When talking about API security, some people just want to flip a switch and get a green light that says they are secure. Unfortunately, “there is no free lunch” when it comes to the security of APIs, as shown in this API security scenario.
Good API security tactics combined with new technology provide ways to become more secure and mitigate API security risks. This is not a one-time effort; it is a process.
However, there are different best practices you can and should use in combination.
API security tactic #1 – Monitoring
You cannot react to something that you cannot see. Make sure you have proper monitoring and logging in place so you can see what is happening on your APIs. An API monitoring solution does not prevent an attack, but it lets you see one while it is happening.
API security tactic #2 – Quota and Traffic Limits
The first line of defense, besides network firewalls, should be proper API quotas and API traffic limits that protect your backends from being overloaded.
API security tactic #3 – Applying a Policy or Ruleset
Define known patterns (headers, content types, payload, maximum size, etc.) and make sure unknown patterns are sorted out and denied before they reach your backend. This can be achieved with an API Gateway or API Proxy.
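To make tactics #2 and #3 concrete, here is an added example (not code from the original post) of the checks an API gateway would run before a request reaches the backend: a per-client sliding-window quota, followed by an allowlist policy on method, headers, content type and body size. The policy values, limits and client identifiers are constructed for illustration.

```python
import time
from collections import deque

# Constructed policy for illustration; real values depend on your API contract.
POLICY = {
    "allowed_methods": {"GET", "POST"},
    "allowed_content_types": {"application/json"},
    "allowed_headers": {"host", "accept", "authorization", "user-agent",
                        "content-type", "content-length"},
    "max_body_bytes": 4096,
}

def check_policy(method, headers, body, policy=POLICY):
    """Allow only known patterns; anything unknown is denied before the backend."""
    if method not in policy["allowed_methods"]:
        return False, f"method {method} not allowed"
    lowered = {k.lower(): v for k, v in headers.items()}
    unknown = set(lowered) - policy["allowed_headers"]
    if unknown:
        return False, f"unknown headers: {sorted(unknown)}"
    if len(body) > policy["max_body_bytes"]:
        return False, f"body of {len(body)} bytes exceeds {policy['max_body_bytes']}"
    if body:
        ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in policy["allowed_content_types"]:
            return False, f"content type {ctype!r} not allowed"
    return True, "ok"

class SlidingWindowQuota:
    """Per-client quota: at most `limit` requests within any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = {}  # client id -> deque of request timestamps

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        recent = self.calls.setdefault(client, deque())
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # drop requests that fell out of the window
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True

def gateway_decision(client, method, headers, body, quota, now=None):
    """Quota is checked first (tactic #2), then the pattern policy (tactic #3)."""
    if not quota.allow(client, now):
        return 429  # Too Many Requests
    allowed, _reason = check_policy(method, headers, body)
    return 200 if allowed else 400
```

The reason string returned by `check_policy` is what you would log for tactic #1, so a denied request is visible rather than silently dropped.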
API security tactic #4 – Enabling an API Firewall
Some attacks are carried out with the help of bots that scan parts of the internet for certain patterns. For example, they try XSS (Cross-Site Scripting) or SQL Injection against search fields on your website, developer portal or even API to see whether your system handles them properly. A good way to defend against these attacks is to work with an API firewall. These firewalls are usually pattern based and work with a definition file provided by a vendor or security specialist. If new attacks appear, the pattern or definition file is updated and the firewall applies it simply by reloading the definition file, the same principle as with antivirus and antimalware tools. Patterns sometimes cause false positives, so it is good to run regular tests whenever the pattern file changes.
API security tactic #5 – Behavioral protection
The next level is behavioral protection. As of today, only a limited set of vendors are able to provide such tools. Elastic Beam is one of them, providing Machine Learning based API Security. My colleague Daniel Wille wrote an extensive blog post about it which is worth reading. They have an API which you can feed with information about your API calls, including headers, cookie information, source IP etc., and if the Elastic Beam engine detects abnormal behavior, such as API calls that usually come from Germany now coming from China using the same authentication, the engine provides an online response raising concerns. If you have a powerful API Gateway or API Management in place, you can extract the information from your API calls and put this engine / API inline with your traffic. The advantage of this combination is that only the traffic you select is sent to the Security Engine for further analysis and decision. This can be a powerful extension to existing setups, not only in critical environments like banks and the federal and public sector but also in the emerging IoT space – see the IoT API article.
I’m sure that Content Delivery Networks and security providers like Akamai will soon rush to provide similar capabilities, now that Machine Learning and Artificial Intelligence are on the up curve and at the same time available to a broader audience at low cost.
API security tactic #6 – Chaos Testing
Going even further, bigger users of APIs have started to apply a strategy of Chaos Testing to their security concept. Netflix has even run a DDoS attack against themselves to check and validate that their security processes and countermeasures work correctly. Looking at those tools is an interesting exercise and provides insight into gaps and misunderstandings in existing setups and processes.
This is for sure the most interesting recent development in this space, and there is more to come, I’m sure!