If you work with application security policies, chances are you have heard of the Open Web Application Security Project (OWASP). This non-profit organization focuses on improving software security, and one of its primary missions is to make software security visible, so that organizations and individuals can make informed decisions about the software they build and run. It does this by distributing AppSec knowledge to practitioners across the globe.
The increasing use of mobile devices, coupled with the spread of application services and integrations, microservices, and cloud platforms, is drastically changing the security landscape. OWASP publishes a Top 10 list of the most critical web application security risks, which many organizations adopt as a baseline for their security policies across platforms, and the 2017 edition reflects these shifts. Its most visible change was the new entry proposed in the 2017 release candidate, A10: Underprotected APIs, which recognised application programming interfaces (APIs) as an attack surface in their own right. (The entry did not survive into the final 2017 release, but the risk it named was later given its own OWASP API Security Top 10.)
Why Is API Security Important?
An API is a defined set of calls, data formats, and protocols that lets two applications communicate with one another. Essentially, an API serves as a contract and a bridge that ensures proper, consistent communication between two systems, and because it is consumed by code rather than by a person at a browser, it needs to be defended on its own terms.
Millions of applications exchange requests and responses every day, which is why security has to be part of API development rather than an afterthought. In fact, 75 percent of organizations say API security is a CIO-level concern, according to a survey of 1,200 IT professionals by software provider Akana.
Also, according to Persistence Market Research, the cloud API market is forecast to grow 19.6 percent between 2016 and 2026, reaching $1.7739 billion. Combined with the steady rise in perceived cyber threats, it is more important than ever for companies to develop thorough API security strategies.
Working to Improve Your Organization’s Security
Systems that host public APIs handle heavy loads of traffic every day. Most of it is legitimate, but some of it is not. The best way to protect the system without penalizing legitimate users is to evaluate how each client behaves and single out the traffic that looks problematic, rather than throttling everyone.
API security works the same way: rules and algorithms evaluate each client session. The questions are simple ones about how a client is behaving and what it is doing: whether its error rate is unusually high, whether it repeats the same request or walks through identifiers in a short period of time, and whether its request pattern matches what its API key or token is normally used for.
Automated mechanisms are typically used to answer these questions and to identify and deter abusive API clients. Defences designed for browser-facing websites (cookie-based sessions, CAPTCHAs, simple per-IP rate limits) do not carry over cleanly to APIs, because API traffic is machine-to-machine by design and attackers adapt their methods to whatever the defence measures. Attackers know that a crude denial-of-service flood from a single source is easily blocked, so they spread their requests across many bots, each one staying under the per-client thresholds and blending in with legitimate traffic.
Detecting these bad apples requires a system that understands API traffic in depth: which API keys and access tokens are in use, and what a typical request context looks like for a given endpoint and payload. Machine learning can help build and maintain that baseline, and this is the role a dedicated cybersecurity solution, such as Leaseweb's, is meant to fill.
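The questions above (bursts, error rates, enumeration in a short window) can be asked per API key over an access log. The following is an added example written for this article, not code from the original page or from any vendor's product: the log format, the three clients and every threshold are constructed for illustration, and a real deployment would tune them against observed traffic. It also shows why per-client burst limits alone are not enough: the low-and-slow client never exceeds the request threshold and is caught only by its error rate.

```python
"""Per-client behavioural scoring of API traffic.

Added example, not code from the original article or from any vendor. It asks
the questions the text describes (request bursts, error rates, repeated or
enumerating behaviour in a short window) per API key over a constructed access
log. The log lines, field layout and thresholds are all constructed for
illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # constructed: sliding window for burst detection
MAX_REQUESTS_PER_WINDOW = 30     # constructed thresholds; tune against real traffic
MAX_ERROR_RATE = 0.5
MIN_REQUESTS_FOR_RATIOS = 10     # do not judge error ratios on a handful of requests
MIN_DISTINCT_4XX_PATHS = 10      # many distinct 4xx paths looks like probing


def constructed_log():
    """Constructed sample traffic (not real data): one normal client, two abusive ones."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # key-alpha: a normal integration, a few requests a minute, mostly 2xx
    normal = [("GET", "/v1/orders/1001", 200), ("GET", "/v1/orders/1002", 200),
              ("POST", "/v1/orders", 201), ("GET", "/v1/orders/9999", 404),
              ("GET", "/v1/orders/1003", 200), ("PUT", "/v1/orders/1003", 200)]
    for i, (method, path, status) in enumerate(normal):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} key-alpha {method} {path} {status}")
    # key-bravo: walks /v1/users/<n> twice a second; almost every id does not exist
    for n in range(40):
        ts = base + timedelta(milliseconds=500 * n)
        status = 200 if n % 10 == 0 else 404
        lines.append(f"{ts.isoformat()} key-bravo GET /v1/users/{n} {status}")
    # key-charlie: low and slow, one failed login per minute, never a success
    for n in range(20):
        ts = base + timedelta(minutes=n)
        lines.append(f"{ts.isoformat()} key-charlie POST /v1/login 401")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'timestamp api_key method path status' lines into tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, key, method, path, status = line.split()
        records.append((datetime.fromisoformat(ts), key, method, path, int(status)))
    return records


def peak_requests_in_window(timestamps, window=WINDOW):
    """Largest number of requests falling inside any span of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_clients(records, window=WINDOW):
    """Group records by API key and flag keys whose behaviour crosses a threshold."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[rec[1]].append(rec)
    report = {}
    for key, recs in by_key.items():
        total = len(recs)
        errors = [r for r in recs if r[4] >= 400]
        error_rate = len(errors) / total
        distinct_4xx_paths = {r[3] for r in errors if r[4] < 500}
        peak = peak_requests_in_window([r[0] for r in recs], window)
        reasons = []
        if peak > MAX_REQUESTS_PER_WINDOW:
            reasons.append(f"burst: {peak} requests within {int(window.total_seconds())}s")
        if total >= MIN_REQUESTS_FOR_RATIOS and error_rate > MAX_ERROR_RATE:
            reasons.append(f"error rate {error_rate:.0%} over {total} requests")
        if len(distinct_4xx_paths) >= MIN_DISTINCT_4XX_PATHS:
            reasons.append(f"probing: {len(distinct_4xx_paths)} distinct paths returned 4xx")
        report[key] = {
            "requests": total,
            "peak_in_window": peak,
            "error_rate": round(error_rate, 2),
            "flagged": bool(reasons),
            "reasons": reasons,
        }
    return report


if __name__ == "__main__":
    for key, result in sorted(score_clients(parse_log(constructed_log())).items()):
        verdict = "FLAG" if result["flagged"] else "ok  "
        print(f"{verdict} {key}: {result}")
```

Run as a script, the normal client passes, the enumerating client trips all three checks, and the once-a-minute login client is flagged on error rate alone, which is the distributed, under-the-threshold behaviour the text warns about. The same scoring works whether the grouping key is an API key, a bearer token's subject, or a source address.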
What You Can Do Right Now
There are several things you can do right now to protect your system from potentially damaging attacks. Start by serving the API over HTTPS, if you are not already, so that credentials and tokens cannot be read or altered in transit; then make sure every endpoint performs proper authentication and authorization, because TLS on its own does neither. Next, adjust your SDLC so it includes rigorous API security testing and validation, with a primary focus on input validation: accept only the fields, types and ranges an endpoint expects and reject everything else.
Also, ensure that all servers run stable, regularly patched OS versions behind carefully configured security groups that expose only the ports the API needs. Role-based access control and VPC isolation between environments limit what an attacker can reach from a compromised component and make incidents easier to contain.
Finally, a pre-documented incident response plan means that when one of these controls fails, your team knows how to contain the damage, recover, and feed the lessons back into development so that the environment stays secure over time.
Performing routine API audits and testing will help you continually improve your API development and keep your web services protected against DDoS attacks and malicious bots without sacrificing the experience of legitimate API clients. Employing these techniques will help you validate API requests, distinguish legitimate ones from abuse, and substantially reduce your exposure to API attacks.
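The input validation step above is the one most often done loosely, so here it is carried through as an added example (not code from the original article). It validates the JSON body of a hypothetical POST /v1/orders endpoint against an explicit allow-list schema: the field names, types, bounds and size limit are constructed for illustration, and the sample request bodies are constructed too. Note the strict type check: in Python `bool` is a subclass of `int`, so an `isinstance` check would let `true` through as a quantity.

```python
"""Allow-list input validation for a JSON API endpoint.

Added example, not code from the original article. It shows the kind of input
validation the text recommends building into the SDLC: every field of a
request body is checked against an explicit schema of expected names, types
and bounds, and anything unexpected is rejected rather than passed through.
The endpoint (a hypothetical POST /v1/orders), its fields and its limits are
constructed for illustration.
"""
import json
import re


class ValidationError(ValueError):
    """Raised with a client-safe message when a request body is rejected."""


MAX_BODY_BYTES = 4096  # constructed limit; reject oversized bodies before parsing

# Constructed schema: only these fields are accepted, with these types and bounds.
ORDER_SCHEMA = {
    "sku":      {"type": str, "required": True, "pattern": re.compile(r"[A-Z0-9-]{3,20}")},
    "quantity": {"type": int, "required": True, "min": 1, "max": 1000},
    "note":     {"type": str, "required": False, "max_len": 200},
}


def validate_body(raw_body, schema=ORDER_SCHEMA):
    """Return the validated fields, or raise ValidationError explaining the rejection."""
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        body = json.loads(raw_body)
    except ValueError:
        raise ValidationError("malformed JSON") from None
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")
    # Reject fields the endpoint never asked for (blocks mass-assignment style abuse)
    unknown = sorted(set(body) - set(schema))
    if unknown:
        raise ValidationError(f"unexpected fields: {unknown}")
    clean = {}
    for name, rule in schema.items():
        if name not in body:
            if rule["required"]:
                raise ValidationError(f"missing field: {name}")
            continue
        value = body[name]
        # Exact type check: bool is a subclass of int, so isinstance() would let
        # true/false through as a quantity; type() is deliberately strict here
        if type(value) is not rule["type"]:
            raise ValidationError(f"{name}: expected {rule['type'].__name__}, got {type(value).__name__}")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            raise ValidationError(f"{name}: does not match expected format")
        if "min" in rule and value < rule["min"]:
            raise ValidationError(f"{name}: must be >= {rule['min']}")
        if "max" in rule and value > rule["max"]:
            raise ValidationError(f"{name}: must be <= {rule['max']}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError(f"{name}: longer than {rule['max_len']} characters")
        clean[name] = value
    return clean


def rejection_reason(raw_body, schema=ORDER_SCHEMA):
    """None if the body is accepted, otherwise the rejection message (for tests and logging)."""
    try:
        validate_body(raw_body, schema)
    except ValidationError as exc:
        return str(exc)
    return None


# Constructed requests a gateway might see: one good, the rest hostile or malformed.
SAMPLE_BODIES = [
    b'{"sku": "ABC-123", "quantity": 5}',
    b'{"sku": "ABC-123", "quantity": 5, "is_admin": true}',   # extra field smuggled in
    b'{"sku": "ABC-123", "quantity": "5"}',                   # wrong type
    b'{"sku": "ABC-123", "quantity": true}',                  # bool masquerading as int
    b'{"sku": "ABC\' OR 1=1", "quantity": 1}',                # injection-shaped value
    b'{"sku": "ABC-123", "quantity": 0}',                     # out of range
    b'{"sku": "ABC-123"}',                                    # required field missing
    b'[1, 2, 3]',                                             # not an object at all
]

if __name__ == "__main__":
    for raw in SAMPLE_BODIES:
        print(raw.decode(), "->", rejection_reason(raw) or "accepted")
```

The validator returns only the fields it recognised, so downstream code never sees a smuggled attribute, and the rejection messages name the offending field without echoing the attacker's value, which keeps them safe to return to the client and to write to logs.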