
Close Your API Security Gaps, Prevent Breaches With These Five Best Practices


Adopting these five best practices can help protect companies and minimize the impact of cyberattacks resulting in API security breaches.

Written By
Will Au
Sep 2, 2023

Application programming interfaces, or APIs, have been around since the early days of computing, but it’s only relatively recently that their popularity has exploded. Now, APIs play a part in 83% of Internet traffic in everyday services like PayPal and Google Maps. And, because APIs facilitate data exchange between different microservices, they also provide access to a trove of sensitive data. Because of that, APIs are an extremely attractive target for security breaches.

In fact, data shows that the number of API breaches is on track to accelerate at a rate of 227% — quite a jump as compared with 2022 (172%) and 2021 (117%). Cybercriminals target APIs through a range of methods:

  • Mismanagement of token or API keys, where legitimate credentials are stolen and misused by unauthorized parties.
  • DDoS attacks, which use thousands of simultaneous connection requests to overwhelm API systems and the backend systems that provide data to APIs, resulting in crashes and drained resources.
  • Easily accessible credentials, where usernames and passwords are made vulnerable to theft through unencrypted configuration files.
  • Man-in-the-Middle (MITM) attacks, which occur when a third party intercepts communications between an API endpoint and a client.

Any of these attacks resulting in API security breaches could potentially cost an organization an average of $4.35 million.

Five steps to better API security

These daunting data points require that organizations take a closer look at API security and determine how to better prepare for the inevitable breach attempts. Establishing the following set of five best practices to securely leverage API integration and related technologies is a good place to start.

1) Assess your organization’s infrastructure and processes. Organizations have multiple on-premises and cloud environments, and with them comes an ever-growing number of interconnected APIs and microservices. Potential vulnerabilities can exist in this complex environment, so an important first step is to pinpoint where they are. Start by looking at customer-facing APIs and internal APIs:

  • Internal — Moving systems to the cloud makes data more accessible to internal users across an organization without assistance from IT. But it also means potentially sensitive data is exposed as well. IT teams must offer only necessary access rather than allowing access across services for everyone in every department, which can quickly become an administrative nightmare.
  • Customer-facing — While APIs are used to share information with customers, organizations should limit how much is directly accessible (for example, databases or internal systems). The portion that is exposed should still be secured. 

2) Pay attention to data security in the cloud. It’s a long-held belief that data stored in the cloud is more vulnerable to cyber breaches. This isn’t necessarily the case: In fact, transitioning data to the cloud can offer a degree of security that can’t be duplicated in-house. However, there are ways to increase cloud security even more by placing an increased focus on APIs. 

3) Make multi-factor authentication a requirement. Today, usernames and passwords are no longer sufficient for security — even if they’re complex. Two-factor authentication or secure authentication with OAuth is imperative, so make sure your network supports them.

4) Ensure the right users have access to the right data — and no more. Access to data should be granted to users according to job function or position rather than to everyone across the organization. This lowers the chances that sensitive data will be accidentally exposed. If a user does need access to a system they don’t typically use, special permissions can be created to provide access for a limited time.

5) Secure certificate keys in a keystore. A trusted keystore that has certificates for HTTPS-secured communication is important. So, if, for example, a local client must communicate securely through a proxy server, make sure you add a new certificate to a Java keystore. 
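
Practice 4 above (access by job function, plus special permissions for a limited time) can be enforced at the API layer as sketched below. This is an added example, not code from the article or from any product it mentions; the role names, scope strings, user names and the rule that users cannot approve their own access are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role-to-scope map: each job function gets only the scopes it needs.
ROLE_SCOPES = {
    "support": {"tickets:read", "tickets:write"},
    "finance": {"invoices:read", "invoices:write"},
}

@dataclass(frozen=True)
class TempGrant:
    scope: str
    expires_at: datetime
    approved_by: str

@dataclass
class User:
    name: str
    role: str
    temp_grants: list = field(default_factory=list)

def grant_temporary(user, scope, approver, minutes, now):
    """Record a special permission that lapses on its own after `minutes`."""
    if approver == user.name:  # assumption of this example, not from the article
        raise PermissionError("users cannot approve their own access")
    grant = TempGrant(scope, now + timedelta(minutes=minutes), approver)
    user.temp_grants.append(grant)
    return grant

def is_allowed(user, scope, now):
    """Deny by default; allow via role scope or an unexpired temporary grant."""
    if scope in ROLE_SCOPES.get(user.role, set()):
        return True, "role"
    for g in user.temp_grants:
        # Expiry is checked on every request, so no cleanup job is needed.
        if g.scope == scope and now < g.expires_at:
            return True, f"temporary grant approved by {g.approved_by}"
    return False, "denied"

def demo():
    t0 = datetime(2023, 9, 2, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    alice = User("alice", "support")
    results = [is_allowed(alice, "tickets:read", t0)[0],    # within her role
               is_allowed(alice, "invoices:read", t0)[0]]   # outside her role
    grant_temporary(alice, "invoices:read", "bob", 60, t0)
    results.append(is_allowed(alice, "invoices:read", t0 + timedelta(minutes=30))[0])
    results.append(is_allowed(alice, "invoices:read", t0 + timedelta(minutes=61))[0])
    return results
```

Returning the reason alongside the decision gives the audit log a record of which grant, and which approver, allowed each out-of-role request.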


A final word on API security

Now more than ever, with so many cyber threats compromising data integrity, organizations are held to incredibly high security standards. Putting in place these best practices will ensure they can continue to leverage API integrations while also preventing sensitive information from falling into the wrong hands.


Will Au is Sr. Director DevOps, Operations, and Site Reliability, at Jitterbit.
