The API Security Maturity Model: How to Evaluate Your API Security Measures


Enterprises rely heavily on software applications to automate their processes and move on-premises workflows onto digital infrastructure. APIs drive the core functionality of those applications and have become a central part of the modern software development lifecycle.

The Marriott hotel chain, for example, was fined £18.4 million by the UK Information Commissioner's Office after a breach of its Starwood guest reservation system exposed hundreds of millions of guest records, a reminder of what weak access control around customer data costs. Even a breach in which no data is ultimately lost damages trust: competitors can point to the incident when asserting the security of their own APIs, and market share follows.

This article discusses the standard ways of evaluating your API security measures and gives a brief overview of how to set up security for your APIs so that they contribute to a safe digital ecosystem rather than undermining it.

Legacy Cyber Security Isn’t Enough to Secure Your API Layer

Traditional network-level controls may hold up against threats like distributed denial-of-service (DDoS) attacks or commodity malware, but they do little to secure the API layer, where the traffic is legitimate-looking HTTP that carries application logic.

Manual penetration testing, which many companies rely on to simulate attacks and surface vulnerabilities, has not kept pace with the modern release cadence. It is typically commissioned only once an application has reached, or is about to reach, production, long after the code that introduced the weakness was written.

Attacks today are well-resourced and multi-surfaced. Even the National Security Agency (NSA) has publicly moved from a purely perimeter-defensive posture to an "assume the adversary is already in the system" approach.

At best, manual penetration tests happen quarterly or annually, which is not enough for a development lifecycle that ships changes daily. The tests are too infrequent, and they rarely exercise the API-specific weaknesses that attackers increasingly target.

One pillar of legacy security is to put a firewall in front of the application. A web application firewall (WAF) can block many payload-based attacks such as SQL injection and cross-site scripting by pattern matching, but it cannot see business-logic flaws: a request that reads another customer's record by changing an ID in the URL (broken object-level authorization) is syntactically identical to a legitimate one. To properly secure APIs, companies need automated testing of that logic throughout all stages of the software development lifecycle.

Charting Your API Security Maturity Level

Given how widely APIs are used, and how quickly attackers find new ways into systems through them, protecting your organization and your users' confidential data is vital. With that in mind, it is crucial to evaluate the maturity level of your API security.

Let's review some basic API security measures before going deeper into the phases of API-targeted security.

Basic API Security

Basic hygiene is the floor every API should meet, and its absence accounts for a large share of the flaws found in the wild. Here are some basic measures you can take to strengthen your APIs:

  • Use Application Security Testing (AST) tools: AST tools (static, dynamic and interactive analysis) are fast, repeatable and scalable, and cover far more of the codebase than manual review can. Running them early in development surfaces known vulnerability classes and weaknesses before release and lets teams triage and classify the findings.
  • Enable token-based API authentication: An API key only proves that the caller holds the key. It identifies an application rather than a user, rarely expires, and grants access to everything the key can reach. Token-based authentication (for example OAuth 2.0 bearer tokens or signed JWTs) is stronger: the token is issued to an authenticated identity, is short-lived, and carries the scopes the holder was granted, so the API can verify who is calling and for how long the credential is valid.
  • Enable token-based authorization: Once the caller is authenticated, the API must still check whether that identity may access the specific resource requested, not merely the endpoint. Checking scopes alone is not enough; the handler must compare the requested object (for example an order ID) against what the authenticated user owns, so that the right user reaches only the resources permitted to them.

Phases of API-targeted Security

Identifying your security level is key to judging the vulnerabilities in your code. This includes analysing how the code behaves at runtime, not just how it reads. Left unattended, weak code and bugs are candidates for becoming security flaws. Manual code reviews and traditional test plans catch some of these weaknesses, but they are time-consuming and fall behind as new issues enter the system, which is why knowing where you stand is a prerequisite for preventing attacks and data breaches.

Phase 1: Crawling

At this phase your organization most likely relies on firewalls and API gateways to detect API-targeted attacks and API vulnerabilities. The catch is that these controls see only production traffic, so threats are identified long after the code has been deployed and the application is live, sharply reducing the value of each finding.

Phase 2: Walking

Organizations at the walking stage have tooling that notifies development teams of API vulnerabilities. Scans are still the main detection mechanism, and teams run them with reasonable confidence. Findings are turned into tickets in existing developer ticketing systems such as Jira or ServiceNow, with enough detail about the type of attack to point developers toward a fix. At this stage, however, reports and tickets are usually generated by hand, so coverage depends on who has time to run the scan and file the result.

Phase 3: Running

To reach the running stage, organizations use automation to streamline API security. Automated API security testing can be built into the API lifecycle and exercised on every commit, so it catches the logic flaws (for example a handler that serves another user's object) that traffic-based controls miss. Developers get feedback on their code each time they push changes, without waiting for the change to reach production.
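As an added example that is not part of the original article (and not APIsec's code): the authentication and authorization measures listed under Basic API Security, and the automated logic-flaw check this running phase calls for, in one small Python module. It contrasts an API-key-gated handler, which lets any key holder read any order, with a handler that verifies a short-lived signed bearer token and then checks object ownership, and it ends with a regression check that a CI pipeline could run on every commit. The users, orders, API key and HMAC secret are constructed demo data; the token format is a simplified HMAC-signed stand-in for a JWT, not a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo data (not from the article): two users' orders and one partner API key.
ORDERS = {
    101: {"owner": "alice", "item": "laptop"},
    102: {"owner": "bob", "item": "monitor"},
}
API_KEYS = {"key-partner-7f3a": "partner-app"}  # an API key names an application, not a user

# Assumption: the token issuer and the API share this HMAC key. A real deployment would
# use asymmetric signing so the API only ever holds a verification key.
TOKEN_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl_seconds: int = 300, now=None) -> str:
    """Mint a short-lived bearer token 'payload.signature' (JWT-style, simplified)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": scopes, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(TOKEN_SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str, now=None) -> Optional[dict]:
    """Authentication: return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(TOKEN_SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig.encode(), expected.encode()):  # constant-time compare
        return None
    claims = json.loads(_unb64(payload))  # safe to parse: signature already verified
    if claims.get("exp", 0) <= now:
        return None
    return claims


def get_order_with_api_key(api_key: str, order_id: int):
    """Weak pattern: the key proves only that *some* registered app is calling.
    There is no user identity, so there is nothing to check ownership against."""
    if api_key not in API_KEYS:
        return 401, {"error": "unknown api key"}
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, {"error": "not found"})


def get_order(token: str, order_id: int, now=None):
    """Hardened handler: authenticate the bearer token, then authorize the specific object."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    if "orders:read" not in claims.get("scope", []):
        return 403, {"error": "missing scope"}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    if order["owner"] != claims["sub"]:  # object-level authorization (the BOLA check);
        return 403, {"error": "forbidden"}  # some APIs return 404 here to hide existence
    return 200, order


def bola_regression_check() -> list:
    """Automated check for the running phase: every order, requested with a valid token
    for a different user, must yield 403. Returns the failures (empty list = pass)."""
    failures = []
    owners = {o["owner"] for o in ORDERS.values()}
    for order_id, order in ORDERS.items():
        for user in owners - {order["owner"]}:
            status, _ = get_order(issue_token(user, ["orders:read"]), order_id)
            if status != 403:
                failures.append(f"order {order_id} readable by {user} (HTTP {status})")
    return failures


if __name__ == "__main__":
    print("api-key handler, bob's order with a partner key:", get_order_with_api_key("key-partner-7f3a", 102))
    print("token handler, alice reading bob's order:", get_order(issue_token("alice", ["orders:read"]), 102))
    print("BOLA regression failures:", bola_regression_check())
```

The point of `bola_regression_check` is that it is cheap enough to run on every commit: it needs no scanner and no production traffic, only the handler and a few fixtures, which is exactly the kind of check a WAF cannot express because every request it sends is well-formed.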

Going Beyond Traditional API Security

Security measures like firewalls, manual penetration testing, and static and dynamic code analysis catch common, pattern-based vulnerabilities like cross-site scripting and SQL injection. They do not offer the same protection against logic-flaw attacks, which are the characteristic threat to APIs and the reason demand for dedicated API security is growing.

Automation has a great deal to offer organizations securing APIs. Automated responses to attacks, wired into DevOps workflows, enable faster detection and better protection while reducing the load on overburdened IT teams; attacks and incidents can be handled quickly with less human intervention.

For those who want more information about API security and automation, APIsec wrote an article about the top 10 API security concerns. You can read it here: What is OWASP API Security Top 10: A Deep Dive.

Topics: DevSecOps

Tags: APIs, Security