API Security: A Comprehensive Guide

Protecting application programming interfaces (APIs) and the data related to them is becoming a priority for organizations. This article provides an overview of API security, focusing on automation of their testing.

What is API security?

Unlike graphical user interface, APIs are designed to automate the exchange of data with external systems and between internal application components. Three main parts of API security are critical:

• API discovery: By identifying their internal and external APIs, organizations can create a more complete picture of their attack surface. Popular methods for API discovery include crawling to find specification files and API endpoints, integration with API management tools, and monitoring of API traffic.
• API security testing: Once discovered, they can be tested for vulnerabilities manually or with automated scanning. While manual API testing used to be the norm, the vast number of API endpoints and parameters has led to the widespread popularity of advanced Dynamic Application Security Testing (DAST) tools to automate this process.
• API protection: Most companies use API gateways to route their traffic through a single system with multiple security measures. This can include load balancing, rate limiting, and a web application firewall (WAF) that provides real-time filtering of API traffic.

API security also encompasses other categories of tools. For example, API classification (or categorization) involves labeling APIs to make it easier to fix new vulnerabilities. Another important part of API security is access control, which involves defining access rights for specific users and applications to the application programming interfaces.

Why is API security important?

Rather than attacking through the user interface, threat actors often prefer to use APIs, which makes them an important target.

With millions of IoT (Internet of Things) devices using web APIs to receive commands, return data, and perform operations, attacks on APIs can also allow malicious hackers to compromise physical security measures and use unsecured internet-facing devices as entry points to access internal systems.

There are at least five reasons why API security is important to organizations:

• Protecting sensitive data: APIs often serve and process personal, financial, and business information, so cyberattacks on them can lead to data breaches.
• Securing application attack surface: Without proper protection, APIs can become entry points for threat actors.
• Reducing the likelihood of advanced and intense attacks: Because APIs are designed for automated access, they are often targeted by malicious hackers. Strong API security measures can prevent or reduce the impact of these disruptive attacks.
• Regulatory compliance: They require a high level of security for all systems that deal with sensitive data, including APIs.
• Supporting business continuity: Depending on the application architecture, APIs can directly support or perform critical business operations across multiple systems.

What is the difference between API security and application security?

API security is part of application security and is critical for protecting modern applications that rely on web services and APIs to communicate with systems and users. Applications developed using a microservices architecture are built entirely on top of services that rely on API calls not only for external communication, but also for internal data exchange.

An important difference is that API traffic is almost entirely automated. They handle request volumes that are rarely achieved through manual user interaction with a GUI. This creates different requirements than traditional application security and makes automation a necessary aspect of an effective API security program. This is especially true for internal APIs, where many systems, services, and applications may rely on the same API.

Securing different API types

Most organizations typically use one of several common API types: REST, SOAP, or GraphQL. While network-level security measures depend more on the application architecture than the API type, there are nuances to the security of different types of APIs at the application level.

REST API

REST is the most popular API type, used by over 85% of organizations that have APIs. REST (REpresentational State Transfer) is not a strict protocol or format, but an architectural style. In the case of REST APIs, HTTP methods are used as operation types, and JSON is the most common data format.

Because each operation requires its own API endpoint and URL, REST APIs significantly increase attack surface. Especially considering that REST requests can be very predictable. When a new API specification is published, the old and new versions usually temporarily coexist. Forgotten APIs that remain in production are a common attack vector. Sometimes all that needs to be done is changing the URL from v2 to v1 to access the less secure version.

SOAP API

SOAP (Simple Object Access Protocol) is an older and less common web API format. It is still used today, for example, in business applications. Unlike the loose style of REST, XML-based SOAP API requests must strictly conform to a specific schema, which makes them less convenient for simple operations, including frequent changes during rapid development.

Being specifically designed as an enterprise API format, SOAP is generally considered more secure than REST. Especially because it includes built-in features, such as encryption. SOAP requests must also conform to the XML schema defined for the API, which makes it difficult for attackers to spoof or imitate.

GraphQL API

GraphQL is better described as a specialized query and data management language for accessing database APIs. Although it is relatively new compared to REST and SOAP, GraphQL is rapidly gaining popularity. It is used by up to 30% of API developers.

GraphQL typically uses only a single API endpoint to receive requests and return data, which can simplify traffic routing and security testing. It also has some built-in validation and type checking. At the same time, GraphQL security has its own challenges, such as second-order vulnerabilities.

Main types of API vulnerabilities

• API vulnerabilities: The interface should allow only valid and authorized requests. If criminals manage to compromise API protections, they can bypass or break the authorization, gain access to the API, and make malicious requests. Common API vulnerabilities include weak or unsecured API keys, broken authentication, issues with using HTTPS for all API traffic, and incorrect rate limiting, which increases the risk of DDoS (distributed denial of service) attacks.

• Related application vulnerabilities: After bypassing or overcoming API-level protections, malicious hackers can attempt to exploit application vulnerabilities via API calls, including common injection attacks such as SQL injection, command injection, and cross-site scripting (XSS). In the context of APIs, server-side request forgery (SSRF) can be particularly dangerous, providing access to internal systems.

OWASP Top 10 security risks for APIs

The OWASP project maintains several lists of vulnerabilities related to web application security, one of which is dedicated to APIs. There is a rating from 2023 that can be used as a resource for implementing security measures.

• API1:2023 Broken Object-Level Authorization
• API2:2023 Broken Authentication
• API3:2023 Broken Object Property-Level Authorization
• API4:2023 Unrestricted Resource Consumption
• API5:2023 Broken Function-Level Authorization
• API6:2023 Unrestricted Access to Sensitive Business Flows
• API7:2023 Server-Side Request Forgery
• API8:2023 Security Misconfiguration
• API9:2023 Improper Inventory Management
• API10:2023 Unsafe Consumption of APIs

These API security risks can be grouped into five broad categories:

1. Access authorization and user authentication
2. Access control and limiting
3. API inventory management
4. Security misconfigurations
5. Unfixed web application vulnerabilities

API security testing with DAST

Automated dynamic application security testing tools are a good choice for checking security of attack surface of both APIs and GUI. But very few web vulnerability scanners are advanced and accurate enough to safely perform variety of tests and provide reliable results.

As the first DAST vendor to integrate API scanning into its products, Invicti continues to be an industry leader in the accuracy, coverage, and automation of web application and API scanning. The Invicti (formerly Netsparker) platform has various API security features and capabilities, including:

• Support for REST, SOAP, GraphQL, and gRPC definitions
• Discovery of both documented and unknown APIs
• Fully automated authenticated scanning
• Centralized visibility into APIs and vulnerabilities
• Automatic URL rewriting to improve security testing
• Hundreds of security checks for accurate vulnerability detection

Best practices for API security

Defining and implementing effective API security policies should be an integral part of a broader AppSec program. Here are key points to ensure that API security requirements are not overlooked or underestimated:

• Defining an API security strategy. This should include policies and tools for API discovery, security testing, inventory, management, and protection.
• For large APIs in production, proven security solutions for runtime protection should be used. It includes access control as well as automated filtering and traffic throttling.
• It is important to implement and centralize API management. This helps developers and security teams keep track of APIs and their specifications.
• Engineers have to be involved in defining secure coding, design, and development standards for APIs. This should include architecture, design patterns, and security controls.
• Without testing it should not be assumed API user authentication will be handled by another system. Adhering to these zero-trust principles is especially important in the case of multi-layered APIs.
• APIs should be incorporated into web asset discovery and testing processes. This helps to improve API security as part of AppSec, and also integrates it into the software development lifecycle (SDLC).
• Secure coding practices should include input validation and sanitization. This is especially important for APIs, where protecting object identifiers is critical to prevent vulnerabilities associated with them.
• It is beneficial to implement API security testing into DevOps pipelines, using integrations with development tools and issue tracking systems.

Creating continuous processes for web application and API security

In case of application security testing, various methodologies can be applied at different stages of development, and many issues can be detected at the source code level using static security testing (SAST). Instead, most API testing is performed using the dynamic testing method (DAST). This is because security teams often may not have direct access to the underlying application or system and its source code. And even if they do, it is still necessary to check for runtime vulnerabilities caused by misconfigurations or complex interactions between systems in production.

DAST such as Invicti is a good choice for systematically finding and fixing security flaws before they can be exploited by threat actors. For this to work in practice, it is important to have a solution that performs asset discovery and security checks, can test all common web application technologies and APIs, and integrates into the software development lifecycle (SDLC). Depending on DevOps workflows, it also has to be able to run scans automatically at predefined points in the development pipeline, as well as on a schedule in production.