Developing Best Practices for API Security


APIs are pivotal to the overall success of a digital transformation. They allow developers to work across digital assets and multiple systems with ease. More organizations are adopting API initiatives and are approaching digital transformations with an API-first attitude, according to a report from Google.

“Some 58% say top API initiatives emphasize speeding up new application development; 47% include creation of a developer platform among their core API projects; 32% are using APIs to develop B2B partner programs; and 10% are focused on monetizing APIs to unlock new revenue streams,” the report stated.

But with increased use of APIs comes increased security risks, largely because developers struggle with API security for mobile use. One major reason is that too many developers don’t follow security best practices in the design and development phases.

Two Levels of API Security

To create best practices for API security, developers need a better understanding of where the organization's specific security pain points are. Sam Rehman, chief information security officer at EPAM Systems, said in an email interview that there are two specific areas to consider when thinking about and developing an API security best practices list: the strategic/design level and the tactical level.

“From a strategic/design level, APIs prioritize access and reusability,” Rehman explained. “It allows others to take advantage of what has already been built without reinventing the wheel. Then, they can build on top of what has already been tested, scaled out and, hopefully, properly managed.”

API designers want to create flexibility to enable API use for various purposes, so they focus on providing as many features and access points to the core functionality as possible. The design of the API also has to take into consideration the constant changes and upgrades necessary to deliver new features.

“Although this flexibility benefits many, it also creates an opportunity for attackers to exploit the system by using factors like multiple entry points and the large attack surface, for example. At the strategic and design level, flexibility and opportunities for attack act as opposing…
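One concrete way to act on the design-level tension Rehman describes is to keep an explicit inventory of every entry point the API exposes and review it against a small set of rules: is each unauthenticated route deliberately public, are older versions still reachable after an upgrade, and are state-changing routes rate-limited. The script below is an added example written for this article, not code from EPAM or from the report cited above; the route table, the attribute names (`auth`, `deprecated`, `rate_limited`) and the public allowlist are all constructed for illustration and do not correspond to any particular framework.

```python
"""Entry-point inventory review for an HTTP API (added example).

The route table and its attributes are constructed for illustration;
in practice they would be generated from the router or OpenAPI spec.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    auth: bool          # route requires an authenticated caller
    deprecated: bool    # older version kept for backward compatibility
    rate_limited: bool  # route sits behind a rate limiter


# Constructed sample inventory: six entry points, some intentionally flawed.
ROUTES = [
    Route("GET",  "/v1/health",     auth=False, deprecated=False, rate_limited=False),
    Route("POST", "/v1/login",      auth=False, deprecated=False, rate_limited=True),
    Route("GET",  "/v1/users/{id}", auth=True,  deprecated=False, rate_limited=True),
    Route("GET",  "/v0/users/{id}", auth=False, deprecated=True,  rate_limited=False),
    Route("POST", "/v1/export",     auth=True,  deprecated=False, rate_limited=False),
    Route("GET",  "/debug/config",  auth=False, deprecated=False, rate_limited=False),
]

# Routes that are meant to be reachable without credentials. Any other
# unauthenticated route is an unreviewed entry point (assumed policy).
PUBLIC_ALLOWLIST = {"/v1/health", "/v1/login"}

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def review_surface(routes, allowlist=PUBLIC_ALLOWLIST):
    """Return (method, path, reason) findings for routes that widen the
    attack surface beyond what the design deliberately allows."""
    findings = []
    for r in routes:
        if not r.auth and r.path not in allowlist:
            findings.append((r.method, r.path,
                             "unauthenticated entry point not on public allowlist"))
        if r.deprecated:
            findings.append((r.method, r.path,
                             "deprecated version still exposed after upgrade"))
        if r.method in STATE_CHANGING and not r.rate_limited:
            findings.append((r.method, r.path,
                             "state-changing entry point without rate limit"))
    return findings


def surface_summary(routes):
    """Counts a reviewer would track release over release."""
    return {
        "entry_points": len(routes),
        "unauthenticated": sum(1 for r in routes if not r.auth),
        "deprecated": sum(1 for r in routes if r.deprecated),
    }


if __name__ == "__main__":
    print(surface_summary(ROUTES))
    for method, path, reason in review_surface(ROUTES):
        print(f"{method:6} {path:16} {reason}")
```

Run against the constructed table, the review flags the forgotten `/v0` endpoint twice (unauthenticated and deprecated), the debug route that was never meant to be public, and the export route that changes state without a rate limit. The value of the check is that it runs on every release, so the "constant changes and upgrades" the article mentions cannot quietly add entry points nobody reviewed.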