Internet Performance Delivered right to your inbox

API Security Emerges as Major Challenge

NEW YORK — As reliance on APIs rapidly grows, so too does the need to secure them.

Security is the top challenge of application programming interface (API) management, and the best way to address it is to take an approach similar to web application security, said Laurent Gil, security product strategy architect at Oracle Cloud Infrastructure.

“Simple things we do to secure web applications can be done on API calls as well,” Gil said in his session, “API Security: What You Absolutely Need to Know Now,” here at the O’Reilly Velocity Conference.

API security Laurent Gil Velocity
Laurent Gil discusses API security in a session at the O’Reilly Velocity Conference in New York.

What are APIs?

An API is software that allows two applications to communicate with each other, even if they’re written in different languages. Mobile apps are driving their usage; there are more than 7 million different mobile apps, and they all use APIs to communicate with back-end systems or other resources, Gil said. According to Gartner, by 2022, APIs “will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”

Even non-malicious uses of APIs can cause problems, however. An airline or rental car company, for example, may have dozens or hundreds of third-party travel agencies using its API to access pricing information. If the airline or rental car company makes a price change and all of those travel agencies simultaneously make API calls to get the new price, it can overwhelm the server and have the same effect as a DDoS attack, Gil said.

API security must protect against these cases as well.

How API security works

Representational State Transfer (REST) is the most common API architecture, and clients make RESTful API requests via HTTP or HTTPS. This is much like how browsers make website or web application requests via HTTP or HTTPS. As such, API security can follow web application security’s lead.

A web application firewall (WAF) intercepts, inspects, and mitigates (if necessary) traffic to websites and applications. Similarly, API security relies on a reverse proxy to receive API calls, inspect and/or authenticate them, and return the calls (if they are legitimate). A reverse proxy implemented specifically for API security is called an API gateway.

WAFs and API gateways are complementary technologies; a WAF can sit in front of and protect an API gateway, creating a comprehensive API security platform, Gil said. He described the features of these platforms and how they can protect APIs:

Access controls enable organizations to whitelist API calls from customers, partners, and other trusted sources. They can also incorporate data from threat intelligence services to determine whether or not API calls from certain sources are malicious.

IP rate limiting lets organizations set thresholds for how frequently specific IP addresses or URLs can make API calls — and block or delay requests that exceed these limits.

WAF policies can enforce the use of encrypted API calls, prevent SQL injection attacks, and provide detailed logs and other monitoring data.

Tokenization ensures that an API call is coming from a trusted application.

“It’s a very nice way to make sure that the API call was made by an entity that is friendly to the application,” Gil said.

Share Now

Colin Steele
Whois: Colin Steele

Colin Steele is a marketing communications specialist at Oracle Dyn, writing about DNS, cloud computing and edge security. He formerly covered data center and end-user computing at TechTarget for 11 years.

To current Dyn Customers and visitors considering our Dynamic DNS product: Oracle acquired Dyn and its subsidiaries in November 2016. After June 29th, 2020, visitors to will be redirected here where you can still access your current Dyn service and purchase or start a trial of Dynamic DNS. Support for your service will continue to be available at its current site here. Sincerely, Oracle Dyn