauthorized movement of sensitive data via API, or other suspected misuses of APIs?

Protecting APIs from cybersecurity threats

Today’s threat landscape calls for a complete API security solution that provides API discovery, posture management, runtime protection, and API security testing.

1. API discovery. It’s not uncommon to have APIs that no one knows about. Most organizations have little to no visibility into a large percentage of their API traffic, often because they assume all of their APIs are routed through an API gateway. But that is not the case. Your enterprise is exposed to a range of risks without a complete and accurate inventory. Core capabilities needed:

  • Locating and inventorying all of your APIs, regardless of configuration or type
  • Detecting dormant, legacy, and zombie APIs
  • Identifying forgotten, neglected, or otherwise unknown shadow domains
  • Eliminating blind spots and uncovering potential attack paths

2. API posture management. With a complete API inventory in place, it’s critical to understand what types of data flow through your APIs and how that affects your ability to comply with regulatory requirements. API posture management provides a comprehensive view of traffic, code, and configurations to assess your organization’s API security posture. Core capabilities needed:

  • Automatically scanning infrastructure to uncover misconfigurations and hidden risks
  • Creating custom workflows to notify key stakeholders of vulnerabilities
  • Identifying which APIs and internal users are able to access sensitive data
  • Assigning severity rankings to detected issues to prioritize remediation

3. API runtime security. You’re no doubt familiar with the concept of “assume breach.” API-specific breaches and attacks are reaching that same degree of inevitability. For all of your APIs that are live in production, you need to be able to detect and block attacks in real time. Core capabilities needed:

  • Monitoring for data tampering and leakage, policy violations, suspicious behavior, and API attacks
  • Analyzing API traffic without additional network changes or difficult-to-install agents
  • Integrating with existing workflows (ticketing, SIEMs, etc.) to alert security/operations teams
  • Preventing attacks and misuse in real time with partially or fully automated remediation 

4. API security testing. API development teams are under pressure to work as quickly as possible. Speed is essential for every application developed, making it easier for a vulnerability or design flaw to happen and subsequently go undetected. Testing APIs in development before they are released into production greatly reduces both risk and the cost of fixing an API that is vulnerable. Core capabilities needed:

  • Running a wide range of automated tests that simulate malicious traffic
  • Discovering vulnerabilities before APIs enter production, reducing the risk of successful attacks
  • Inspecting your API specifications against established governance policies and rules
  • Running API-focused security tests that run on demand or as part of a CI/CD pipeline

This comprehensive approach works as a complement to an enterprise’s existing API protection capabilities, including:

  • Threat detection and DDoS prevention: Utilize cybersecurity tools to detect potential API attacks in real time. Implement strategies to prevent DDoS attacks, such as rate limiting and load balancing, to ensure your API endpoints remain available and secure.
  • Blocking and remediation: Implement automated blocking and remediation measures to protect against unauthorized access attempts and sensitive data exposure. Use a combination of WAF, authentication, and access control policies to enforce security at the API gateway level.

These are suggested controls. It’s a lot to take in, and in reality not every organization will be adequately covering all of these. However, the checklist is a valuable way to establish best practices and identify areas for improvement in API security. It provides a helpful baseline for a well-run API security operation.

FAQs

Rate limiting is crucial for preventing DDoS attacks and protecting API endpoints from being overwhelmed by excessive requests. By limiting the number of requests a user or client can make within a specified timeframe, rate limiting helps ensure that your APIs remain available and responsive, even under heavy load.

OAuth is a widely used authentication protocol that provides secure access to APIs by allowing users to grant access to their data without sharing their credentials. Implementing OAuth helps ensure that only authorized users and applications can access your API endpoints, reducing the risk of unauthorized access and data breaches.

Input validation is a critical security measure that helps prevent common API attacks such as SQL injection. By validating and sanitizing the data received from users and other APIs, you can prevent malicious inputs from compromising your application, protecting sensitive data and maintaining the integrity of your APIs.

A web application firewall (WAF) provides an additional layer of protection for your APIs by filtering and monitoring HTTP requests. A WAF can block malicious traffic, protect against common threats like SQL injection and cross-site scripting (XSS), and enforce access control policies at the API gateway level, helping to secure your APIs from various cybersecurity threats.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.