API security is an executive-level concern which is only increasing in relevance. As more API-driven services emerge in areas like artificial intelligence, banking, healthcare, eCommerce, and elsewhere, the more reliant the global economy is becoming upon these niche developer-facing tools. However, ungoverned API sprawl can lead to many security woes.
Without the proper management of APIs, you put yourself at risk for disparate designs, shadow endpoints, insecure coding practices, and misconfigurations. Hackers could misuse APIs with broken authorization control to steal user information or even enable full account takeover, as was the case with a recent Booking.com OAuth misconfiguration. Hackers are also quick to leverage business logic flaws within APIs, which could easily put cash on the line.
API governance is the practice of enforcing common policies and standards around API design, development, and consumption. And it's an excellent tactic to improve cybersecurity in this new API-driven microservices landscape.
Below, we'll examine how API governance brings a better security framework to respond to issues plaguing today's interconnected technologies. We'll explore why software governance is so critical for large enterprises and consider five ways API governance can unite security knowledge across an organization to encourage safer API-first practices.
1. By Ensuring API Designs Are Consistent
First, governance can help by ensuring APIs are consistent and conform to common standards. This can pertain to the design paradigm, protocols, data formats, naming conventions, and schema in use.
Baking consistency into API design makes your services more consumable and benefits the overall developer experience. This makes it easier to share integrations with not only internal developers but partners as well. Design standards also reduce the occurrence of disparate, unstandardized API development that is more difficult to maintain and secure as it requires more specialized talent.
One way to enforce common API standards is by maintaining a public API design style guide. This is a common strategy employed by Adidas, PayPal, Google, Red Hat, Atlassian, Cisco, and many others. An API design style guide could be enforced using an OpenAPI linter such as Spectral.
2. By Instilling Secure Coding Practices
Governance is especially important for instilling safe coding practices. Not every developer is a DevSecOps engineer with a security-first mindset. Often, programmers are just trying to make sure a function works as intended and aren't considering how it could be misused.
Confirming that APIs follow security best practices is crucial to avoid vulnerabilities in production. For example, authorization concerns continue to plague APIs. Countless public API endpoints accidentally expose user data when fed different IDs, known as Broken Object Level Authorization (BOLA). These and other authorization flaws can lead to data exfiltration, permission escalation, and access to administrative controls.
Thus, having a shared knowledge base for how to properly set up authentication and authorization for new APIs is critical to ensure the rule of least privilege is followed. Security guidelines should also encourage best practices for rate limiting, data validation, token handling, API key obfuscation, and ways to avoid business logic flaws.
Shift-left practices involving automated vulnerability scanning could help reduce misconfigurations and threats. For example, OpenAPI.Security can take an OpenAPI definition URL and identify potential OWASP risks.
3. By Verifying Third-Party API Consumption
API adoption is surging across most enterprises, but unbridled technology acquisition can lead to unsafe conditions. For example, ungoverned third-party API usage can pose a threat if left unchecked. In fact, OWASP's API Security Top 10 now lists Unsafe Consumption of APIs as a common API risk.
Third-party APIs may be compromised and may not employ the proper input validation and sanitization. These services could be vulnerable because they interact over an unencrypted channel or mindlessly follow redirections.
Organizations shouldn't place faith blindly, especially in today's tumultuous software supply chain. Therefore, API governance should not only consider internal coding practices but verify the integrity of third-party services that developers are integrating with. This will help retain a zero-trust approach.
4. By Documenting All Your Services
Another byproduct of today's increasing API reliance is the likelihood of API sprawl to set in. Today's microservices architecture designs, IoT devices, and monetization strategies are producing more and more APIs by the minute — but not all of these endpoints are carefully documented.
As the old cybersecurity adage goes, you can't secure what you don't know. Without a window into all the APIs in your organization, you can't assign proper ownership to their maintenance. A lack of visibility also hinders monitoring efforts, which prevents insight into production exploits and gauging if services meet SLAs.
As of 2023, OWASP lists Improper Inventory Management as a top API concern. Therefore, increased API governance is necessary to encourage proper inventory management for these services. Documenting each API thoroughly and maintaining an API catalog are two methods to improve API inventory management. Doing so can shed light on the tools in use and ensure they don't become forgotten shadow APIs.
5. By Enforcing Guardrails For Lifecycle Management
Another contributor to zombie APIs is age. Nearly all technology has a shelf life. And APIs, too, will go through a lifecycle of development, usage, versioning, sunsetting, and eventual deprecation. Some features will be altered, and others will be retired. But when the lights are supposed to go off, who makes sure these endpoints are fully offline?
In general, it's good to have established policies in place for proper API lifecycle management. For example, guardrails around API versioning can help avoid breaking changes, which can negatively disrupt operations and service reliability. Smart end-of-life planning can be accomplished using developer communication channels and HTTP headers to communicate sunsetting and deprecation.
It's good to have API lifecycle management procedures in place from day one to avoid surprises down the road. But as a catalog balloons into the hundreds (if not thousands) of API services, organizations will likely want to seek out platforms that automate the toil of API lifecycle management.
API Governance Greatly Aids Cybersecurity Efforts
Oversight around software development and maintenance is crucial to establishing safe platforms. And API governance is integral to improving your overall security foundation. From a security perspective, increased API governance can:
- ✓ Help standardize APIs to unify technology designs.
- ✓ Introduce shift-left tactics to expose vulnerabilities early on.
- ✓ Validate third-party services are safe for use.
- ✓ Mandate documentation and API catalogs to avoid forgotten endpoints.
- ✓ Encourage safe and predictable lifecycle habits.
Above, I've suggested some particular methods to enact the above points. But, holistic API management will involve many other strategies to improve the overall cybersecurity posture. In general, treating the API as a product and having a center of excellence for API standards can encourage safer usage patterns, which, if followed, can reduce the chance of exposing sensitive data and putting your business — and end users — at risk.
