cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AppDefects
Community Champion

API Security Strategy

According to an Akamai report API queries account for 83% of all web traffic. The report is an interesting read indeed. It reveals a lack of knowledge and strategy around API security. Of those surveyed, 5% had no API security strategy, and 22% were in the planning stages for API security. It's no surprise, then, that 83% of them lacked confidence in the APIs they were using, and 8% had no confidence at all. Companies had not documented their APIs properly because their tools relied on human interaction.

 

How seriously does you organization take API security? Do you have a strategy in place? 

 

 

4 Replies
Steve-Wilme
Advocate II

We start by reviewing the specification/contract for any third party API.  And this can involve the third party correcting their documentation!  Aside from that we use an API gateway, so that controls are applied to all calls, and also Akamai.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
AppDefects
Community Champion

What's the best way to document APIs? There are lots of tools out there. I like SwaggerHub and Redoc simply because it is OpenAPI complaint. Now when it comes to gateways I've seen a few and what matters is the "onboarding" process and making sure that security controls like IP filtering are actually applied.

sventester
Newcomer II

In my opinion, API security is counter intuitive to most teams, because they look at APIs as an agnostic, "backbone thing", that you build your apps on top of, instead of a component of actual applications. Also, API design is really hard to make a team work discipline, so one person ends up making a lot of decisions which will affect the application for its entire lifetime.

In fact, a lot of use cases demand you to look at APIs as the business layer, where decisions are made - and that's certainly the truth for Single Page Apps (SPAs) in combination with Oauth2/OIDC. Because of that, and especially for access controls, core controls must be decided on early in the API design stage, or the team will need to roll back a lot of the logic of their application. Despite all this, versioning of APIs makes it easier to make mistakes - but then versioning makes it harder to document.

Anyways, my strategy is to inject myself into the requirements and design phase, so that at least ID, authN, authZ and access controls are aligned with the core product features. In my experience, it's authZ and AC where I've failed the most.
sventester
Newcomer II

I guess my point about this wasn't so clear: "Also, API design is really hard to make a team work discipline, so one person ends up making a lot of decisions which will affect the application for its entire lifetime."

Part of my strategy is to be aware of that person. This person might make many assumptions/mistakes that will affect security. This person will need guidance. And if you have a microservice architecture, that one person becomes many single individual with responsibilities for each of their APIs