API Security Guide

WordPress powers over 40% of the Internet, which made recent news about an expose API security flaw all the scarier. 

In January 2022, a security researcher discovered over 20,000 WordPress sites were vulnerable to malicious code injection, phishing scams, and site takeovers due to a misconfigured REST API in a WordPress plugin. The purpose of the REST API was to enable users to update their site templates and change settings, but the REST API endpoint had no authentication blocking attackers from using it.

API security flaws like these are not rare. Recently, Gartner predicted that API attacks would become the most frequent vector of attack. This article will explain why API security is essential and which best practices companies can implement to protect their APIs better. 

Why is API security important?

API security is important because if attackers get access and control over an API, they can control the services your APIs connect to and even steal the data an API might be using. APIs are the plumbing of the software world, so access to APIs inevitably means access to any data those APIs are piping from product to product or service to service. Common API types including GraphQL and REST need to be secured to prevent malicious access, check out our guide to building a secure GraphQL API here.

How does API security fit into application security?

Traditionally, the people responsible for API security are security engineers, but in recent years, as companies shift left and implement DevSecOps approaches, developers have been increasingly responsible for API security. Research from 42Crunch, an API security platform, showed that in 44% of companies, the developer team was primarily responsible for API security. 

Though API security is a unique threat, the effort toward securing APIs fits well into modern application security. Applications often include many APIs, so any work toward securing an application must necessarily include securing the APIs an application depends on. 

Common API threats

Common API risks range from implementation errors to a lack of rate limiting. OWASP highlights the ten most common API security threats: 

1. Broken object level authorization

2. Broken user authentication

3. Excessive data exposure

4. Lack of resources and rate limiting

5. Broken function level authentication

6. Mass assignment

7. Security misconfiguration

8. Injection

9. Improper assets management

10. Insufficient logging and monitoring

We analyzed this list in more detail in our OWASP Top 10 API risks article here.

10 API security best practices

1. Use API gateways

An API gateway helps companies route API requests, organize API responses, and manage service level agreements (SLAs). API gateways make APIs easier to use, but they’re also an essential security practice because API gateways provide encryption and access control. 

2. Use authentication properly at all levels

A key API security element is ensuring the right application makes the right request. Three of the most common forms of API authentication are HTTP basic authentication, OAuth authentication, and API key authentication. It’s best to authenticate APIs on all levels and to be wary of how you’re storing your API keys. 

3. Encrypt requests and responses

APIs are often vulnerable to man-in-the-middle attacks, wherein attackers insert themselves into the flow of API traffic and either observe or misdirect it. The best practice here is to encrypt any data transfer from a user to an API server and any data transfer from an API server to a user. With encryption, even if attackers intercept requests or responses, the stolen data is impossible to understand. When setting up API’s, HTTPS should be used everywhere to ensure that data is encrypted.

4. Don’t include unnecessary information in an API

API security follows the “principle of least security,” meaning that you should include only the necessary information – and no more – when building an API. The less information sent, the less significant a data breach will be if one happens.

5. Conduct regular security tests and scan for API vulnerabilities

Even with other API security best practices implemented, companies need to conduct regular security tests and API vulnerability scans. Regular tests and scans would serve even companies that have successfully shifted left. 

6. Collect API log data

Effective application security depends, in part, on effective log ingestion and analysis processes. With an effective logging system, you can log every time an API operation is invoked and track every single API event. This level of granular data can help you detect malicious attacks before they happen and analyze how a malicious attack might have happened after the fact. You should be aware of what data your logs are collecting to ensure that you’re not holding onto sensitive information such as PII and security data.

7. Establish quotas and throttle API requests

One of the oldest cybersecurity attacks, distributed denial of service (DDoS) attacks, can hit APIs too. When a DDoS attack targets an API, it often targets both the server your API is running on as well as every endpoint of the API. To prevent DDoS attacks, establish API traffic quotas, rate limits, and throttle API requests to restrict the flow of API traffic.

8. Educate your team about the OWASP API security top 10

Cybersecurity is largely a game of repetition instead of innovation, meaning that most successful attacks are not the result of innovative attack patterns but are instead the result of exploiting well-known mistakes. Take the time to educate your team about the OWASP API security top ten, a list that outlines the most common API security risks. Snyk Learn also provides free security lessons for developers to help your team learn more about cybersecurity concepts.

9. Validate and sanitize API data

Validating and sanitizing API data ensures incoming API data is what you expect it will be. Validation is when your system checks that the incoming data is in the expected type and format. Sanitization is when your system removes any unsafe characters from the incoming data. 

10. Update API services and documentation

Another core cybersecurity practice that applies to API security is keeping everything up to date. For API security, that includes ensuring the APIs are current, and your API documentation is up to date. 

How Snyk can help with API security

The very power of APIs makes them dangerous, so it’s essential that all companies adopt API security best practices and use any available tools to secure their APIs.

Snyk can help you maintain API security in four ways:

• Many backend API services are built on open source libraries, so use Snyk to scan for vulnerable versions. 

• Developers are frequent users and builders of APIs, so you use Snyk Code to perform static application security testing. 

• Containers are often used to deploy API services, so use Snyk Container scanning to find operating system and runtime vulnerabilities. 

• Backend API services are often deployed to the cloud via infrastructure as code, so use Snyk to ensure your infrastructure as code configuration doesn’t expose any security issues. 

APIs are powerful, so don’t let them get into the wrong hands – use these API security best practices and scanning tools to protect your APIs and all the data they have access to.