
Enterprise security must catch up with API innovation

Bernard Harguindeguy

When it comes to API security, even companies with world-class security teams like Facebook and Google are getting caught off guard. In this article, Bernard Harguindeguy offers 12 must-have best practices for protecting API infrastructure from hacking and abuses.

API security is now mission-critical for every organization – yet many still struggle to get it right.

In fact, even companies with world-class security teams like Facebook and Google are getting caught off guard.  

In recent months, we’ve learned that faulty API deployments at both companies exposed vast stores of sensitive account information – 30 million users were affected at Facebook, and 500,000 at Google. Worse yet, their security teams were in the dark for ages. In the case of Facebook, it took 14 months to spot the API vulnerability; three years for Google. 

What’s going on here? It’s complicated. 

While every new wave of technology creates new security challenges, the proliferation of APIs in recent years is unlike anything we’ve seen before. For one, businesses today are adopting APIs at an extraordinary speed. That’s cause for trouble because the attack surface a company must defend expands with every new API it deploys, and enterprise security teams are already stretched dangerously thin to begin with. Second – and far more concerning – is the fact that most companies don’t have any visibility into their APIs. That’s a huge risk, especially when you consider that APIs often plug deep into an organization’s core systems and databases. 

What can you do about it? Based on 20+ years of experience in DevSecOps, here are 12 must-have best practices for protecting API infrastructure from hacking and abuses.

1. Assemble a team to oversee API security

DevOps teams racing to keep up with the speed of modern business can unwittingly leave APIs open to attack. What’s needed is a special team embedded in DevOps whose sole purpose is providing oversight for API security. In particular, this team delivers guidance on proper API security design techniques, as well as deploying solutions and processes to track API activity and block threats.

2. Regularly test APIs for vulnerabilities

Don’t wait for hackers to find vulnerabilities in your APIs – bring your security and DevOps teams together regularly to test them. Involving API developers in the process is critical, as they will have the best sense of where to find potential weak spots and vulnerabilities.

3. Adopt a “continuous security” mindset

Engineering teams practicing continuous delivery must also adhere to a “continuous security” mindset throughout the development lifecycle. The best way to prevent API vulnerabilities is by developing code that is secure by design. Inserting API security expertise within DevOps teams can help. 

4. Automate security scans, tests, and monitoring

When it comes to regularly scanning, testing and monitoring APIs for vulnerabilities, there is no substitute for automation. Humans are fallible, and there is no room for error: even with the best team and practices in place, all it takes is one day where someone is tired or absent-minded to end up with a critical API vulnerability buried deep in the code. Artificial intelligence, on the other hand, never gets tired – its performance only improves over time. The goal of automating these tasks is to recognize and respond to attacks that fly under the radar of traditional API security measures. 

5. Monitor API activity for anomalous behavior

Lack of visibility into API activity remains a huge blind spot for many companies today, and that’s just asking for trouble. In fact, it’s one of the key reasons why so many breaches go undetected for months or years despite ongoing data theft. How do you gain visibility into API access attempts and sessions? Start capturing audit trails from your API gateway on a regular basis – along with system and application data logs – and rigorously compare them to root out anomalous behavior. While solutions like PingIntelligence for APIs can automate much of this process, it can also be done manually. If you follow the manual approach, don’t get discouraged by how long it takes. Remember that even if it takes a month to comb through and correlate all of the data, it’s still better than leaving a back door open for 14 months.
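A small illustration of the manual approach, added here as an example (it is not code from the article or from PingIntelligence for APIs): the audit-log format, the client identifiers and the thresholds are all constructed assumptions. It groups gateway audit lines per client and flags three patterns a reviewer would want surfaced: rapid walks through many distinct user records, repeated authentication failures, and request bursts.

```python
"""Flag anomalous clients in API gateway audit lines (added example; the log
format, client IDs and thresholds are constructed assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit trail: "<UTC timestamp> <client_id> <method> <path> <status>"
SAMPLE_AUDIT_LOG = """\
2019-03-01T10:00:01Z client-a GET  /v1/users/1001        200
2019-03-01T10:00:02Z client-a GET  /v1/users/1001/photos 200
2019-03-01T10:00:05Z client-b GET  /v1/users/2001        200
2019-03-01T10:00:06Z client-c GET  /v1/users/3001        200
2019-03-01T10:00:06Z client-c GET  /v1/users/3002        200
2019-03-01T10:00:07Z client-c GET  /v1/users/3003        200
2019-03-01T10:00:07Z client-c GET  /v1/users/3004        200
2019-03-01T10:00:08Z client-c GET  /v1/users/3005        200
2019-03-01T10:00:09Z client-c GET  /v1/users/3006        200
2019-03-01T10:00:09Z client-d POST /v1/login             401
2019-03-01T10:00:09Z client-d POST /v1/login             401
2019-03-01T10:00:10Z client-d POST /v1/login             401
2019-03-01T10:00:10Z client-d POST /v1/login             401
2019-03-01T10:00:11Z client-d POST /v1/login             200
"""

USER_RESOURCE = re.compile(r"^/v1/users/(\d+)")


def parse_audit_line(line: str) -> dict:
    ts, client, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "client": client, "method": method, "path": path, "status": int(status),
    }


def analyze_audit_log(text: str, enum_threshold: int = 5, auth_fail_threshold: int = 3,
                      burst_min: int = 5, burst_rps: float = 1.5) -> dict:
    """Return {client_id: [reasons]} for clients whose behaviour crosses a threshold."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            event = parse_audit_line(line)
            per_client[event["client"]].append(event)

    findings = {}
    for client, events in per_client.items():
        events.sort(key=lambda e: e["ts"])
        reasons = []

        # Many distinct user records from one client looks like an enumeration walk.
        user_ids = set()
        for event in events:
            match = USER_RESOURCE.match(event["path"])
            if match:
                user_ids.add(match.group(1))
        if len(user_ids) >= enum_threshold:
            reasons.append("resource enumeration")

        # Repeated 401/403 responses suggest credential guessing or token probing.
        failures = sum(1 for e in events if e["status"] in (401, 403))
        if failures >= auth_fail_threshold:
            reasons.append("repeated auth failures")

        # A sustained request rate above what an interactive client would produce.
        span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
        if len(events) >= burst_min and len(events) / max(span, 1.0) >= burst_rps:
            reasons.append("request burst")

        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in analyze_audit_log(SAMPLE_AUDIT_LOG).items():
        print(client, "->", ", ".join(reasons))
```

On the constructed sample, client-a and client-b behave normally, client-c is flagged for walking six user records in three seconds, and client-d for four failed logins followed by a success. The thresholds are deliberately low so the example is readable; in practice they are tuned from a baseline of the gateway's own history.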

6. Authentication and authorization at every tier

When hackers reverse-engineer APIs, they are looking for ways to force an API into a state where data can be captured without having to show credentials. Adding security measures like multi-factor authentication, continuous authentication and authorization, and properly validating tokens/cookies at every tier can have a major impact on your security posture. 
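To make "validate tokens at every tier" concrete, here is an added example (not code from the article or from Ping Identity) of an HMAC-signed bearer token that the gateway verifies and that each backend service verifies again for the scope it needs, rather than trusting the hop before it. The token layout, the secret and the scope names are assumptions for illustration; a production deployment would normally use a standard format such as a signed JWT with per-issuer keys.

```python
"""Validate a signed token at every tier (added example; the token layout,
secret and scope names are constructed assumptions)."""
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, scopes: list, ttl: int, now: int) -> str:
    """Token = <base64 claims>.<base64 HMAC-SHA256 over the encoded claims>."""
    claims = {"sub": subject, "scp": scopes, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(secret: bytes, token: str, required_scope: str, now: int):
    """Return the claims if signature, expiry and scope all check out, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    if required_scope not in claims.get("scp", []):
        return None
    return claims


# Each tier re-validates with the scope *it* needs; none trusts the previous hop.
TIER_SCOPES = {"gateway": "api:access", "users-service": "users:read"}


def request_path(secret: bytes, token: str, now: int) -> list:
    """Walk the tiers in order and record the decision each one makes."""
    decisions = []
    for tier, scope in TIER_SCOPES.items():
        claims = verify_token(secret, token, scope, now)
        decisions.append((tier, "allow" if claims else "deny"))
        if claims is None:
            break   # the request never reaches the next tier
    return decisions
```

The point of `request_path` is that a token good enough to pass the gateway is not automatically good enough for the service behind it: a token carrying only `api:access` is admitted by the gateway and then refused by the users service, so a caller who finds a way around the gateway gains nothing.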

7. Flow control and TLS encryption at all times

Man-in-the-middle attacks are another common way hackers steal data through APIs. Using flow control (rate limiting and throttling) and TLS encryption can prevent DoS attacks and keep data from being intercepted, eavesdropped on or otherwise tampered with en route. 
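An added example (not from the article) of both halves of this practice using only Python's standard library: a per-client token bucket that rejects traffic above an agreed rate, which is the flow control that blunts a flood before it reaches the backend, and a TLS client context that refuses anything below TLS 1.2 and always verifies the server certificate and hostname. The rate, burst size and client name are assumptions.

```python
"""Per-client flow control and a strict TLS context (added example; the rate,
burst size and client name are constructed assumptions)."""
import ssl


class TokenBucket:
    """Allows `rate` requests per second on average, with bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int):
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        # Refill in proportion to elapsed time, never beyond capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class FlowControl:
    """One bucket per client identity (API key, token subject or source address)."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.buckets = {}

    def check(self, client: str, now: float) -> bool:
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.capacity))
        return bucket.allow(now)


def strict_tls_context(cafile: str = None) -> ssl.SSLContext:
    """Client-side context: TLS 1.2 or newer, certificate and hostname always verified."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def tls_context_summary(cafile: str = None) -> dict:
    """The settings a reviewer would check on the context above."""
    ctx = strict_tls_context(cafile)
    return {
        "min_version": ctx.minimum_version.name,
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


def simulate_flood(rate: float = 2.0, capacity: int = 5):
    """Constructed traffic: 8 requests at t=0 from one client, then 3 more one second later."""
    fc = FlowControl(rate, capacity)
    first_burst = [fc.check("client-x", 0.0) for _ in range(8)]
    later = [fc.check("client-x", 1.0) for _ in range(3)]
    return first_burst, later
```

With a capacity of five and a refill rate of two per second, the first five requests of the burst pass, the next three are dropped, and one second later exactly two more are admitted. The context returned by `strict_tls_context` is what you would hand to `http.client.HTTPSConnection` or `urllib` when an API client calls out, so that a downgraded or unverified connection is never silently accepted.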


8. Stop app servers from sending error messages with system traces

This is one best practice that DevOps teams routinely overlook. When developing and debugging APIs, traces are often created automatically and then forgotten about. These error messages frequently contain IP addresses, system names and other details that hackers can harvest by deliberately triggering errors when probing APIs. 
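The contrast below is an added example (not from the article): the first handler returns the exception text and stack trace to the caller, the pattern this item says to stop; the second logs the full trace server-side under an incident id and returns only that id. The failing handler, its internal hostname and address, and the `leaks_internals` check are all constructed; the check is the kind of assertion one would run over error bodies in the test suite so that a regression is caught before deployment.

```python
"""Leaky vs. safe API error responses (added example; the handler, hostname,
address and leak patterns below are constructed assumptions)."""
import json
import logging
import re
import traceback
import uuid

log = logging.getLogger("api.errors")

# Signs that an error body carries internal detail: stack traces, source file
# references, private addresses, internal hostnames. Extend for your own naming.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File \\?"[^"]+\\?", line \d+'),
    re.compile(r"\b(?:10|127)\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"),
    re.compile(r"\b(?:172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b"),
    re.compile(r"\b[\w.-]+\.(?:internal|corp|local)\b"),
]


def leaks_internals(body: dict) -> list:
    """Patterns found in the serialized response body (empty list means clean)."""
    text = json.dumps(body)
    return [p.pattern for p in LEAK_PATTERNS if p.search(text)]


def leaky_error_response(exc: Exception) -> dict:
    # What debugging middleware often does by default: the trace goes to the caller.
    return {"status": 500, "body": {"error": str(exc), "trace": traceback.format_exc()}}


def safe_error_response(exc: Exception) -> dict:
    incident_id = uuid.uuid4().hex
    # The detail stays where operators can see it, keyed by the id the caller gets.
    log.error("incident %s: %s\n%s", incident_id, exc, traceback.format_exc())
    return {"status": 500, "body": {"error": "internal error", "incident_id": incident_id}}


def handle_request(handler, safe: bool = True) -> dict:
    """The boundary at which traces must stop; `safe=False` shows the leaky variant."""
    try:
        return {"status": 200, "body": handler()}
    except Exception as exc:
        return safe_error_response(exc) if safe else leaky_error_response(exc)


def failing_handler():
    # Constructed failure naming an internal host, as a real driver error might.
    raise ConnectionError("could not connect to db-primary.internal:5432 (10.0.4.17)")
```

The caller of the safe variant still has something actionable (an incident id to quote to support), and operators can correlate that id with the logged trace, which is all that the debugging convenience ever required.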

9. NEVER register internal API names in a public DNS

Registering internal APIs on public DNS servers is a classic mistake I see all the time. Not only does this expose your internal APIs, it makes future name changes difficult because it requires updating the DNS servers as well. Instead, keep all API names internal and map them to external names designed for use with public DNS. 
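A check one can run against the public zone, added here as an example (not from the article): it reads a constructed zone-file fragment and reports any record that points a public name at an internal hostname or publishes a private address, while the external-to-internal mapping lives in the gateway's own configuration where DNS never sees it. The zone contents, the internal-name suffixes and the mapping are all constructed.

```python
"""Audit a public DNS zone for leaked internal names (added example; the zone
fragment, suffixes, addresses and mapping are constructed)."""
import ipaddress

INTERNAL_SUFFIXES = (".internal", ".corp.example")   # naming used inside the network

# RFC 1918, loopback and link-local ranges that should never appear in a public zone.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]

# Constructed public zone; the last two records are the mistake item 9 describes.
PUBLIC_ZONE = """\
$ORIGIN example.com.
api        IN A     203.0.113.10     ; public gateway address
www        IN A     203.0.113.11
users-svc  IN CNAME users-svc.internal.
billing    IN A     10.20.30.40
"""

# The gateway's private map: external names callers see -> internal service names.
EXTERNAL_TO_INTERNAL = {
    "api.example.com": "gateway.internal",
}


def is_private_address(text: str) -> bool:
    addr = ipaddress.ip_address(text)
    return any(addr in net for net in PRIVATE_NETS if net.version == addr.version)


def audit_public_zone(zone_text: str, internal_suffixes=INTERNAL_SUFFIXES) -> list:
    """Return (fqdn, problem) pairs for records that expose internal naming."""
    origin, issues = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop zone-file comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        parts = line.split()
        if len(parts) < 4:
            continue
        name, rtype, target = parts[0], parts[2], parts[3]
        fqdn = origin if name == "@" else f"{name}.{origin}"
        if rtype == "CNAME" and target.rstrip(".").endswith(internal_suffixes):
            issues.append((fqdn, "CNAME targets an internal name"))
        elif rtype in ("A", "AAAA"):
            try:
                if is_private_address(target):
                    issues.append((fqdn, "record publishes a private address"))
            except ValueError:
                issues.append((fqdn, "unparseable address"))
    return issues


def resolve_for_gateway(external_name: str) -> str:
    """Map a public name to its internal target without DNS ever carrying the latter."""
    return EXTERNAL_TO_INTERNAL[external_name]
```

Renaming `gateway.internal` later is then a one-line change in the gateway map, not a public DNS update, which is the second half of the author's point.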

10. Operate as though all APIs are externally facing

Keeping internal APIs off public DNS servers is an important best practice, but that alone doesn’t ensure their security. The safest approach is treating every API as though it is externally facing – because on some level they are. That is, while they may not be openly external, there are only a few steps between a motivated hacker and an internal API. 

11. Track ALL APIs

At the pace of modern engineering, forgetting about an API is easier than you might think. That’s why it’s important to use tools for automatically discovering APIs to ensure they are never forgotten, especially APIs used for testing or maintaining backward compatibility when phasing in new applications. This is exactly what happened to Facebook in the API breach noted earlier. 
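An added example (not from the article) of the discovery step: it takes the routes the team believes are deployed and the method/path pairs observed at the gateway, collapses numeric identifiers into one route template, and reports both the traffic that hits endpoints nobody inventoried and the inventoried endpoints that nothing calls any more. The inventory and the traffic lines are constructed.

```python
"""Reconcile a declared API inventory against observed gateway traffic (added
example; inventory and traffic lines are constructed)."""
import re
from collections import Counter

# What the team *thinks* is deployed.
INVENTORY = {
    "GET /v1/users/{id}",
    "GET /v1/users/{id}/photos",
    "POST /v1/login",
    "DELETE /v1/users/{id}",
}

# Constructed gateway access lines: "<method> <path>".
OBSERVED_TRAFFIC = """\
GET /v1/users/1001
GET /v1/users/1001/photos
POST /v1/login
GET /v1/users/2001
GET /v0/users/55/export
GET /v0/users/56/export
GET /internal/debug/vars
"""

ID_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize(path: str) -> str:
    """Collapse numeric segments so /v1/users/1001 and /v1/users/2001 are one route."""
    return ID_SEGMENT.sub("/{id}", path.split("?", 1)[0])


def observed_routes(log_text: str) -> Counter:
    routes = Counter()
    for line in log_text.splitlines():
        if line.strip():
            method, path = line.split(maxsplit=1)
            routes[f"{method} {normalize(path)}"] += 1
    return routes


def reconcile(inventory: set, log_text: str) -> dict:
    """Routes seen but not inventoried (with hit counts), and inventoried but never seen."""
    seen = observed_routes(log_text)
    return {
        "untracked": {route: count for route, count in seen.items() if route not in inventory},
        "unused": sorted(inventory - set(seen)),
    }
```

On the constructed data, the `/v0` export endpoint kept for backward compatibility and a debug endpoint are both live but absent from the inventory, while the inventoried `DELETE` route receives no traffic and is a candidate for removal. Run against real gateway logs, the "untracked" list is the forgotten-API problem made visible.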

12. Leverage new technology – and keep updating it

Hackers have a major advantage over many enterprises: they can adopt advanced new technology at a moment’s notice – no paperwork or approvals required. They know that most enterprises are slow to adopt new technology, and they are increasingly turning to highly sophisticated artificial intelligence and machine learning tools in their attempts to breach targets. It’s an arms race, and the only way to give your company a fighting chance is to keep up with technology as it advances. For API security, leveraging new technology for tracking API traffic and detecting anomalies automatically can go a long way toward thwarting bad actors with advanced tech. 


Bernard Harguindeguy

Bernard joined Ping by way of the Elastic Beam acquisition, where he was the founder and CEO. Elastic Beam built the first hybrid cloud solution that used advanced AI techniques to deliver deep visibility into API activity and stop cyberattacks. Most recently he was Chairman, President and CEO at Atlantis Computing (award-winning storage optimization software) and the CEO of Green Border, which was acquired by Google. Bernard was also Chairman of Booshaka (acquired by Sprinkler), Chairman of Norskale (acquired by Citrix), Chairman of BorderWare (acquired by WatchGuard) and a Board Member at Sygate Technologies (acquired by Symantec). Bernard earned an MS in Engineering Management from Stanford University and a BS in Electrical Engineering from the University of California, Irvine, where he was inducted into the Engineering Hall of Fame.
