What is Application Programming Interface Security?
An Application Programming Interface (API) is a set of rules that enables a software program to transmit data to another software program. APIs enable developers to avoid redundant work by incorporating new and existing applications instead of building and rebuilding application functions that already exist. This is done by formatting requests as the API requires.
OWASP API Security Project explains API security in this way[1]: “A foundational element of innovation in today’s app-driven world is the API. From banks, retail and transportation to IoT, autonomous vehicles and smart cities, APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible. API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs.”
Given the significant consequences of an API security breach, it is crucial that APIs are managed with API security best practices in mind. The following are examples of API security best practices:
Identify risks. Look for vulnerabilities across the API lifecycle that could put your system at risk. Examples include loosely validated JavaScript Object Notation (JSON) paths or attacks with recognizable signatures, such as Structured Query Language (SQL) injection.
Tokens. Security tokens require authentication on both sides of a communication before it is permitted to proceed. Tokens can control access to network resources by restricting access to only those communication attempts that have the proper tokens.
Encryption. With encryption, communications are disguised on one end and deciphered at the other end using a decryption key. Encryption supports API security by ensuring that communications are unreadable to unauthorized parties.
Open Authorization and OpenID Connect. Open Authorization (OAuth) governs how a client-side application obtains access tokens, and OpenID Connect (OIDC) is an authentication layer that sits atop OAuth, allowing clients to verify the identity of the end user. Together they ensure that communication is only allowed from parties holding the proper tokens and/or credentials.
API gateway. An API gateway sits between the client and the collection of services on the back end. It acts as a reverse proxy, authenticating traffic as it passes through.
Throttling and quotas. Throttling limits the rate at which data is transferred, and quotas limit the total amount of data that can be transferred. Both support API security by protecting bandwidth and limiting how much access any one client has to a system.
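To make the throttling/quota distinction concrete, here is an added example (not code from the original article or from OWASP) of a per-client limiter: a token bucket enforces the rate (throttling), while a running byte count inside a rolling window enforces the volume (quota). The limit values, client keys and injectable clock are constructed for illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed policy values (assumptions, not from the article):
RATE_PER_SEC = 5.0            # throttling: tokens refilled per second
BURST = 5                     # throttling: maximum bucket size
DAILY_QUOTA_BYTES = 1_000_000 # quota: bytes a client may receive per window
QUOTA_WINDOW_SEC = 86_400     # quota window length (one day)


@dataclass
class ClientState:
    last_refill: float        # when the bucket was last topped up
    window_start: float       # when the current quota window began
    tokens: float = BURST     # throttling state (rate)
    bytes_used: int = 0       # quota state (volume)


class ApiLimiter:
    """Per-client throttling (requests/second) and quota (bytes/window)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.clients = {}  # client key -> ClientState

    def _state(self, key: str) -> ClientState:
        if key not in self.clients:
            now = self.clock()
            self.clients[key] = ClientState(last_refill=now, window_start=now)
        return self.clients[key]

    def check(self, key: str, response_bytes: int) -> Tuple[bool, str]:
        """Decide whether one request may proceed; returns (allowed, reason)."""
        st = self._state(key)
        now = self.clock()
        # Throttling: refill tokens in proportion to elapsed time, capped at BURST.
        st.tokens = min(BURST, st.tokens + (now - st.last_refill) * RATE_PER_SEC)
        st.last_refill = now
        # Quota: reset the byte counter when the window has rolled over.
        if now - st.window_start >= QUOTA_WINDOW_SEC:
            st.window_start, st.bytes_used = now, 0
        if st.bytes_used + response_bytes > DAILY_QUOTA_BYTES:
            return False, "quota_exceeded"   # e.g. HTTP 429, Retry-After: next window
        if st.tokens < 1:
            return False, "rate_limited"     # e.g. HTTP 429, short Retry-After
        st.tokens -= 1
        st.bytes_used += response_bytes
        return True, "ok"
```

The quota check runs before the bucket is charged, so a client that is over quota does not also burn rate tokens while being refused.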
Zero-trust. The zero-trust security framework presumes that all traffic is untrustworthy, ensuring that only authorized users can access a system.
[1] OWASP, 2023, “OWASP API Security Project”