API security solutions

APIs are unique due to many characteristics. For example, APIs exchange data between systems, whereas web applications are accessed by end users through a web browser. APIs also use a different format to transport data, and access backend systems directly – often serving as the intermediary between modern web apps and their backend databases and servers. Due to these and other differences, the detection methodology for API security differs from web app security, even in overlapping vulnerability categories such as injection attacks and access risks.

There are a few different approaches for organizations to manage all their API growth — full lifecycle API management, API observability, and, more holistically, web application and API protection (WAAP). API observability tools provide observations and insights (rather than security) into the performance of an API. Full lifecycle API management often focuses on API management while lacking in security sophistication. WAAP, or web application and protection, is defined by Gartner as a category of security solutions designed to protect web applications irrespective of their hosted locations. WAAP is most appropriate for APIs in production, real-time monitoring, and protection against abuse, zero-day threats, and attackers.

REST APIs allow a client to request resources from a server, which returns the information to the client in its current state. Attackers can target the API at any point during the REST API “call and response.” Therefore, preventing REST API abuse requires only authorizing authenticated, “good” API traffic, to block requests from illegitimate clients. API authentication and authorization methods include mTLS certificates, JSON web tokens, valid API keys, OAuth 2.0 tokens, and others.

API access keys, which detach authentication from user credentials and instead send secret text strings along with API requests, allow for more secure access to APIs. However, API keys can still face risks from man-in-the-middle attacks, improper developer usage, and problematic storage of secrets in source code. JSON web tokens (JWTs) offer a more secure and flexible alternative to static API keys as long as the JWTs are signed using secure cryptographic algorithms, they avoid sensitive data in the payload, and they enforce token expiration.

Different metrics can help IT, security, and app development stakeholders assess their API security levels. For example, an organization with a robust API security model should have a current API asset inventory that shows all APIs are data compliant and use strong authentication or authorization methods. Audits should also be done to identify exposed/leaked credentials used in API requests, and to scan for identifiable information (PII), credit card data, or personal health care information in API requests/responses. The ability to set adaptive, intelligent rate limits on APIs, as determined by observable traffic patterns for each endpoint— also signals more advanced API security.

API abuse refers to malicious exploitation of APIs by exploiting business logic flaws and application vulnerabilities that obstruct or worsen the user experience for a real user. Most often in today’s APIs, data exposure, unauthorized actions, security controls bypass, service disruption and elevation privileges occur due to lack of authentication and authorization controls known as broken object level authorization (BOLA) and broken function level authorization (BFLA).