Building a defense-in-depth API security posture

API Security

Attacks targeting APIs have increased by 400% in the last six months. With API threats on the rise, organizations need increasingly powerful ways of securing themselves against these “not if, but when” attacks. A defense-in-depth approach is the perfect place to start.

APIs face unprecedented threats

According to research by API security firm Salt Security, API security has become a C-level discussion at 48% of organizations. Here’s why.

Per the same research:
  • 94% experienced a security issue with their APIs over the past year 
  • “Zombie APIs” are the leading API concern
  • 62% describe their AIP security strategy as “Basic” or below
  • 78% of API attacks come from seemingly legitimate users who have maliciously authenticated
  • Vulnerabilities are the #1 security issue in production APIs (41%), followed by Authentication (40%)
It’s no wonder Gartner predicted API security would be a serious cybersecurity threat in 2022. Noted the research firm, “Gartner predicts that by 2022, application programming interface (API) attacks will become the most-frequent attack vector, causing data breaches for enterprise web applications."

Now that that prediction has taken steps towards reality, organizations need to up their API security game with a defense-in-depth approach.

The 5-layer approach to API security

A defense-in-depth approach utilizes multiple layers of security so that one can defend the other or come into play should one fail. This ensures that if an exploit targets an API in some way, the chances are higher that it will be blocked before reaching its goal.

Here is a five-step approach that implements API security at every layer:

  1. Identify all APIs | Getting a headcount of all APIs within your environment is the first step to securing them. You can’t protect what you can’t see. Knowing where all your APIs reside then lets you understand the needed scope of your policies and where you need to focus security. Often, APIs are used as testers and forgotten within the ecosystem once their use is done. Or they are replaced by a newer version and fall victim to the same neglect. Either way, Zombie APIs – “an API endpoint that has become abandoned, outdated, or forgotten” - are a massive security liability. The product of API sprawl, they need to be discovered and then rooted out or protected.
  2. Identify which APIs expose sensitive data | The Salt report noted that API security feature most valued (44%) was the ability to identify which APIs were leaking critical information. This step can come after an organization has located all its APIs. Some APIs may no longer be in use. Others are but need to be de-provisioned. These are typically the ones that have remained in the shadows and missed needed security updates – and hence are leaking sensitive information. Plugging these holes is like patching leaks in a boat. It has to be done before further improvements can be made, or it can cause the whole boat to sink (nice security improvements and all). 
  3. API authentication | Once all APIs have been discovered and the dangerous ones addressed, it’s time to set things right with best practices to keep the rest safe. This starts with API authentication. Audit permissions and make sure users only have access to the APIs they need. Operate on the principle of least privilege and revoke excessive privileges resulting from access sprawl. This will go miles for reducing the attack surface. If a criminal hacker exploits a user, the chances of that compromise leading to API damage are significantly less if that user doesn’t have unnecessary access to additional APIs.
  4. Context-based API security | The second most valued API security feature was the ability to block attacks (44%), per the same Salt research. There are a multitude of tools on the market to address API detection and response, or you can build these capabilities out in-house. Just like initial endpoint and network security, traditional API security methods were stymied by a reliance on predefined signatures and rules. They discard, rather than keep, request data after use instead of learning from it, and they operate in-line, inhibiting scalability. XDR qualities applied to API security leverage Artificial Intelligence to go beyond the signatures, sidestepping traditional limitations and providing a way to block more API attacks at scale. 
  5. Shift-left API security practices | Moving API security measures up in the chain is another way to implement layers of API security where they count the most. Making secure coding and configuration procedures part of the development cycle bakes in the practices that can save a lot of time later, such as having to discover APIs and ferret out the Zombies. Teams can do this by keeping track of APIs - their status and location – when they are first rolled out and auditing the same notes when they are updated. Additionally, development teams can implement API security best practices like setting rate limits and limiting data exposure by configuring APIs to only return the data necessary to their intended function - no more.


APIs are the building blocks of today's digital economy and will continue to face unprecedented attacks. Because attackers will resort to any means necessary, organizations need to employ every means at their disposal to create a defense-in-depth approach scalable to the API growth – and threats – of the next few years.

About Author:

Katrina Thompson

An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.

Post a Comment

Previous Post Next Post