Best practices for a secure API infrastructure

Apply the proper API security checks to protect this increasingly popular communication channel

As the API attack surface has grown, hackers are taking advantage of more opportunities to access sensitive data through various entry points. Hackers know that organizations struggle with implementing API security measures, and they exploit those weaknesses. Read about the best practices for stopping them. 

Given the start reality of security threats, which are sure to become even more sophisticated over time, what can your IT teams do to shore up API protection? Try these best practices.

1. Be aware of the APIs you have

Organizations can only protect APIs that are on their radar. To avoid APIs falling through the cracks and outside defined processes and tools, you must establish a central access point for all APIs.  One way IT teams can do this is to gather all known APIs into an API marketplace where APIs can be productized and more easily tracked.  This practice can enhance your control, visibility, and security over APIs. In addition, developers can be more agile since the gateway will protect their code.

2. Apply a multi-layered security approach

API transaction processing involves multiple layers of security. To prevent costly breaches, API managers must regularly review and update their software stack to support defense at each level:

• Infrastructure level. Keep updated versions of libraries on which API processing relies. Establish specific ports and protocols to access APIs.
• Surface level. Enable web application firewalls. Apply measures based on OWASP top threats, adding further rules based on your requirements.
• Global level. Enable checks so only specific IP addresses can access an API gateway. Implement global throttling across your API infrastructure.
• Service level. Allow API to integrate with your enterprise-wide identity provider. Enable encryption and quota checks.
• Method level. Change object content associated with a specific HTTP verb. Use numerous scopes to dissect clients and their access rights. 

It’s best to operate under the assumption that every API request can be hostile. API security teams can enhance threat prevention by leveraging processes and tools that align with a zero-trust security posture.

3. Enable monitoring and threat mitigation

When you expose APIs to clients, API gateways are subject to potential threats. With the right security measures and oversight, IT teams can reduce risks to the system and its users.

By limiting requests to particular servers, you’ll conserve computational resources and ensure high availability. This step makes APIs less vulnerable to attacks where hackers can systematically guess a password to gain access. It also prevents resource exhaustion in a downstream service that can lead to DoS attacks. Additional API security precautions include:

• Restrict API gateway access to a few IP addresses to decrease the attack surface.
• Implement a web application firewall that adds a layer of defense from injections of intruding code that can extract data or crash a server.
• Augment your logging of all system activities to remove sensitive data.
• Leverage AI to pinpoint unusual API execution and monitor API data flow patterns.

4. Implement data security and validation

implement checks on all input parameters and payloads. Hackers often use API parameters to inject destructive code into an organization’s infrastructure. Knowing what to expect from input parameters can establish a validation routine within your API gateway.

Payload scanning is essential. Organizations should integrate with an internet content adaptation protocol (ICAP) solution to scan payloads in real time. This ensures that no malicious code is injected before it’s passed back into the system for processing.

Then there’s data redaction. Sometimes, developers can fail to protect sensitive properties on the server side, leaving it up to clients to filter out these elements in API responses. Removing and masking that data helps protect the exposure of sensitive data to the outside world.

5. Establish consistent practices

Many teams are deploying or modifying APIs daily. Organizations should build pipelines that automate as many steps as possible in the API lifecycle. While shaving time off the clock, you’ll minimize the chances for human-injected errors.

Part of establishing consistent practices should include security-specific tests that run with every API promotion. From tests to QA and QA to production, these tests act as a security check for APIs as they move through the lifecycle.

With API deployments occurring frequently, organizations are more likely to discover that something is not right with APIs. That’s why it’s valuable to implement a rollback process for API deployments. This makes it fast and easy to transition back to a previous version and resolve any issues.

Turn best practices into actions

While these best practices lay the groundwork for comprehensive API security, Axway supports these efforts. Our Amplify API management platform offers an efficient and secure way for organizations to manage their entire API lifecycle. Axway API management experts can work with any IT team to identify helpful technical strategies that will safeguard APIs at throughout internal, partner, and end-user ecosystem.