Dialogue Series

Explaining the Basics of API Security and How to Prevent API Attacks

by

If you’ve opened a mobile application today, you’ve likely interacted with an application programming interface (API). Whether you signed up for a new account using an existing email address, logged into an app using fingerprint authentication, or searched a retail website to check on the availability of a certain product, an API was probably involved.

APIs are all around us in this digital and cloud native-centric world, but their significance often flies under the radar. Even API security risks tend to go unnoticed. But I’m hoping to change this.

As the Senior Director of Product Management for Prisma Cloud by Palo Alto Networks, I research and develop industry-leading products for application security. To learn more about APIs and all they entail, read on for insights into API basics, API and web application security risks, and how to secure the APIs that your organization uses.

What Is an API?

First, let’s define the term “API.” Again, API is short for “application programming interface,” and it is less complicated than it sounds. APIs are the means by which modern applications communicate with each other, and they are mostly consumed over the web. As G2 explains, you can think of an API as a messenger that translates your request and returns responses — similar to the role a server plays in a restaurant.

Because of the digital and interconnected nature of technology, there are an endless number of applications that need a way to interact with each other. As such, the number of APIs in use for a single application can total dozens or even hundreds. Additionally, cloud native APIs can change on a daily basis.

Today, we have a standard for APIs called OpenAPI, a specification that defines a language-agnostic interface description for APIs that are readable by both humans and computers without requiring additional documentation, access to source code, or inspection of network traffic. In short, everything in the OpenAPI allows you to create an API client from scratch without having to know everything about the API itself.

Since we know that APIs are heavily used in cloud native development, they can be modified easily — and often. This means developers don’t have to make APIs from scratch every time they need one, but ensuring web application and API protection in this environment is a challenge.

A Closer Look at API Security Risks

An OpenAPI specification describes what the server expects to receive, including the message format, parameters, the client’s expected response, and more. However, protecting APIs can be a challenge because the specification does not include who has access to the API and it does not mandate any kind of authorization or authentication.

Another issue that arises from using APIs is that OpenAPI spec files are not always automatically updated every time a new version is released. This limits your visibility into changes and your control over the API. If you aren’t using the latest version of the API spec document, you could be left with APIs that are exposed. Additionally, any kind of security you attempt to enforce will be ineffective.

Because of these inherent risks and the fact that APIs are so widely used in most (if not all) web applications, API attacks have become a growing threat. It is also difficult to govern and secure APIs, which encourages attackers to target them first before attempting more sophisticated forms of attack.

This begs the question, “How can organizations keep their APIs secure?”

How to Secure APIs That Your Organization Uses

The good news is there are multiple ways organizations can enhance their API and web application security efforts. Best practices for cloud native API security include the following:

  1. Keep the OpenAPI specs up-to-date. Through testing, developers can ensure that spec docs are current and minimize the potential for API attacks.
  2. Apply positive security. This means proactively defending against the low-hanging fruit that will be easy for attackers to target.
  3. Read the OWASP API Top 10 Security List. This list covers the top 10 most common risks for APIs that developers should bear in mind when developing and trying to secure APIs.
  4. Choose a robust API protection solution. With the right application security platform, applying positive security, identifying unprotected APIs, and scaling are all far simpler.

Learn More in My Episode of DevSecTalks

As you can see, APIs are both extremely useful and necessary for modern cloud native applications. However, they also pose security risks that organizations need to be mindful of both now and in the future. Hopefully, this article has helped you gain a better understanding of what it takes to prioritize API security within your organization.

If you’re interested in hearing more about the latest in cloud technology and cloud native security, be sure to subscribe to DevSecTalks. You can also visit the Prisma Cloud blog for more insights on web application and API security.

About Prisma Cloud

Prisma Cloud is the cloud native security solution for Palo Alto Networks, the global cybersecurity leader on a mission to be the cybersecurity partner of choice and is the industry’s most complete cloud native application protection platform (CNAPP) that can secure cloud native applications from code to cloud. Learn more about opportunities at Palo Alto Networks by visiting their careers page.

About the Author

Ory Segal is the Senior Director of Product Management for Prisma Cloud by Palo Alto Networks and is part of the team responsible for the web application and API security module. Prior to joining Palo Alto Networks, he was the co-founder and CTO of PureSec. He has also worked at organizations such as Akamai and IBM, and has spent the past 20 years researching and developing industry-leading products for application security.