A day doesn't go by where some API is in the news because of a vulnerability or leaked data. More than ever before, organizations are placing a renewed emphasis on API Security and Cybersecurity.
APIs are everywhere and API Security is of the utmost importance for every organization. According to a recent Gartner CIO and Technical Executive survey, Cyber and Information security are at the top of the list for planned investments in 2022.
As someone who has spent my entire career in the world of APIs and Internet applications, I have seen first-hand the vulnerabilities that can exist with APIs.
This is part of the API Cybersecurity 101 series by Senior API Strategist, Brenton House.
What is an API?
The acronym API stands for Application Programming Interface. Basically, it is a way for non-human systems (or applications) to talk to each other in an agreed-upon way! Most often, people are talking about Web APIs, which include things like REST, GraphQL, gRPC, SOAP, etc. The introduction of smartphones caused exponential growth in the adoption of APIs, as pretty much every single mobile application uses APIs.
What is API Security?
The simple answer is that it is about applying and managing security for your APIs, but as we all know, there is nothing simple about API Security.
In 1983, a movie called War Games was released to theaters. You may never have heard of it, but it was about a boy, David, played by Matthew Broderick, who hacks into NORAD’s military computer system and accidentally ALMOST starts World War III. The movie got the attention of the most powerful man in the world at that time.
“The problem is much worse than you think.”
From that moment on, U.S. Cybersecurity and Defense policy would never be the same.
Fast forward almost 40 years and everyone with a smartphone has a computer more powerful than any supercomputer that existed at that time. YouTube is now full of free videos and training on how to code and become a serious developer (or a hacker). What that means is that almost anyone, from anywhere, in any country, could be trying to get into your APIs and systems TODAY. Everyone needs to be educated and prepared to defend against API attacks; malicious or not.
What most don’t understand is that API security starts with humans, not computers.
If someone puts their password on a sticky note attached to their monitor, it doesn’t matter how many security checks you do, how much security code you have in place, or what different security products you have installed.
There are, however, a lot of things that you can do to protect yourself and minimize damage from this and other forms of social hacking. We will be covering this in upcoming articles of our API Cybersecurity series.
OWASP Top 10 List for API Security
One thing you might have heard of and need to pay attention to is OWASP.
OWASP is the Open Web Application Security Project.
It’s an international non-profit organization dedicated to web application security.
What they are probably best known for is their recurring Top 10 list of web vulnerabilities.
In addition to their lists of web vulnerabilities, they also published a Top 10 list for API Security. It is now a few years old, but all of these items are still important factors to consider for your API Security.
The latest OWASP API Security Top 10 list includes:
- API1:2019 Broken Object Level Authorization
- API2:2019 Broken User Authentication
- API3:2019 Excessive Data Exposure
- API4:2019 Lack of Resources & Rate Limiting
- API5:2019 Broken Function Level Authorization
- API6:2019 Mass Assignment
- API7:2019 Security Misconfiguration
- API8:2019 Injection
- API9:2019 Improper Assets Management
- API10:2019 Insufficient Logging & Monitoring
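To make two of these items concrete, here is an added example (not code from the original article or from OWASP) showing API1:2019 Broken Object Level Authorization and API6:2019 Mass Assignment as a vulnerable handler beside its fixed version. The in-memory order and user records, the caller names and the `EDITABLE_FIELDS` allow-list are constructed assumptions for the illustration.

```python
# Added example, not from the article: API1 (BOLA) and API6 (Mass Assignment)
# from the OWASP API Security Top 10 (2019), vulnerable vs. fixed handlers.

# Constructed sample data: two users, each owning one order.
ORDERS = {
    "ord-1": {"owner": "alice", "total": 42.00},
    "ord-2": {"owner": "bob", "total": 99.00},
}
USERS = {
    "alice": {"email": "alice@example.test", "is_admin": False},
    "bob": {"email": "bob@example.test", "is_admin": False},
}


class Forbidden(Exception):
    """Raised when the authenticated caller may not act on the object."""


# API1:2019 - vulnerable: the order id alone selects the record; the
# authenticated caller is never compared with the order's owner.
def get_order_vulnerable(caller, order_id):
    return ORDERS[order_id]


# API1:2019 - fixed: the authorization decision is made per object
# (does this caller own this order?), not only per endpoint.
def order_readable(caller, order_id):
    order = ORDERS.get(order_id)
    return order is not None and order["owner"] == caller


def get_order_fixed(caller, order_id):
    if not order_readable(caller, order_id):
        raise Forbidden(f"{caller} may not read {order_id}")
    return ORDERS[order_id]


# API6:2019 - vulnerable: every key in the request body is copied onto the
# stored record, so a privileged field such as is_admin can be set by the client.
def update_profile_vulnerable(caller, body):
    USERS[caller].update(body)
    return USERS[caller]


# API6:2019 - fixed: only an explicit allow-list of client-editable fields is
# accepted; any other key in the body is silently dropped.
EDITABLE_FIELDS = {"email"}  # assumed allow-list for this example


def update_profile_fixed(caller, body):
    allowed = {k: v for k, v in body.items() if k in EDITABLE_FIELDS}
    USERS[caller].update(allowed)
    return USERS[caller]
```

The fixed handlers show the two checks a reviewer looks for: an ownership comparison on every object lookup, and an allow-list of writable fields on every update.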
Inside these topics, you are going to discover even more details that you need to be familiar with and understand.
- API Keys
- API Logging
- API Injections
- API Hackers
- Zero Trust APIs
- Shadow APIs
- API Access Control
- API Security Testing
- OAuth and OpenID Connect
- Identity and Access Management
- Multi-Factor Authentication
- API Observation
- API Threat Detection
- And more…