APIs are great, they are everywhere and they grow. When thinking about API security very often very basic security mechanisms are missing. This article is about the very minimum frist steps you should always take:
First steps to think about
- Only expose the parts of the interface which are necessary, not the entire API
- Only collect and publish the data which is really necessary
- Only grant access to people/systems which need it
- Switch sides and think like an attacker ("Write a black mirror episode about your API", Keith Casey 2019)
Use API gateways, because they take care of:
- Lifecycle: In which state is your API? How was it designed and built? To which gateways is it published and is it live & available?
- Interface: What does it expose? Which resources, methods, objects and fields?
- Access: Who can use it? Which users or groups, which authentication, which clients, which contexts?
- Usage: How to succeed with it? API documentation, debugging and errors, tracking usage, examples & sdks?
- Business: How does it drive business goals? Partner CRM, marketing, business analytics
API gateways like apigee, kong, apache apisix, krakenD, the list is long. Great overview about open source api gateways: https://www.predic8.de/open-source-api-management-kong-tyk-fusio-umbrella-wso2.htm
There is so much more
- Regularly updating your systems of which the api is built on
- Harden your systems, applications, middleware, runtime-environment and interfaces of which the api is built on
- Do regularly penetration testing and vulnerability scanning
- Enhance and regularly review logging & monitoring including automized alerts based on thresholds