This post provides details on controls to secure Web Application Programming Interfaces.

Introduction

Web Application is a software running on web servers accessible using any form of browsers or web clients. Web Application can be developed using various scripting languages as PHP,Java,Type script, Python, Perl, Ruby, ASP.Net. Application Programming Interface(API) facilitates communication between two different applications through HTTP. API Provider is an organization that expose resources through API. API Consumer develop applications to use APIs. API Endpoint is a URL accessed by API Consumer application to access resources. Various infrastructure components support API endpoints and its access.

API is the new perimeter for all the organizations.

Effective API Security Strategy

  • Know all your published Web APIS. This can be achieved by regular scans through attack surface management tools

  • Maintain and update API inventory and API documentation

  • Choose the right API authentication method and perform multifactor authentication for all the API calls

  • Make sure all your API endpoints perform user authentication and authorization checks before it allows the consumers to access the resources

  • Know your consumer and perform mutual TLS authentication, that requires two-way authentication between the client and the server. With mutual TLS, Clients must verify their identity to access your API with your Web Server with valid digital certificates

  • Perform Authorization checks with user policies and hierarchy

  • Effectively manage all your APIs through API management or gateway solutions

  • Enforce API Governance policies to implement guardrails to follow standards and security policies over the Web APIs

  • Encrypt all API calls and payload response

  • Rotate the API keys periodically, if in case keys are used and secure the keys in a robust key management solutions

  • Extend Zero Trust principles to all your micro services that support API calls

  • Enable Threat protections capabilities in API gateway solutions to monitor all API traffic

  • Regularly perform security testing over the published APIs

  • Assess and remediate web API misconfigurations identified during penetration testing

  • Assess the security posture of API infrastructure, that includes Identity and access management, API gateway, Micro services platform and other network security devices

  • Leverage API gateway solutions to enable features such as geofencing, schema validation and rate limiting

  • Perform data masking and deidentification on the API response over the critical data

  • Enable visibility by monitoring all the components of API infrastructure

  • Create remediation playbook for rapid response over the API breach

  • Create and develop security usecases to detect attacks over web API

  • Implement network segmentation over microservices platform