What is API security?
API security refers to the implementation of security controls that are meant to protect organizations, their people, and their data from the evolving API (application programming interface) threat landscape.
FAQ
How do I secure an API?
It’s important to first understand the methods of discovery, testing, and protection for web applications and APIs. One way to look at APIs is as an extension of the visible application attack surface, with three core areas being most important for knowing and securing applications that rely on APIs:
API Discovery
Organizations can identify APIs that are used to compose and integrate applications and data, finding internal and external APIs that are exposed and consumed. Multiple API discovery methods exist, including crawling for endpoints and spec files, analyzing API traffic, and interfacing with API management tools.
API Security Testing
Known API endpoints are tested manually or through automated scanning to find vulnerabilities either in the API itself or in the backend application. Due to the large numbers of endpoints and parameters to be tested–growing faster due to the use of AI coding assistants–dynamic application security testing (DAST) tools are increasingly used to automate the process.
API Protection
It is common to use API gateways as a single point of access that puts multiple security measures between an API and potential attackers, including rate limiting, load balancing, and API traffic filtering using a web application firewall (WAF).
Some organizations also implement API posture management (sometimes called classification or categorization) by labeling API endpoints for more effective remediation of newly-identified vulnerabilities. Additionally, API access control is often part of API security strategies and involves defining users and application access for specific APIs so that security has more control over these environments.
Why is API security important?
As a field of web application security, API security is crucial for protecting modern applications that commonly rely on web services communicating via APIs to exchange data with users and other systems. For microservice architectures, entire apps are built using loosely coupled services that rely on API calls for external and also internal communication.
As developers are pushed to build applications and APIs more and more quickly, the use of AI coding assistants is on the rise. Looking at this from a security lens, that means more and more vulnerabilities are introduced into API code as these AI tools lack the necessary security awareness to support security coding practices effectively.
Compared to user interfaces, APIs provide a less visible way for attackers to access application data, including potentially sensitive information. This makes APIs a prime target and a significant source of data breaches that lead to business and personal data exposure. When you factor in the millions of IoT (Internet of Things) devices worldwide that rely on web APIs, successful API attacks can even allow malicious hackers to compromise some physical security measures or use internet-facing devices as entry points into internal systems.
What are the most common types of APIs?
REST APIs are by far the most common API type, used by over 85% of organizations that work with APIs according to a 2023 report. REST (REpresentational State Transfer) is not a strict protocol but an architectural style for building web applications and services, with JSON being the typical data interchange format.
In contrast, SOAP (Simple Object Access Protocol) is an XML-based API type where requests have to conform to a predefined schema. While less common than REST and slowly declining in popularity compared to GraphQL, SOAP APIs are still used in business applications.
A relative newcomer compared to REST and SOAP, GraphQL is a data query and manipulation language for building database access APIs that is rapidly gaining popularity, with up to 30% of organizations reporting they have some GraphQL APIs as of 2023.
Also worth mentioning is gRPC—a specialized API format designed specifically for high-performance microservice-based applications but also gaining popularity for mobile application backends. According to the same report, just over 10% of API developers were building with gRPC in 2023.
What API vulnerabilities are there?
An application programming interface only serves as an intermediate layer for accessing an underlying application or system. This means you always have to think about API vulnerabilities on two levels:
- Vulnerabilities in the API itself: Only authorized and valid API requests should be passed on to the application. Compromising API safeguards allows attackers to break or bypass authorization, gain access to an API, and send malicious requests to the app. API vulnerabilities include weak or unprotected API keys, broken authentication mechanisms, failure to enforce end-to-end API traffic encryption with SSL/TLS (Transport Layer Security), and susceptibility to DDoS (Distributed Denial of Service) attacks through inadequate rate limiting.
- Vulnerabilities in the underlying application: To an attacker, an API endpoint is merely an extra application surface to probe and attack. Once API-level protections are broken or bypassed, malicious actors can target many common security vulnerabilities through API calls to attempt injection attacks such as SQL injection, command injection, and cross-site scripting (XSS). Server-side request forgery (SSRF) vulnerabilities are especially dangerous in the context of APIs as they can expose access to backend systems that weren’t supposed to be public-facing.
What are the most common API security risks?
Vulnerable APIs can add a wide variety of security risks to your overall cybersecurity picture. The API Security Top 10 maintained by OWASP (the Open Web Application Security Project) is a popular resource that lists the most common API risk categories but focuses mostly on secure API design. A broader approach is to think of API security risks as being related to:
- Authorizing and authenticating access: Authorization failures can occur on the level of objects (broken object-level authorization, aka BOLA), object properties, and app functions (broken function-level authorization). Broken authentication is another major risk category, with unauthenticated API endpoints being a common data breach vector for sensitive data exposure.
- Limiting access: All API access must be constrained and managed to mitigate security threats such as server resource exhaustion, mass data extraction, and other attempts to abuse API functionality, for example through brute-force enumeration.
- Inventory management: Running unmaintained old versions of endpoints or entire APIs provides threat actors with an easy starting point, greatly increasing the risk of unauthorized access. Ideally, organizations should know and document all their APIs and endpoints, both private and public, though this is rarely achieved in practice.
- Configuration: Security misconfigurations, most notably misconfigured security headers, are a common source of risk for web applications and APIs alike, introducing security risks that are beyond developer control.
- Security vulnerabilities: API attacks are often only one small part of a larger application attack targeting specific security flaws. SSRF vulnerabilities can be especially impactful, allowing attackers to manipulate URLs to get access to remote resources via APIs.
API security best practices
- Formulate and enforce an API security strategy that includes API discovery, management, inventory, protection, and secure design.
- Use industry-standard security solutions from trusted providers to provide runtime protection for any large production APIs, including access control and automated traffic filtering and throttling.
- Use centralized asset management to help security teams and developers keep track of active APIs and current API definitions, including a centralized and automated process for enrolling and decommissioning APIs.
- Define security standards for API design and development that include approved design patterns and security controls.
- Follow zero trust principles by never blindly assuming that API user authentication will be handled elsewhere.
- Treat APIs like another application attack surface that needs consistent and continuous security testing as part of the software development lifecycle.
- Follow secure coding practices to minimize app and API risks. These should include input validation for all API inputs and protecting object identifiers to prevent IDOR vulnerabilities.
- Embed API security testing into existing DevOps pipelines by integrating security testing solutions with your existing issue trackers and collaboration tools.
Combining web application and
API security testing using DAST
APIs provide a standardized abstraction layer for accessing an underlying service, system, or application. You might not have direct access to the software behind the API or its source code, so the vast majority of API testing has to be dynamic—and that includes security testing. This makes dynamic application security testing (DAST) tools a natural choice for probing both the API and the GUI of an app, but very few vulnerability scanners are mature and accurate enough to fill this role.
Invicti was the first DAST vendor to build API scanning into its products and continues to lead the market in web app and API testing accuracy, coverage, and automation. Invicti Enterprise comes with a host of features and capabilities for automated API security testing, including:
- Support for REST, SOAP, and GraphQL API definitions.
- Multi-faceted endpoint and definition discovery for REST APIs.
- Fully automated authenticated scanning across web apps and APIs, including OAuth single sign-on.
- Centralized visibility of API endpoints and vulnerabilities as part of the overall web application attack surface.
- Automatic URL rewriting to enumerate and test predictable endpoints discovered during crawling.
- Hundreds of mature security checks to safely and accurately detect security issues in websites, applications, and APIs.