Question: How can organizations make sure their APIs are resistant to compromise, in the face of increased API-based attacks?
Rory Blundell, founder and CEO of Gravitee: Businesses of all sizes and across all industries routinely rely on internal APIs to unite their line-of-business apps, and on external APIs to share data or services with vendors, customers, or partners. Because a single API may have access to multiple applications or services, compromising the API is an easy way to compromise a broad set of business assets with minimal effort.
APIs have become a popular attack vector, and the frequency of API attacks has increased by an astounding 681%, according to recent research from Salt Labs. The first step in securing your APIs is to follow best practices, such as those that OWASP recommends to protect against common API security risks.
However, basic API security practices are not enough to keep IT resources safe. Businesses should take the following additional steps to protect their APIs.
1. Adopt Risk-Based Authentication
Businesses should adopt risk-based authentication policies, which allow enforce security protections in instances of heightened risk. For example, an API client with a long record of issuing legitimate requests that follow a predictable pattern might not need to go through the same level of authentication for each request as a new client who has never connected before. But if the longtime API client’s access pattern changes — if, for instance, the client suddenly begins issuing requests from a different IP address — requiring more rigorous authentication would be a smart way to ensure that the requests don’t come from a compromised client.
2. Add Biometric Authentication
Although tokens remain important as a basic means of authenticating clients and requests, they can be stolen. For that reason, coupling token-based authentication with biometric authentication is a smart way to enhance API security. Rather than assuming that anyone who possesses an API token is a valid user, developers should design applications so that users also have to authenticate using fingerprints, face scans, or a similar method, at least in higher-risk contexts.
3. Enforce Authentication Externally
The more complex your API authentication schemes become, the harder it is to enforce security requirements within your application itself. For that reason, developers should strive to decouple API security rules from application logic and instead use external tools, like API gateways, to enforce security requirements. This approach makes API security policies more scalable and flexible because they can be easily implemented and updated within API gateways, rather through application source code. And most importantly, it lets you apply different rules to different users or requests based on varying risk profiles.
4. Balance API Security With Usability
It’s important not to let security become the enemy of usability. If you make API authentication measures too intrusive or burdensome, your users might abandon your APIs, which is the opposite of what you want to happen. Avoid this by ensuring that API security rules are strict when there is a reason for them to be, but without imposing unnecessary requirements.
Attacks targeting APIs show no sign of slowing down. When designing and securing APIs, developers should go beyond OWASP recommendations to make it harder to exploit the API.
