APIs have their pros and cons. What to do when they are not benefiting your organization:
Vulnerability is a major issue with APIs, given their ability to offer programmatic access to external parties with few organically available controls. Security, therefore, should be an essential element of any organization’s API strategy.
Let’s clearly understand that API security is difficult. There are many layers of the API “stack” and many of them overlap the layers of an organization’s basic IT stack.
While API security shares many aspects with both web site security and network security, it is also fundamentally different, both in its usage patterns and in the unique areas of additional risk that APIs are susceptible to.
For instance, APIs move the boundary of interaction from the web tier to the backend applications and data sources directly.
Understanding the necessary components of a well-constructed API security strategy is the first thing you should do when you are utilizing this very helpful strategy:
- Risk Assessment: Crafting and conducting a thorough API risk assessment discussing the various attack vectors that could potentially make your API vulnerable
- Risk Mitigation: Exploring the risk mitigation strategies that API providers can put in place to prevent API hacks
- API-Security: An API-security first mindset and constant vigilance are imperative. Knowing that, there is no excuse for a lackadaisical attitude towards API security.
- Requirements: Make security visible in requirements and backlog processes, on the same level as performance, functionality and usability
- Knowledge: Invest in security know-how and testing among your developers and testers, so they understand common security breaches and how to guard against them.
- Prevention: Test and assess security early in your project and don’t leave it to some single individual at the end right before production.
- Monitoring & Intrusion Detection: Continuously monitor your applications for security vulnerabilities using available tools or homegrown solutions – as you would performance and functionality, with a focus on how new components or changes can have unwanted side effects. Intrusion detection is an important piece of the security strategy.
- Awareness: Make use of free tools and resources (like those available at OWASP) to get an overview of relevant vulnerabilities and how to make sure they do not affect you
- API Lifecycle Security: The API development processes (from API design to creation to runtime to product management to API governance) must be approached in a holistic manner with a security mindset.
Many industries are finding that APIs are very helpful; financial services organizations are the latest group that has recently started benefiting from the use of APIs. The whole purpose of APIs is to get systems to interact with each other. The financial services industry is slow to adopt, and I would hope it is because of the sensitive nature of its data; the benefits of adopting APIs and the technology upgrades are many. The security needed for the use of APIs should be included in any technology upgrade strategy.