The API Evangelist API Security Industry Guide
08 Nov 2017
This edition of my API security industry guide has been underwritten by ElasticBeam, who provides next generation API security, leveraging machine learning, and behavorial analysis that works with the existing web and API management solutions you already have in place across your API operations.
I have been working on this resulting guide from my API security research for over a year now. Thanks to ElasticBeam I’ve finally gotten it out the door. As with all my industry guides, it is a work in progress, and something that will never be finished. I’ll keep taking what I’ve learned, and publishing in as a PDF every couple months, and receive the edits, and feedback from my readers and the wider community, then publish again. I’m feeling like I’m finally finding my groove again with these guides, and there is no better time to be back on game, especially when it comes to API security.
Security is the number one concern of companies, organizations, institutions, and government agencies considering investing more resources into their API infrastructure, as well as companies who are ramping up their existing efforts. At the same time it is also the most deficient area when it comes to investment in API infrastructure by existing API providers. Many groups are rushing along their API journey, and deploying web, mobile, device, and other applications, but rarely stopping to properly secure things with each step along the way.
In 2016 I began investing more into the topic of API security. I have been ramping up my research into how APIs were being secured, and how they weren’t being secured. I’ve been tracking on breaches, vulnerabilities, as well as the companies who are offering products and services that help API providers secure their APIs, as well as some of the open source tooling that is available. As I do with my approach to researching everything APIs, along the way I’m keeping notes on the common building blocks, and other patterns that are contributing to the wider API conversation–in this case it is all about securing our APIs.
From my research into where things are at with API security in 2016, it is clear that one of the reasons things were deficient in the area of API security was that API management had sucked much of the oxygen out of the conversation. Numerous API providers I talked with about API security thought it was all about making sure APIs were keyed up, applying OAuth, using encryption, and rate limiting their APIs. With that, API security was taken care of. Very few were actively scanning, testing, and looking through web server, DNS and other logs for signs of security threats and incidents. While a major contributing factors to API security deficiency is that API providers are short on resources, which means API security is often under-invested in by a company, but beyond this, I think API management has been the biggest reason API security still lags behind in 2017.
Another thing I have noticed in my research, is that many of the APIs being operated were in service of mobile applications, and many API providers were investing in mobile application security, and considered their APIs behind secure as a result. APIs in service of mobile applications were living in the shadows, despite being easily reverse engineered using off the shelf proxy tools. This perception of what API security is has added on a whole other dimension to why investment in this area is so far behind. Many companies feel like they don’t have public APIs when they are developing them in the service of mobile phones, despite using HTTP as the transport, and leverage public DNS.
Even with all of the deficiencies in API security, I’m beginning to see forward motion in the API conversation in 2017. I’m seeing new service providers emerge to help secure web APIs, addressing the specific threats API providers face. I’m seeing machine learning, behavioral analysis, and other new approaches to analyzing log files, and studying the surface area of our API infrastructure. There is still much work ahead, but there are signs of renewed conversations on the subject. The biggest challenge is going to be helping companies, institutions, organizations, and agencies understand that they should be investing significantly more resources into API security. That is the objective of this API security industry guide, to provide a simple walk through of the space, and introduce the services, tools, and common building blocks that are in use by successful providers.
If you find any mistakes in the guide, or would like to make suggestions, feel free to head over to the Github repository for my API security research and submit an issue. I depend on my audience ot help me refine, polish, and keep these guides updated. Hopefully this is just the first of many updates to the API security industry guide, allowing me to keep in sync with the ever-changing security landscape. Thank you for your support!