So you think your APIs are secure?
You might want to take another look at your security.
APIs are everywhere and API Security is of the utmost importance for every organization. According to a recent Gartner CIO and Technical Executive survey, Cyber and Information security are at the top of the list for planned investments in 2022.
As someone who has spent my entire career in the world of APIs and Internet applications, I have seen first-hand the vulnerabilities that can exist with APIs.
So let's start with the basics.
So what is API Security? The simple answer is that it is about applying and managing security for your APIs, but as we all know, there is nothing simple about API Security.
In 1983, a movie called War Games was released to theaters. You may never have heard of it, but it was about a boy, David, played by Matthew Broderick, who hacks into NORAD's military computer system and accidentally ALMOST starts World War III. The movie got the attention of the most powerful man in the world at that time.
According to journalist Fred Kaplan, after seeing a special screening of "War Games", then-President Ronald Reagan asked the Chairman of the US Joint Chiefs of Staff whether something like this could really happen: "Could someone just break into our most sensitive computers?" A week later, the General's response was:
"The problem is much worse than you think."
From that moment on, U.S. Cybersecurity and defense policy would never be the same.
Fast forward almost 40 years, and everyone with a smartphone carries a computer more powerful than any supercomputer that existed at that time. YouTube is now full of free videos and training on how to code and become a serious developer (or a hacker). What that means is that almost anyone, from anywhere, in any country, could be trying to get into your APIs and systems TODAY. Everyone needs to be educated and prepared to defend against API attacks, malicious or not.
What most don't understand is that API security starts with humans not computers.
If someone puts their password on a sticky note attached to their monitor, it doesn't matter how many security checks you do, how much security code you have in place, or what security products you have installed.
There are, however, a lot of things that you can do to protect yourself and minimize damage from this and other forms of social engineering. We will be covering this in upcoming articles of our API Cybersecurity series.
There are some key weapons that you can arm yourself with to defend your systems against API hackers and intruders. The core of your API security is going to be an API Gateway. An API Gateway can provide protection against a lot of things, including Denial of Service attacks. It can also provide API monitoring, logging, and API rate limiting. It can restrict traffic based on IP addresses and other metadata, handle security token validation, and much more. The API Gateway makes it easy to create, maintain, monitor, and secure your APIs.
A Web Application Firewall (or WAF) stands between the public traffic and your API Gateway or application. A WAF can give you additional protection against things like bots by using security rules, machine learning, and sometimes artificial intelligence. It can provide malicious bot detection, identify attack signatures, and add IP intelligence. A WAF can block bad traffic before it even reaches your Gateway.
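The two layers above are easier to reason about in code. The following is an added example, not code from this article or from any Software AG product: a small Python model of the WAF-then-Gateway chain. The WAF layer applies an IP-reputation denylist and a couple of attack-signature rules; the Gateway layer validates an HS256-signed JWT and enforces a per-client token-bucket rate limit. The signing secret, the blocked network range, the signature rules and the sample requests are all constructed for the demo.

```python
"""Layered API protection: WAF checks (IP reputation, attack signatures) run
first, then Gateway checks (token validation, per-client rate limiting).
Added example; all keys, networks, rules and traffic below are constructed."""
import base64
import hashlib
import hmac
import ipaddress
import json
import re

SECRET = b"demo-signing-key"                              # HS256 key shared with the issuer (assumed)
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # "bad reputation" range (TEST-NET-3, constructed)
SIGNATURES = {                                            # minimal attack-signature rules (constructed)
    "path_traversal": re.compile(r"\.\./"),
    "sqli": re.compile(r"(?i)\bunion\s+select\b|'\s*or\s+'1'\s*=\s*'1"),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issuer side: mint an HS256 JWT so the demo has tokens to validate."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, now: float, secret: bytes = SECRET):
    """Gateway side: claims if the signature is valid and the token is unexpired,
    else None.  The algorithm is pinned to HS256 and the header's own 'alg'
    field is ignored, so an attacker-supplied 'alg: none' simply fails."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):   # constant-time compare
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:                # malformed structure, base64 or JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


class TokenBucket:
    """Per-client limiter: up to `burst` requests at once, refilled at `rate`/s."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets = {}             # client id -> (tokens, last_seen)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[client] = (tokens - 1 if allowed else tokens, now)
        return allowed


def waf_check(req: dict):
    """WAF layer: cheap reputation and signature checks before any auth work."""
    if any(ipaddress.ip_address(req["ip"]) in net for net in BLOCKED_NETS):
        return "blocked_ip"
    for name, pattern in SIGNATURES.items():
        if pattern.search(req["path"]) or pattern.search(req.get("body", "")):
            return name
    return None


def handle(req: dict, limiter: TokenBucket, now: float):
    """WAF first, then Gateway; returns (layer, reason) or ("ok", subject)."""
    reason = waf_check(req)
    if reason:
        return ("waf", reason)
    claims = verify_token(req.get("token", ""), now)
    if claims is None or not claims.get("sub"):
        return ("gateway", "invalid_token")
    if not limiter.allow(claims["sub"], now):
        return ("gateway", "rate_limited")
    return ("ok", claims["sub"])


def run_demo():
    """Constructed traffic mix; returns the decision for each request in order."""
    now = 1_700_000_000.0
    limiter = TokenBucket(rate=1.0, burst=2)
    good = make_token({"sub": "alice", "exp": now + 300})
    expired = make_token({"sub": "bob", "exp": now - 1})
    head, _, sig = good.split(".")    # alice's signature glued onto forged claims
    tampered = f"{head}.{b64url(json.dumps({'sub': 'admin', 'exp': now + 300}).encode())}.{sig}"
    requests = [
        {"ip": "203.0.113.7", "path": "/v1/orders", "token": good},
        {"ip": "198.51.100.5", "path": "/v1/files?name=../../etc/passwd", "token": good},
        {"ip": "198.51.100.5", "path": "/v1/orders", "token": expired},
        {"ip": "198.51.100.5", "path": "/v1/orders", "token": tampered},
        {"ip": "198.51.100.5", "path": "/v1/orders", "token": good},
        {"ip": "198.51.100.5", "path": "/v1/orders", "token": good},
        {"ip": "198.51.100.5", "path": "/v1/orders", "token": good},
    ]
    return [handle(r, limiter, now) for r in requests]
```

Running `run_demo()` shows the division of labour: the denylisted source and the traversal attempt never reach the Gateway, the expired and tampered tokens are rejected before they consume any rate-limit budget, and alice's third call in the same second is throttled. Two caveats carry over to real deployments: the WAF's IP decision must be made on the true client address (not on a client-supplied X-Forwarded-For header), and a production gateway also checks issuer and audience claims, not just signature and expiry.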
Then there are also stand-alone security products. These products support features that can be broken down into categories such as realtime protection, static code and vulnerability scanning, build-time checking, and security fuzzing.
Many of the security products in the market will support features in some or all of these categories.
Last of all, we have security that is implemented inside the APIs or applications themselves. I am not going to go into this very much in this article, but I will simply point out that implementing all of that security properly in your API code takes real resources and is difficult to apply consistently across your entire API portfolio.
With any security feature or product, it is important to remember that security is a moving target. You want to know that the product (or products) that you use will stay up-to-date in protecting you against the latest vulnerabilities.
But doesn't an API Gateway implement "Security as a Feature"? Yes. And it is a critical part of your API Management security strategy. API Gateways integrate with and work well with standalone API security products and Web Application Firewalls to provide solid and comprehensive protection for your APIs. Leaving out the core part of your API security strategy, such as an API Gateway, a component that probably knows more about your APIs and the context of your traffic than any other system, is a really bad idea.
If your only focus is on Web Application Firewalls or external security products and you ignore (or misconfigure) the protection provided by your API Gateway, you could be leaving yourself wide open to an attack.
Don't leave yourself vulnerable!
All of this only reinforces the fact that there is not a one-size-fits-all solution for API Security. You can't just buy an "API security black box" from Best Buy, plug it in, and suddenly everything is protected.
To implement a proper API Security solution, it is important to understand your APIs, the 3rd-party APIs you use, and the functionality and value your APIs add to your organization. This will help you better grasp how API Security ties into integrations with your partners and users. API Security is still one area that will require you to spend some time and resources to ensure it is implemented (and CONTINUES to be implemented) correctly.
When you are looking at your API ecosystem, don't forget about API integrations and the 3rd-party APIs that you will be integrating with. If these 3rd-party APIs, or the integrations themselves, are insecure, your data, internal systems, and APIs could be compromised. Using a solid API integration solution (like Software AG's webMethods.io) with a proven track record can not only protect your API integrations but also work seamlessly with your API Gateway platform.
To better equip organizations and individuals to protect themselves and their APIs, we've created a new series called API Cybersecurity 101. The purpose of this series of videos and blog posts is to educate and equip everyone from developers to executives with the resources you need to shield and protect your APIs. You can check out our API Cybersecurity video series on YouTube on the API Shorts channel: https://youtube.com/apishorts
Brenton House is Vice President of Digital Evangelism at Software AG. As an API and Digital Transformation Evangelist and Strategist, he has connected enterprises with API solutions and microservices, to help drive innovation and overall business growth for many organizations.
In his 25+ years of experience, he has worked across many industries including broadcasting, advertising, retail, financial services, supply chain, transportation, technology, and publishing -- gaining a breadth of knowledge on all things APIs and Integrations. His diverse experience set and unique creative skill sets have enabled him to equip organizations in creating captivating and innovative products that delight users.
⭐ Software AG Blog ▪ https://blog.softwareag.com
⭐ API Knowledge Portal ▪ https://knowledge.softwareag.com
⭐ Software AG Tech Community ▪ https://techcommunity.softwareag.com/
🎬 Software AG YouTube Channel ▪ https://youtube.com/softwareag
🎬 Brenton House's YouTube Channel ▪ https://youtube.com/brentonhouse
🎬 API Shorts YouTube Channel ▪ https://youtube.com/apishorts