13 best practices for API security excellence

It’s estimated that APIs drive approximately 83 percent of all internet traffic, and Gartner predicts that 90 percent of web-enabled applications now have a broader attack surface due to exposed APIs. As a result, the growth in adoption of containers and microservices is increasing the need for API security. 

Even though APIs have become the glue that powers modern digital ecosystems, more attention still needs to be paid to API security. Because where organisations, business partners and customers find innovation and value, hackers and cybercriminals find opportunity. 

Thankfully, there is a set of best practices to pursue outstanding API security. 13 of them, to be precise… 

1. Authentication and authorization 

These are key to exposing your APIs securely. Authentication is verifying who someone is, and authorization verifies which applications, files and data they can access. They enable organisations to move beyond the security flaws and friction associated with username and password-based authentication. This enables them to implement best practices aligned with Zero Trust methodologies. 

2. Managing access control 

Good governance is critical to solid security. Starting with a standardised set of API specifications builds a strong base from which API functionalities can be adjusted and extended in governable ways. It also allows for the uniform implementation of security protocols, which can slot within an overarching strategy that adopts a standard set of principles, patterns and frameworks.

3. Governing microservices

The proliferation of microservices enables businesses to achieve things in more flexible, agile and personalised ways. However, it can be complex to govern distributed architecture. Maintaining total visibility of APIs is crucial to doing so in a way that avoids increased security vulnerabilities. 

4. Automating out vulnerabilities 

Automation can support organisations to effectively govern APIs within complex microservices architectures. This reduces the number of individuals requesting and granting access to APIs. Therefore, this means fewer chances of security breaches, thanks to automated access control processes. 

5. Simplifying complexity 

An API management tool can help organisations to enable automation, agility and security, simplifying the governance process by mediating between code base, application and identity provider. This guards against single points of failure as part of a holistic and robust approach that keeps APIS flexible, manageable and governable. 

6. Encrypting data at rest 

Many organisations grapple with how much of their data is at rest to secure. Encrypting all of it creates a lot of overhead, so a popular approach is using tokenisation to encrypt highly identifiable and sensitive data.  

Classifying data is essential here, and you can use the classification process to define where to store data at rest. This becomes particularly important when cutting-edge API functionalities use that data in new ways, meaning there is scope for security errors to creep in.

With data at rest encrypted, you can operate secure APIs on top to pull, modify or insert data as required.

7. Securing data in transit

Securing data in transit poses more challenges than securing it at rest. Yet it is necessary to increase APIs exposure to the outside world. Applying channel-level encryption with HyperText Transfer Protocol Secure (HTTPS), transport level security (TLS), and SSL Secure Sockets Layer is routinely used to secure data in transit. 

8. Legacy code and integration

While SOAP still has its place, the large-scale adoption of REST has delivered greater flexibility. However, the tendency for REST to over-fetch data means that larger enterprises with many complex API calls and servers are now turning to GraphQL, with its ability to make specific requests to the server. 

The result is that organisations need to move seamlessly between API styles, such as SOAP, REST and GraphQL and architectural styles, like monoliths and microservices architectures. Plug-in solutions that transform requests and responses into different programming languages enable this, along with API management tools that interoperate between different generations of code. This means organisations can transform and scale without needing to rework their governance and security frameworks. 

9. Separation of concerns

The ability to abstract security and governance to a separate, dedicated layer is a crucial reason many organisations adopt an API management tool. Instead of having to roll security and governance into the main code base, the separation of concerns enables developers to prioritise focusing on the functionality of their APIs. 

10. Secure by design

An API management layer eliminates a single point of failure, and its two dedicated layers of operation make it inherently more secure. While one layer looks into the application’s business logic, another manages governability. This means APIs can evolve and develop from a starting point where they are secure from the outset.

11. Hybrid architecture and environments 

Time to market, personalisation and agility has never been more important. Or more achievable. Organisations are applying API management tools to interoperate complex architectures. This allows them to comfortably and securely manage hybrid environments encompassing a variety of languages and styles. 

12. A single view of all APIs

Effective API management systems can deliver a bird’s eye view of an organisation’s APIs. Mediating complicated software ecosystems and translating complexity into simplicity allows organisations to crystallise their digital strategy and oversee governance and security like never before. 

13. Standardised security management 

Applying a layer of API management on top of all the different programming languages and frameworks that businesses use facilitates a standardised approach to API security. As teams seek to aggregate data from other areas and complex APIs, standardised security can overlay the complexity. 

Want to know more? Download our latest security research report, where you’ll find the steps to take to reach good levels of API security. We also look at the emerging real-world antipatterns and solutions and consider API management’s important role in securing and governing agile and complex APIs.