Application programming interfaces (APIs) have sped up application delivery by enabling software automation and programmability of services, and have become a mainstay practice for any business with workloads in the cloud. As businesses make their APIs publicly available to increase their touchpoints with customers, this introduces new vulnerabilities that expose applications to malicious users, unauthorized access, and potential attacks.
How Does API Communication Work?
APIs relay web requests between servers and client-side applications (which can include websites, mobile apps, desktop apps, or connected devices associated with internet of things (IoT)). Data is communicated through JSON or XML messages which target specific functions of the application, and all messages are interchanged through an API gateway. These processes are transparent to the end user.
By acting as an intermediary between two applications, the major advantage of APIs it that they allow for the decoupling of application functions and consumption agents. This is because APIs allow users to abstract the operational details of an application’s infrastructure and networking components, and focus solely on the speedy delivery of services.
Why Secure API Gateways?
API security starts with protecting API gateways, which are uniquely vulnerable to attacks for several reasons:
- API gateways act as a single point of entry for incoming requests from clients
- They act as a mediation layer which authenticates and routes calls from client to server
- Because APIs act at the function layer, and not the infrastructure layer, they widen the spread of vulnerable nodes for hackers to target
Best Practices for Ensuring API Security
There are several key areas to focus on when selecting a WAF solution that best meets the needs for API security:
- Block malicious bots and DDoS attacks—As APIs represent a gateway to your computing resources, malicious users can attempt use this gateway to probe your network and attempt to run automated (bot) attacks. Several ways to prevent this are by blocking malicious IP addresses, monitoring for known bad sources, and setting rate limits.
- OWASP Top 10 protection—API content is still subject to the same vulnerabilities as traditional web applications, which makes it imperative to continue to defend against OWASP Top 10 threats such as cross-site scripting (XSS) and SQL injection (SQLi).
- Protect against parameter tampering and malicious fields—To ensure safe communication, your security solution should profile API calls for potential tampering and malformed calls, and also inspect requests for compliance.
- Enforce encryption—Publicly accessible APIs are more susceptible to unauthorized access to computing resources because the user base is broadly opened up with the availability of downloadable software development kits (SDKs) and resources. This makes it imperative for organizations to protect their data by encrypting API communication between clients and servers. This can be achieved by enforcing TLS communication and SSL authentication between applications.
- Access control—When opening up APIs to a broad customer base, tracking and controlling access to APIs is essential as both a preventative and proactive security approach. Maintaining user access controls by requiring that users authenticate their identity and having means to monitor user activity is an effective way to block unauthorized users and log sources of attack.
Learn how Imperva solutions can help you achieve API security and protect your network.