Securing APIs is one of the main tasks APIIDA handles for its customers every day. We follow a simple, easy-to-follow checklist to guarantee basic API security, and we will share it in this post. Have an addition, or would you like to discuss the reasoning behind it with us? Just reach out to us, we love to have a chat about these things.
The most basic advice we can give is to add a dedicated API gateway to your edge. While a lot of the discussion around API gateways has shifted to topics like developer experience and monetization of APIs, guaranteeing their security is still at the heart of every gateway available on the market, whether you deploy a more established solution like Broadcom CA’s Layer7 API Gateway or a lightweight cloud-native solution like Envoy.
Implementing authentication within every single one of your APIs wastes resources and opens the door to misuse of authentication algorithms or the use of unsafe default values. Modern gateways have authentication capabilities baked right in, and they support a wide range of authentication schemes out of the box. So do yourself a favor and move user authentication to the edge. This does not mean that you can neglect proper authentication checks within your APIs, but you can perform them in a much more standardized and easier way once they are decoupled from the users’ authentication.
Always check incoming traffic for conformance with what you expect it to look like. Have an OpenAPI definition for your API? Great, then use it to check all incoming data for conformance before passing it on to the upstream systems. The same goes for other popular API specifications like AsyncAPI or the aging (but still alive and kicking) SOAP. If you do not have a specification, we strongly recommend creating one. There are a lot of good (and free) tools out there to get the job done. But even with spec checking in place, handle every input as if it were malicious. Check the headers and origin of the traffic and, if in doubt, always decline the request.
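As an added illustration (this is not APIIDA's code, nor any gateway's), here is a minimal, dependency-free version of the conformance check a gateway performs before forwarding a request, written in Python. The schema is a hand-written subset of what an OpenAPI definition for a `POST /orders` operation would declare; the allowed origin and the sample requests are assumptions constructed for the example.

```python
# Added example, not APIIDA's code: a minimal gateway-style conformance check.
# ORDER_SCHEMA is a hand-written subset of what an OpenAPI definition for
# POST /orders would declare; origins and sample requests are constructed.
ORDER_SCHEMA = {
    "type": "object", "required": ["customer_id", "quantity"],
    "additionalProperties": False,
    "properties": {
        "customer_id": {"type": "string", "maxLength": 36},
        "quantity": {"type": "integer", "minimum": 1, "maximum": 1000},
    },
}
ALLOWED_ORIGINS = {"https://shop.example.com"}  # assumed trusted origin
PY_TYPES = {"object": dict, "string": str, "integer": int}

def validate(value, schema, path="$"):
    """Return violations of value against schema (a small JSON Schema subset)."""
    expected = PY_TYPES[schema["type"]]
    # bool is a subclass of int in Python, so reject it explicitly for integers
    if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
        return [f"{path}: expected {schema['type']}"]
    errors = []
    if expected is dict:
        props = schema.get("properties", {})
        errors += [f"{path}.{k}: required" for k in schema.get("required", []) if k not in value]
        for key, sub in value.items():
            if key in props:
                errors += validate(sub, props[key], f"{path}.{key}")
            elif not schema.get("additionalProperties", True):
                errors.append(f"{path}.{key}: not allowed")  # unknown field: decline
    elif expected is str and len(value) > schema.get("maxLength", len(value)):
        errors.append(f"{path}: too long")
    elif expected is int and not schema.get("minimum", value) <= value <= schema.get("maximum", value):
        errors.append(f"{path}: out of range")
    return errors

def admit(request):
    """Gateway decision: (allowed, reasons). Anything not explicitly valid is declined."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    reasons = []
    if headers.get("content-type", "").split(";")[0].strip() != "application/json":
        reasons.append("header: unexpected content-type")
    if headers.get("origin") not in ALLOWED_ORIGINS:
        reasons.append("header: origin not allowed")
    reasons += validate(request["body"], ORDER_SCHEMA)
    return (not reasons, reasons)

# Constructed sample traffic: one conforming request and one carrying extra data.
GOOD = {"headers": {"Content-Type": "application/json; charset=utf-8",
                    "Origin": "https://shop.example.com"},
        "body": {"customer_id": "c-1001", "quantity": 3}}
BAD = {"headers": {"Content-Type": "text/plain", "Origin": "https://evil.example"},
       "body": {"customer_id": 42, "quantity": 0, "role": "admin"}}
```

`admit(GOOD)` returns `(True, [])`, while `admit(BAD)` declines with five reasons, including the unknown `role` field that the spec never declared.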
There are a lot of certifications out there that guarantee you get what you pay for: an API gateway that adheres to common quality standards and has itself undergone security audits, so that you don’t open any holes in your security by using an unsafe gateway at the perimeter of your organization.
Besides technical measures, there are also some recommendations for secure processes around API management.
Always think about what valid use cases for a backend could look like. Check whether there are calling patterns that differ from these and might be a sign of someone probing your API security, trying to find a way in.
Not all data that can be exposed to the outside actually needs to be exposed. Always make sure that you don’t expose data that is not needed for the use cases the API is designed around. This is especially helpful as being frugal with data is also in line with European data protection laws.
Most APIs are not meant for the public but are only accessible to a limited number of consumers. The better you know your consumers, the better you can check them. Depending on your consumers, it might be fine to just check their API key, or to regularly check the validity of their certificates when using mutual TLS.
Make sure that all of your APIs adhere to a common security guideline. Figuring out security measures for each of your APIs on its own is a recipe for disaster. The guideline should be easy to understand and should not only tell people what to do, but also why to do it. This will make sure that people do not sidestep the guideline because doing so is more convenient.
Mistakes happen all the time. Some of them only have small effects on your service quality; mistakes in deployment processes, however, can bring down your whole API landscape. To mitigate the risk of service outages, make sure to automate your deployment processes. Deploy with confidence and let your CI/CD pipelines take over the tedious job of deploying to production.
Monitoring your API gateway is a necessity. The gateways are your first line of defense when it comes to securing your APIs. Monitor for any unexpected numbers and set thresholds for what is acceptable and what might become an issue. Unusual usage patterns might be an indication that an attack is happening.