API Security 101 - Cyber Security Explained

API Security and Cybersecurity 101 with Brenton House

A day doesn't go by without some API being in the news because of a vulnerability or leaked data. More than ever before, organizations are placing a renewed emphasis on API Security and Cybersecurity.

APIs are everywhere and API Security is of the utmost importance for every organization. According to a recent Gartner CIO and Technical Executive survey, Cyber and Information security are at the top of the list for planned investments in 2022.

As someone who has spent my entire career in the world of APIs and Internet applications, I have seen first-hand the vulnerabilities that can exist with APIs.

This is part of the API Cybersecurity 101 series by Senior API Strategist, Brenton House.

What is an API?

The acronym API stands for Application Programming Interface. Basically, it is the way non-human systems (or applications) talk to each other in an agreed-upon way! Most often, people are talking about Web APIs, which include things like REST, GraphQL, gRPC, SOAP, etc. The introduction of smartphones caused an exponential growth and adoption of APIs, as pretty much every single mobile application uses APIs.

What is API Security?

The simple answer is that it is about applying and managing security for your APIs, but as we all know, there is nothing simple about API Security.

In 1983, there was a movie called War Games that was released to theaters. You may have never heard of the movie but it was about a boy, David, played by Matthew Broderick, who hacks into NORAD’s Military Computer System and accidentally ALMOST starts World War III. The movie got the attention of the most powerful man in the world, at that time.

According to journalist Fred Kaplan, after seeing a special screening of the movie “War Games”, then-President Ronald Reagan asked the U.S. Military Joint Chiefs of Staff if something like this could really happen. He asked, “Could someone just break into our most sensitive computers?” A week later, the General's response was:

“The problem is much worse than you think.”

From that moment on, U.S. Cybersecurity and Defense policy would never be the same.

Fast forward almost 40 years, and everyone with a smartphone has a computer more powerful than any supercomputer that existed at that time. YouTube is now full of free videos and training on how to code and become a serious developer (or a hacker). What that means is that almost anyone, from anywhere, in any country, could be trying to get into your APIs and systems TODAY. Everyone needs to be educated and prepared to defend against API attacks, malicious or not.

What most don’t understand is that API security starts with humans, not computers.

If someone puts their password on a sticky note attached to their monitor, it doesn’t matter how many security checks you do, how much security code you have in place, or what different security products you have installed.

There are, however, a lot of things that you can do to protect yourself and minimize damage from this and other forms of social hacking. We will be covering this in upcoming articles of our API Cybersecurity series.

OWASP Top 10 List for API Security

One thing you might have heard of and need to pay attention to is OWASP.

OWASP is the Open Web Application Security Project.

It’s an international non-profit organization dedicated to web application security.

What they are probably best known for is their recurring Top 10 list of Web Vulnerabilities.

But in addition to their lists of web vulnerabilities, they also came out with a Top 10 list for API Security. It is now a few years old, but all of these items are still important factors to consider for your API Security.

The latest OWASP API Security Top 10 list includes:

  • API1:2019 Broken Object Level Authorization
  • API2:2019 Broken User Authentication
  • API3:2019 Excessive Data Exposure
  • API4:2019 Lack of Resources & Rate Limiting
  • API5:2019 Broken Function Level Authorization
  • API6:2019 Mass Assignment
  • API7:2019 Security Misconfiguration
  • API8:2019 Injection
  • API9:2019 Improper Assets Management
  • API10:2019 Insufficient Logging & Monitoring
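As an added illustration of two items on that list, API1:2019 Broken Object Level Authorization and API6:2019 Mass Assignment, here is a minimal Python PATCH handler in its unsafe form beside its hardened form. This is example code written for this page, not code from the article or from OWASP; the profile store, field names and handler signatures are constructed.

```python
from dataclasses import dataclass, field


# Constructed sample data (not from the article): two users, each owning one profile record.
def sample_profiles() -> dict:
    return {
        "p1": {"owner": "alice", "display_name": "Alice", "email": "alice@example.test", "is_admin": False},
        "p2": {"owner": "bob", "display_name": "Bob", "email": "bob@example.test", "is_admin": False},
    }


# Fields a caller may change through a PATCH; everything else (owner, is_admin) is server-owned.
WRITABLE_FIELDS = {"display_name", "email"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def patch_profile_vulnerable(caller: str, profile_id: str, payload: dict, store: dict) -> Response:
    """Unsafe handler: trusts the object id from the URL (API1) and copies every JSON key (API6).
    `caller` is the authenticated user, but it is never compared against the record's owner."""
    profile = store.get(profile_id)
    if profile is None:
        return Response(404)
    profile.update(payload)  # mass assignment: client-supplied keys such as is_admin land in the record
    return Response(200, dict(profile))


def patch_profile_hardened(caller: str, profile_id: str, payload: dict, store: dict) -> Response:
    """Hardened handler: per-object ownership check plus an allow-list of writable fields."""
    profile = store.get(profile_id)
    if profile is None:
        return Response(404)
    if profile["owner"] != caller:  # object-level authorization, evaluated on every request
        return Response(403)
    rejected = sorted(set(payload) - WRITABLE_FIELDS)
    if rejected:  # fail closed: reject unknown keys rather than silently dropping them
        return Response(400, {"error": "field not writable", "fields": rejected})
    profile.update(payload)
    return Response(200, dict(profile))
```

In a real service the ownership check belongs next to the data access, not in the client or the API gateway alone, and the allow-list should be the same schema the API documentation advertises.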

Inside these topics, you are going to discover even more details that you need to be familiar with and understand.

  • API Keys
  • API Logging
  • API Injections
  • API Hackers
  • Zero Trust APIs
  • Shadow APIs
  • API Access Control
  • API Security Testing
  • JWTs
  • OAuth and OpenID Connect
  • Identity and Access Management
  • Multi-Factor Authentication
  • API Observation
  • API Threat Detection
  • And more…
