APIs allow fast and easy access to corporate assets. If you are focused on security, this may be a scary thought! But the value obtained using business APIs – easing consumption of corporate assets enabling speed to market, allowing the business to reach more potential customers, and helping drive faster innovation – is significant. It is the foundation of the “API Economy” and a core component in enabling digital transformation and building digital ecosystems. Because the value provided by APIs is so high, APIs are a target for exploitation by those wishing to inappropriately access your business assets or cause damage to your enterprise. Many articles highlight APIs as a new attack point using various techniques, such as “APIs are becoming a major target for credential stuffing attacks”. Therefore, API security is of paramount importance in gaining the promised benefits without exposure to negative consequences.
A focus on security is an ongoing effort, as hackers continue to try new techniques to break into systems. It is not possible to declare security tasks completed, nor should you assume your APIs are ever 100% secure. But there are principles, technologies, and techniques that can minimize the risk and provide the highest probability of success in stopping both intentional and inadvertent misuse of business assets.
But how is this accomplished? To address this topic, we have published a white paper titled, “Principles for API Security”. The goal of this paper is to focus on a set of security principles to drive the highest possible level of API protection. Covered topics include:
- Strategic API Economy Security Principles
- Basic API Security Principles
- API Exposure, Scope, and Positioning Principles
- API Gateway Security Principles
Security discussions are often very technical, delving into how to deliver a desired security capability. Rather than focus on how, this paper focuses on why – highlighting the objectives that need to be achieved to have a more secure posture, and why not meeting a principle is a potential security issue. Technology is ever evolving, with new technologies emerging all the time. Security principles are longer lasting. While the technical implementation of a principle may change, the principle should remain valid.
If you have questions, please let me know. Connect with me via Twitter @Arglick to continue the discussion.