Here at FireTail, we believe that API security is crucial moving forward. We are focused on what we believe will be the next attack vector – the API.
Here at FireTail, we believe that API security is crucial moving forward. We are focused on what we believe will be the next attack vector – the API. APIs (application programming interfaces) are the way that two pieces of software can talk to each other. On the modern Internet, API interactions happen trillions of times per day, maybe even trillions per hour.
API – the application programming interface concept
One of the easiest ways to think about an API is any mobile application. Pull out your smartphone and look at any app that helps you accomplish a task, like booking a table, checking in for a flight, ordering food, getting a ride, etc. As you can imagine, that whole process does not take place on your phone. You’ll create some portion of the transaction on your phone, maybe choosing what dishes go into your dinner order, but then that order has to be sent to the restaurant, with a driver coordinated to do the delivery, and credit card payment processed. This might involve as many as 10 interactions with different APIs to complete one single order. Again, this happens trillions of times per day.
API security is exactly what it sounds like – the security of the API components that enable and transact the connection between two pieces of software. Can we be sure that the connection is private, and only being used in the way that it was intended? There are many aspects of API security, which we will cover in a forthcoming whitepaper specifically on API security considerations and best practices.
This is the FireTail.io blog, so naturally you can expect this blog to share information about our company, our progress and our product. But you’ll also find our analysis of API security data breaches, and trends that we see in the market. We’ll also cover events and media appearances
Best practices in API security will be a key focal area of this blog. While many API security best practices are similar to cloud security best practices or application security best practices, there are some technical nuances that are unique to APIs. Whenever a set of security recommendations or security challenges is discussed, FireTail will do our best to highlight the differences. Some high-level best practices for security in APIs include:
An API gateway is a network interface, like a reverse proxy, sitting logically or topologically in front of an API, to accept API calls, route the calls to the appropriate API service or endoint, and return results to the API consumer. API Gateways can provide valuable services like presenting network visibility of APIs, allowing for decoupling of the API from the network interface point (IP address or DNS entry) so that APIs can be rotated, updated or A/B tested behind a gateway, and to enable horizontal scaling.
Some API Gateway technologies, such as those from leading public cloud providers, may also provide features that are useful in API security, such as rate limiting and pagination. However, API Gateways most likely do not inspect request/response payloads and cannot look into authentication, authorization or data management logic.
A comprehensive API security strategy will always include end-to-end planning and controls, from design to production. One critical step of this process will be both the logical and security testing of the API. While logical testing of the API will check that the API is functioning as intended, API security testing will typically focus on a few key questions:
OWASP - the Open Worldwide Application Security Project - provides a "top 10" list for API security risks. However, as of the time of the publication of this article, the OWASP API Top 10 is 3 years old, which is somewhat dated by the norms of the modern cloud. As this list is updated with newly discovered API attack vectors, exploits or commonly breached design flaws, the FireTail blog and newsletter will provide updates.
Join FireTail at Infosecurity Europe in London to learn more about API security and FireTail’s approach to helping organizations eliminate API vulnerabilities with a hybrid approach to API security
FireTail founder Jeremy Snyder discussed API security to a standing-room-only crowd at UK Cyberweek in London in April 2023.