NEW YORK — As reliance on APIs rapidly grows, so too does the need to secure them.
Security is the top challenge of application programming interface (API) management, and the best way to address it is to take an approach similar to web application security, said Laurent Gil, security product strategy architect at Oracle Cloud Infrastructure.
“Simple things we do to secure web applications can be done on API calls as well,” Gil said in his session, “API Security: What You Absolutely Need to Know Now,” here at the O’Reilly Velocity Conference.
What are APIs?
An API is software that allows two applications to communicate with each other, even if they’re written in different languages. Mobile apps are driving their usage; there are more than 7 million different mobile apps, and they all use APIs to communicate with back-end systems or other resources, Gil said. According to Gartner, by 2022, APIs “will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”
Even non-malicious uses of APIs can cause problems, however. An airline or rental car company, for example, may have dozens or hundreds of third-party travel agencies using its API to access pricing information. If the airline or rental car company makes a price change and all of those travel agencies simultaneously make API calls to get the new price, it can overwhelm the server and have the same effect as a DDoS attack, Gil said.
API security must protect against these cases as well.
How API security works
Representational State Transfer (REST) is the most common API architecture, and clients make RESTful API requests via HTTP or HTTPS. This is much like how browsers make website or web application requests via HTTP or HTTPS. As such, API security can follow web application security’s lead.
A web application firewall (WAF) intercepts, inspects, and mitigates (if necessary) traffic to websites and applications. Similarly, API security relies on a reverse proxy to receive API calls, inspect and/or authenticate them, and pass them through to the back end (if they are legitimate). A reverse proxy implemented specifically for API security is called an API gateway.
WAFs and API gateways are complementary technologies; a WAF can sit in front of and protect an API gateway, creating a comprehensive API security platform, Gil said. He described the features of these platforms and how they can protect APIs:
Access controls enable organizations to whitelist API calls from customers, partners, and other trusted sources. They can also incorporate data from threat intelligence services to determine whether or not API calls from certain sources are malicious.
IP rate limiting lets organizations set thresholds for how frequently specific IP addresses or URLs can make API calls — and block or delay requests that exceed these limits.
WAF policies can enforce the use of encrypted API calls, prevent SQL injection attacks, and provide detailed logs and other monitoring data.
Tokenization ensures that an API call is coming from a trusted application.
“It’s a very nice way to make sure that the API call was made by an entity that is friendly to the application,” Gil said.
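To make the gateway features above concrete, here is an added Python sketch of the policy checks an API gateway applies before a call reaches the back end: a source allowlist, a per-IP rate limit over a sliding window, and a signed-token check. It is an illustration written for this article, not code from Gil's talk or from any Oracle product; the token format (client id, expiry and an HMAC-SHA256 tag joined by dots), the secret, the client ids and the IP addresses are all constructed for the example.

```python
"""Toy API gateway policy: allowlist, per-IP rate limit, signed-token check.

Added example for illustration only. The token format, secret, client ids
and IP addresses below are constructed and not taken from any real system.
"""
import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    source_ip: str            # client address as seen by the gateway
    path: str                 # requested API route
    token: Optional[str]      # bearer-style token, or None if absent
    timestamp: float          # arrival time in seconds; injected so the demo is deterministic


def issue_token(secret: bytes, client_id: str, expires_at: int) -> str:
    """Mint a token 'client_id.expires_at.hexmac' (assumed format, HMAC-SHA256)."""
    payload = f"{client_id}.{expires_at}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(secret: bytes, token: Optional[str], now: float) -> Optional[str]:
    """Return the client id if the token is well-formed, unexpired and correctly
    signed; otherwise None. This is the 'trusted application' check."""
    if not token:
        return None
    parts = token.split(".")
    if len(parts) != 3:
        return None
    client_id, expires_at, mac = parts
    if not expires_at.isdigit() or int(expires_at) < now:
        return None
    expected = hmac.new(secret, f"{client_id}.{expires_at}".encode(),
                        hashlib.sha256).hexdigest()
    # constant-time comparison so the check does not leak how many bytes matched
    if not hmac.compare_digest(expected, mac):
        return None
    return client_id


class ApiGatewayPolicy:
    """Applies the three checks in order and returns a decision string."""

    def __init__(self, allowed_ips, limit: int, window: float, secret: bytes):
        self.allowed_ips = set(allowed_ips)     # access control: whitelisted sources
        self.limit = limit                      # max calls per source per window
        self.window = window                    # sliding window length in seconds
        self.secret = secret                    # key used to sign and verify tokens
        self.history = defaultdict(deque)       # per-IP arrival timestamps

    def check(self, req: Request) -> str:
        if req.source_ip not in self.allowed_ips:
            return "deny: source not on allowlist"
        # Rate limiting runs before token verification so that a flood of
        # unauthenticated calls (the travel-agency surge above) still uses up
        # the source's budget instead of costing a signature check each time.
        q = self.history[req.source_ip]
        while q and q[0] <= req.timestamp - self.window:
            q.popleft()                         # drop arrivals outside the window
        if len(q) >= self.limit:
            return "deny: rate limit exceeded"
        q.append(req.timestamp)
        client = verify_token(self.secret, req.token, req.timestamp)
        if client is None:
            return "deny: missing, expired or forged token"
        return f"allow: {client} -> {req.path}"


SECRET = b"constructed-demo-secret"  # constructed; a real gateway loads this from a secret store


def run_demo():
    """Run six constructed requests through the policy and return the decisions."""
    gw = ApiGatewayPolicy(allowed_ips={"203.0.113.10"}, limit=3, window=60, secret=SECRET)
    good = issue_token(SECRET, "travel-agency-42", expires_at=2000)
    stale = issue_token(SECRET, "travel-agency-42", expires_at=500)
    forged = good[:-1] + ("0" if good[-1] != "0" else "1")   # one tampered tag character
    reqs = [
        Request("198.51.100.7", "/v1/prices", good, 1000.0),    # source not whitelisted
        Request("203.0.113.10", "/v1/prices", good, 1000.0),    # valid call
        Request("203.0.113.10", "/v1/prices", stale, 1001.0),   # expired token
        Request("203.0.113.10", "/v1/prices", forged, 1002.0),  # tampered token
        Request("203.0.113.10", "/v1/prices", good, 1003.0),    # 4th call in 60 s window
        Request("203.0.113.10", "/v1/prices", good, 1070.0),    # window has slid, allowed again
    ]
    return [gw.check(r) for r in reqs]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The order of the checks is the point worth noticing: the cheapest test (is this source allowed at all?) runs first, the rate limiter counts every call from an allowed source whether or not it carries a valid token, and the signature check comes last. That mirrors the layered setup Gil describes, with a WAF handling coarse filtering in front of a gateway that authenticates individual calls.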