Security has become a major headache when it comes to APIs - there’s a reason Gartner says APIs will become the “most frequent attack vector” by 2022. At Achieve Internet, we work with companies across multiple industries and of various sizes to assist them in realizing the technical and business benefits of deploying API management programs. We work with our clients to employ best practices around API development, foundational services, efficient CI/CD processes, and most importantly, security.
Many times, we are engaged with a client that is either mid-project or already in production. In both instances, the client is experiencing difficulty understanding how to configure and/or maintain the management platform to best-practice standards, resulting in deployments that are not fully secure.
Below are the top security oversights we encounter on a consistent basis:
Security Configuration - The most common scenario we encounter with customers who are new to API Management platforms centers around optimum security and authentication configuration. The leading gateways have robust security capabilities that can be implemented in a manner that greatly reduces vulnerabilities across the enterprise digital ecosystem. Additionally, best practices around API key management, password standards, and access token validation are all common oversights. Many times, these capabilities are only partially or erroneously deployed on an ad hoc basis without an overarching security plan due to a lack of internal knowledge of the management platform's security features.
API Development - Not unrelated to configuration, best practices around API Development are paramount to security. In the optimal situation, the API Management Platform can remove a majority of the burden surrounding security off of individual developers and onto standardized security policies enforced by the management program in accordance with a clearly defined API Governance Plan. Additionally, the creation of an “API Styleguide” which can serve as a quick reference for development teams defines the requirements and expectations when building new or modifying existing APIs, as well as reinforcing best practices.
Continuous Security Testing - Given the velocity of change enabled by efficient CI/CD processes and dynamism of API development and refinement in general, the “traditional” once or twice-yearly penetration testing no longer suffices. Achieve engineers are frequently asked, “How do I ensure all of the new APIs we are introducing, with inevitable modifications, are constantly monitored for vulnerabilities?”. As recently as a year ago, the solution to this issue was difficult to find. Luckily, new SaaS-based security platforms allow for penetration testing on-demand and are even able to decipher the business logic of an API for enhanced screening. Additionally, these platforms can also be integrated into CI/CD pipelines to scan for and report any vulnerabilities before production deployment without any intervention needed by the developer or information security team.
API Management Platform Maintenance - Another common security issue Achieve frequently encounters, especially with private cloud/on-premise deployments, is caused by non-existant or only partially completed maintenance activities. The typical symptom of this occurring for a client is the “mysterious” failure of a critical feature or function. When this happens, Achieve is engaged in a platform “health check” to evaluate all of the complex components of the management platform and verity the OS and platform are up to date, caches are being cleared, and routine maintenance is being completed on a regular basis. Often, the biggest threat to security is associated with running an outdated, and potentially unsupported, version of the API management platform or not applying OS security patches and version updates.
While the above is not an exhaustive list, evaluating your API Management Platform and surrounding environment against these common oversights will lead to a more secure and efficient experience for customers, internal development teams, vendors, and business stakeholders alike.
Want more insights into securing your APIs? Join us for our webinar on “How to Incorporate API Security into the Development Cycle” on February 25th!