Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

What is API security?

API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.

5 min read

What is an API?

An application programming interface, or API, is a type of software that allows communication between different software and services.

There are four primary API architectures:

  • REST is a stateless, uniform architecture where the client and server operate independently and interact via HTTP.

  • SOAP is more intricate and consumes more bandwidth than REST, exclusively working with the XML data format.

  • RPC, or Remote Procedure Call protocol, allows procedures to execute on a remote server within a distributed system.

  • GraphQL is a schema-driven, strongly-typed infrastructure with its unique query language, enabling clients to obtain specific data in a single request.

What is API security?

APIs are subject to a wide array of threats. Some come from outside, such as unauthorized intrusions by hackers, but others come from within and can disrupt systems or leave the API open for attack. API security refers to the strategies, tool sets, and procedures designed to keep APIs safe.   

API security focuses on three significant security sectors:

  • application security

  • information security

  • network security

API security can also help address issues such as access control, identity-based security, content validation, rate limiting, request throttling, monitoring and analytics, and data protection. Given that APIs serve as entry points for applications or networks, API security is paramount to shield organizations from potential threats.

Why is API security important?

APIs are now foundational in modern software development. Most organizations utilize APIs to exchange data and interface with internal or external software components.

However, APIs are susceptible to cyberattacks, and they’re often targeted by hackers aiming to exploit vulnerabilities for malicious purposes. Broken or exposed APIs rank high among causes for significant data breaches.

Ensuring an API's security means preserving its data confidentiality and ensuring that only authorized users can access it. That includes safeguarding data integrity during and after transmission. This heightened awareness has amplified the focus on API security.

API Security Risks: The OWASP Top 10

The OWASP Top 10 is a list of security risks curated to help developers design applications with security in mind. Let’s take a look at how these points relate to APIs:

  1. Broken object-level authorization: APIs can connect controlling object identifiers, and without proper security in place the API might reveal those identifiers, leaving them open to attack. For instance, in 2018, the United States Postal Service (USPS) experienced a vulnerability due to weak access and authorization controls, compromising over 60 million users' critical data.

  2. Broken authentication: Without robust authentication mechanisms, it can be possible for attackers to gain access to APIs and use them for malicious ends. In June 2021, an exposed API lacking proper authentication was exploited, compromising the personal data of approximately 1.3 million individuals. Simple token or key authentication could have thwarted this attack.

  3. Broken object-property-level authorization: Developers occasionally return superfluous data, assuming APIs will be accessed solely by authenticated users. However, attackers can exploit this excess data. HealthEngine suffered from this vulnerability in their feedback API, leaking over 59,000 patients' personal information.

  4. Unrestricted resource consumption: Every time an API request is made, a certain amount of resources are used up, including network bandwidth, memory, and compute. This presents an internal vulnerability, as unlimited requests can overload an API, increasing operational costs or even causing service denial for legitimate users.

  5. Broken function-level authorization: Many systems have access control policies that are complex. If function-level authorizations aren't implemented, attackers can access unauthorized functions. A recent case in September 2022 saw an attacker infiltrate Uber's IT infrastructure due to this vulnerability.

  6. Unrestricted access to sensitive business flows: Excessive access to critical business flows can disrupt operations. In 2011, CITI suffered a data breach affecting 350K North American cardholders due to an attack that manipulated its business flows.

  7. Server-side request forgery (SSRF): SSRF vulnerabilities occur when an API fetches data from an unvalidated user-defined URL, potentially allowing attackers to bypass security measures. Modern tech stacks, such Docker and Kubernetes, are especially vulnerable.

  8. Security misconfiguration: Insecure API configurations can lead to various attacks that expose data and gain unauthorized access. These vulnerabilities arise from myriad factors, such as missing patches, outdated systems, or exposed error details.

  9. Improper inventory management: With APIs often exposing more endpoints than traditional web applications, maintaining accurate documentation is essential. Poor inventory management can result from insecure storage, weak encryption, or inadequate access controls.

  10. Unsafe consumption of APIs: API consumption often hinges on the trust developers place in third-party responses. Many developers believe that third-party APIs, especially those offered by well-known companies, are inherently secure. This misplaced trust can lead to vulnerabilities. Instead of directly targeting your APIs, attackers might exploit these third-party integrations. Incidents, like the SSRF attacks, can manifest because of inadequate validation and sanitization of responses. For instance, in January 2021, Parler faced security issues by allowing third-party APIs to access data without authentication. Attackers guessed URLs containing sensitive information and accessed the data without authentication.

Pro tip

By understanding these risks and implementing proper security measures, organizations can significantly mitigate the potential threats associated with APIs. Visit OWASP's API Security Top 10 to get a detailed breakdown of each risk.

API security for SOAP, REST, and GraphQL

Each of the three primary API architectures—SOAP, REST, and GraphQL—has its own unique security implications.

API ArchitectureSecurity Implications
SOAP API SecuritySOAP is a streamlined, XML-based messaging protocol designed for exchanging structured data in decentralized computer networks. It's adaptable across various protocols such as HTTP and SMTP. SOAP's security layers incorporate both transport layer security (like HTTPS) to encrypt data in transit and message-level security, including XML digital signatures, to uphold message integrity. By following Web Services (WS) specifications, which offer standardized guidelines, SOAP provides robust security features such as WS-ReliableMessaging for enhanced error-handling.
REST API SecurityREST APIs employ JSONs for data representation and rely on HTTP/s for data transfers, streamlining the development process. Since REST lacks inherent security mechanisms, its security is contingent upon the design of the API. Implementing security measures in data transmission, deployment, and client interactions is essential. Typically, REST APIs rely on protocols such as HTTPS and employ token-based authentication to enhance security.
GraphQL API SecurityGraphQL, an open-source API language, functions both as a query language and a runtime for query execution. Its strictly typed schema ensures data consistency. However, its flexibility can be a double-edged sword: complex, unfiltered queries could lead servers astray, potentially running malicious requests. Adopting security practices like throttling, setting query depth limits, and implementing query timeouts can mitigate these vulnerabilities.
Pro tip

Is your company developing applications with GenAI? Just like any other multi-tenant service, GenAI-incorporating applications can suffer from traditional API vulnerabilities. Learn how to deploy generative AI models as part of your multi-tenant cloud apps securely.

API Security Standards

The key to keeping your APIs safe is by upholding better API security standards. You can start by adhering to the following points:

API discovery and inventorying

Your API security tool should offer and inventory of all APIs that are detected and effectively exposed to internet

To safeguard an API, you need to be aware of its existence first. Continuous automated discovery and inventorying using scanners is crucial to detect all API endpoints and understand their parameters and data types.

Identify API risks & vulnerabilities

Example of an AWS Lambda exposing an API to the internet and storing a secret that allows for lateral movement

Recognizing your system's vulnerabilities is critical to keeping APIs safe. Stay updated with system components, identify potential weak points in your API lifecycle, and employ multi-layered security against threats that were covered in OWASP's top API risks, bot attacks, and DDoS attacks.

Use encryption

Encrypted APIs are less prone to breaches. Leveraging signatures ensures only authorized users can access and alter data. Methods such as TLS encryption protocols effectively safeguard API data.

Implement strong authentication and authorization

Authentication verifies the user, typically using API keys or basic access authentication, while authorization ensures users access only permitted data, often achieved via Role Based Access Control (RBAC). Both are vital for robust API security. 

Use rate limits and throttling

DoS and DDoS attacks present serious threats to your operations, and APIs are a common vector. By enforcing quotas and rate limits, you can thwart such threats and additional risks, such as credential stuffing.

Use an API gateway

Managed APIs reduce vulnerabilities. Since API gateways serve as in-between mediators for clients and backend services, they can authenticate traffic and enhance your API security.

A New Approach to API Security

As we discussed, API security starts with the discovery of APIs and inventorying. Existing solutions for API security are mostly based on agents and network scanners. However, these fall short of giving complete visibility and are also complex to deploy as well. With the Wiz Dynamic Scanner, Wiz has brought a new and modern approach to API security.

With its agentless scanning for all of the major cloud providers, Wiz Dynamic Scanner analyzes all the cloud layers of your deployment, making it possible to detect any risk components and attack paths that might be present in your cloud environment. 

This approach gives you complete visibility to identify all your APIs that are exposed to the internet, along with their associated context so you can get a full understanding of what is exposed and what the blast radius might be if they were exploited. 

To get a more clear understanding and see how it behaves for your environment, schedule a demo with Wiz to see for yourself how it works and all the features it provides.

An agentless, contextual approach to API security

Learn how with Wiz, customers can now simply answer the question of where do I have exposed APIs in my environment with all the context associated with the execution environment.

Get a demo

API Security FAQs

Continue reading

Cloud Sprawl Explained

Wiz Experts Team

Cloud sprawl is a phenomenon that involves the unmanaged growth of cloud-based resources and services.

CSPM vs DSPM: Why You Need Both

Wiz Experts Team

Discover the similarities between CSPM and DSPM, what factors set them apart, and which one is the best choice for your organization’s needs.

Container monitoring explained

Container monitoring is the process of collecting, analyzing, and reporting metrics and data related to the performance and health of containerized applications and their hosting environments.

Data Exfiltration Explained

Wiz Experts Team

Data exfiltration is when sensitive data is accessed without authorization or stolen. Just like any data breach, it can lead to financial loss, reputational damage, and business disruptions.

Kubernetes RBAC Explained

Kubernetes role-based access control (RBAC) serves as a foundational security layer within Kubernetes. It is essential for regulating access to the K8s API and its resources, allowing organizations to define user roles with specific permissions to effectively control who can see or interact with what resources within a cluster.