• Dr Omaru Maruatona

Four considerations to secure your APIs

Recent events in Australia have yet again highlighted the importance of cybersecurity; most recently specifically relating to APIs. As the real-world impacts of ineffective API security have affected businesses and the public, government has also stepped-up attempts to mitigate and manage increasing risks and effects of lapses in API security. It is becoming clearer that secure APIs are critical to organisations that use them, and the customers and public that are served through them.


Aiculus has deep industry knowledge and expertise in the field of API security, dating back to 2017. Aiculus has spent the last 5 years providing API real-time security monitoring, as well as developing API security architectures and standards for fintechs, banks, telcos and government departments. As API security becomes topical again, we recommend that organisations consider the following:


1. Development of APIs follows a secure development lifecycle

2. Security standards for internal, external as well as third party APIs

3. API security monitoring with real-time reporting

4. Security protocols and guidelines are followed consistently


Aiculus was founded with a mission to bolster real-time API security. Back then it wasn’t readily accepted that if a company exposes its services to external customers through an API, the same API could be used to compromise the services and associated data.. Since then, the use and importance of APIs has grown significantly, and is expected to continue to grow into the future. Similarly, multiple API security breaches have been reported and the approach of holistic API security has become more appreciated and adopted by organisations.

1. Secure API development lifecycle


Today, most companies with digital service offerings have multiple APIs and API accessible services. With the proliferation of agile methodologies for software development and continuous integration/ continuous deployment (CI-CD), these organisations are constantly pushing changes on API services at rapid rates. A recent report showed that a large US retail company publishes 150,000 changes a month[1] to a key component of their digital services platform. The sheer number of these changes are a direct indication of how busy APIs are, and also how important APIs are to organisations offering their services digitally.


Whether it is innovation, differentiation or catching-up to the competition, organisations with digital service platforms must constantly evolve to stay relevant. These constant changes require a robust security approach at design, implementation, and operation of APIs. If any of these phases has a gap, it can lead to dire and expensive consequences in the event of data breaches. While fines can be paid, and some of the damages rectified, the loss of reputation and customer trust are amongst the hardest to win back. Where organisations fail to have robust security that actually works, and is fit for purpose, legislation may be introduced, sometimes leading to more onerous requirements as government also works to get a handle on the situation.


2. API Security standards/ Design principles


The problem with API security is not the lack of technology because APIs themselves are built on typically modern technology; reviews of past API breaches demonstrate this. The standards and principles on which these APIs were designed can be just as costly as the lack of sufficient security tools. For example, the right API security design principle can limit the extent that one API depends on other APIs; avoiding domino effects in the event of a breach. APIs that are built on well-considered security foundations; that incorporate the organisation’s business context will not bring the whole house down when compromised, but rather limit the damage caused.


3. API security monitoring


Aiculus’ view on API security is that the most critical API is one that is operational, one that connects systems or carries out a user request and has sensitive data in it. APIs’ raw power to transform requests into services that execute transactions using sensitive data is why they must be the one of the focus areas of security. With over 80% of recent API breaches taking place post-authentication according to the 2021 State of API security[2], screening API requests and API transactions for outliers, application logic abuses and other subtle anomalies is no longer optional for operation critical APIs.


While many organisations have invested significantly in security standards, processes, and authentication mechanisms for APIs, others however have not kept pace with the change, and have not yet defined their standards and governances processes. Still, very few have adaptive real time security monitoring and analytics of API traffic and API requests, some relying solely on WAFs for mission critical APIs.


4. API Security protocols followed consistently


It is well known in cybersecurity that writing policies is the easy part; continuously complying with and enforcing the policies is the hard part. For APIs, it is great to start by defining standards and secure deployment processes. The challenge is keeping up with these processes when multiple APIs are constantly being changed and many more published regularly. No matter how urgent an API is, it must be pushed to production through these seemingly tedious protocols to minimise the risk of a simple act of oversight becoming the source of a great inconvenience.


Aiculus can help


Organisations today simply can not afford to not invest in having the right level of security relating to APIs. We’re always ready to share our knowledge and insights on these topics. Supported by a large engineering team through our DigiEx[3] partnership, we have capacity to scale deployment, support and maintenance of our solution.


To ensure confidence in your organisation’s security governance and processes or to review your current API environment, the expert team at Aiculus is ready to support your organisation build and operate APIs securely. Reach out to our team of experts by emailing contact@aiculus.co via our website[4].

[1] https://siliconangle.com/2022/10/05/walmart-blazes-trails-enterprise-supercloud/ [2] https://salt.security/blog/companies-are-struggling-against-a-681-increase-in-api-attacks-the-latest-state-of-api-security-report-shows [3] https://www.aiculus.co/post/aiculus-partners-with-digiex-to-optimise-product-scale [4] https://www.aiculus.co/