12 Practices and Tools to Ensure API Security
Here's a scary fact - nearly 99% of businesses have experienced API security issues in the last 12 months. I'm pretty sure that you might not be part of that 1% - or you wouldn't be reading this article. Or maybe you are part of the 1% and are trying stay a part of it by keeping up with the latest trends. Either way - API security is clearly not easy to implement. Part of the issue is that the types and number of threats are constantly evolving, requiring new tooling and techniques to combat them. To get a full picture of what practices and tools are most useful - I chatted with 12 technology leaders to understand what they are doing. Here's what they recommended:
- Implement API Rate Limiting and Gateways
- Adopt Zero Trust and MDR Services
- Use Role-Based Access Control
- Utilize Dynamic Secrets for Authentication
- Deploy AI-Driven Security for APIs
- Focus on Robust Encryption Protocols
- Employ Server-Side Processing for API Calls
- Use API Firewalls for Protection
- Conduct Continuous API Discovery
- Set Up API Honeypots
- Perform Regular Penetration Testing
- Implement a Defense in Depth Strategy
Implement API Rate Limiting and Gateways#
The best place to start when it comes to API security is centralization behind an API gateway. Gateways provide a single pane-of-glass for you wrangle all of your APIs behind. In addition to helping you catalog all of your endpoints, they let you apply policies like rate limiting consistently.Amit Doshi, Founder & CEO of MyTurn, implemented both of these:
"Ensuring API security is a top priority, especially considering the sensitive data we handle in the cybersecurity space. One specific practice we implement is API rate limiting to prevent abuse and minimize the risk of denial-of-service attacks. By setting strict limits on the number of API calls a user or service can make within a specific time frame, we ensure that our APIs are not overwhelmed and can handle legitimate traffic efficiently.
Additionally, we use API gateways to centralize and enforce security policies, such as authentication, logging, and rate limiting, across all endpoints. I highly recommend tools like Kong Gateway or AWS API Gateway for these purposes. They not only secure your APIs but also help streamline the management and monitoring processes, ensuring that your organization stays one step ahead in protecting sensitive information."
Just a quick plug - we at Zuplo are also in the API gateway space so if you're evaluating options, check out our Kong and AWS API gateway comparisons.
Adopt Zero Trust and MDR Services#
Zero Trust Architecture is all the rage these days in the security space. Zero Trust security takes a "trust nothing, verify everything" approach, treating every interaction as potentially harmful. Unlike traditional models, it continuously verifies each request, ensuring no assumptions are made about trustworthiness, regardless of origin. Ryan Carter, CEO/Founder of NetSharx, explains it in further detail:
"In the field of API security, my focus is on a holistic approach incorporating the Zero Trust model. Zero Trust ensures that every request is authenticated and authorized, regardless of its origin, which is crucial in today's threat landscape. Implementing solutions like automated token-based authentication for APIs reduces the risk of unauthorized access significantly.
One specific practice I recommend is the integration of Managed Detection and Response (MDR) services. These services monitor API traffic in real-time and ensure that any anomalies are caught early, preventing potential breaches. This approach helped a client reduce their average response time to security incidents by 40%, just by efficiently managing their API endpoints."
Frankly, I am not very well-versed in the MDR space, but I know that Akamai and Cloudflare both offer Zero Trust Network solutions.
Use Role-Based Access Control#
I've already written about how RBAC improves API permissions management so I won't go into too much detail here. For a brief explanation of RBAC, here's Roman Milyushkevich, CEO and CTO of HasData.
"Role-based access control (RBAC) ensures that users and applications only access the data and endpoints necessary for their tasks. It assigns granular permissions and monitors API usage patterns 24/7 to mitigate unauthorized access and misuse. The RBAC framework makes it easier to manage who can access specific data or perform certain actions within the API.
For instance, administrators, developers, and end-users are assigned distinct roles with specific permissions in our API ecosystem. Our developers have permissions that allow them to configure API endpoints, but they cannot view sensitive usage logs. Our administrators have permission to monitor analytics and view usage logs, but they cannot modify any API structure.
Implementing a hierarchical access structure helps us reduce the risk of errors, unauthorized access, and privilege misuse. It also allows us to streamline onboarding and offboarding clients/employees. When a new employee joins or leaves our company, we simply assign or revoke their role instead of auditing individual permissions, which can be time-consuming."
Once you implement RBAC - make sure you carefully monitor your systems to understand what your users or employees are doing, and it they have the right roles (lowest privilege possible). I have an article on RBAC analytics that might be useful for you.
Utilize Dynamic Secrets for Authentication#
Let's switch things up a little bit and talk about API security for consumers of APIs. Dynamic secrets are short-lived, unique credentials that are generated on demand. They are also known as "just-in-time" (JIT) codes. With dynamic secrets, users can access a resource for a temporary period with a defined set of permissions. This greatly reduces the impact of a lost/stolen API credential. Hashicorp has written at length about why we need dynamic secrets (primarily because Hashicorp Vault is a popular solution for this) but here's Lucas Wyland, Founder & CTO of Steambase for an example grounded in APIs:
"As an API consumer, I use dynamic secrets for authentication. Static API keys have a much bigger chance of exposure and pose security risks. This is why I am using a free dynamic secret manager that frequently rotates the keys. This leaves the attackers almost zero chance of exhausting my API limits.
If you also want to integrate a dynamic secret manager, make sure you set up the RBAC (Role-Based Access Control) to make sure that API keys have the least privileges needed to do the task. Also, I highly recommend setting up a secret injection instead of storing the keys in config files—this option is much more secure."
I definitely recommend creating an abstraction layer over APIs you consume, which is often known as an API integration platform.
Over 10,000 developers trust Zuplo to secure, document, and monetize their APIs
Learn MoreDeploy AI-Driven Security for APIs#
I bet you were wondering how long I could ramble on before mentioning AI. In the API security space - most of the chatter about AI is with regards to threats and attack vectors it can introduce. This is especially true when it comes to APIs - agents like operator are already using organization's APIs in ways they weren't intended to be used. It's so serious that OWASP recently published a Non-Human Identities vulnerabilities list. Luckily, we can fight fire with fire, and integrate AI into our API security stack to help defend against new threats. Stefan Van der Vlag, Founder of Clepher, made this recommendation:
"Traditional rate-limiting and Web Application Firewalls aren't always enough to detect sophisticated API attacks. I like AI-driven security platforms like Darktrace that use machine learning to analyze API traffic and flag anomalies based on behavioral patterns. This means the system can detect subtle threats, such as token manipulation or low-and-slow attacks before they escalate.
I recommend Darktrace because it goes beyond rule-based systems and can adapt to changing attack techniques. This tool also provides real-time visibility into API traffic, allowing organizations to quickly respond and mitigate any potential threats. I like its ability to integrate with existing security tools and its user-friendly interface, making it easy for our developers to use."
I haven't used Darktrace myself, but its definitely something I will check out in the near future.
Focus on Robust Encryption Protocols#
When it comes to security, sometimes we forget the very basics. Ensuring that data being sent over the wire is encrypted can mitigate several vectors around interception. Steve Payerle, President of Next Level Technologies had this to say about encryption and his security tech stack:
"In managing API security, we focus heavily on establishing robust encryption protocols. Having an API endpoint with data encryption ensures that sensitive information remains protected from unauthorized access. Specifically, we use TLS (Transport Layer Security) as a cornerstone for securing data in transit, providing a strong barrier against interception and tampering.
One tool we incorporate is Postman for API testing, ensuring all endpoints adhere to our security standards before deployment. For real-time monitoring and anomaly detection, we employ a mix of AI-driven solutions. These systems flag unusual activity patterns, allowing us to mitigate potential threats swiftly."
Whether its Postman, or some other end-to-end testing solution - it's critical to ensure data is encrypted across all of your endpoints that handle sensitive data. There are also many realtime API monitoring tools to choose from, but my personal picks are a combo of Moesif for API-specific analytics and DataDog for general analytics.
Employ Server-Side Processing for API Calls#
Okay - this should be pretty obvious right now, but I still see it all the time. Do not use API keys from your client-side application!. If an API you are working with requires an API key, you should proxy your call through a gateway or some other service, and securely store the key in a secrets manager. Karl Bagci, Head of Information Security at Exclaimer, has this recommendation for frontend devs:
"One of the most important elements when it comes to API security is to use server-side processing for any API calls. It helps to ensure API data cannot be leaked on the front end, keeping security keys and other vital information directly on the server. This includes using server-side rendering on our secure platform using React along with a framework such as NextJS."
If you are an API key issuer, please integrate with Github Secret Scanning to keep your users safe from themselves.
Use API Firewalls for Protection#
You might already be familiar with Web Application Firewalls (WAF), but here's the tl;dr from Adam Yong, Founder of Agility Writer, in case you are new to them:
"In our company, I make sure to use API firewalls to protect our systems from unauthorized access and malicious traffic. An API firewall acts as a gatekeeper, filtering incoming requests and blocking anything that looks suspicious before it reaches our core systems.
We use Cloudflare API Gateway because it provides strong protection against DDoS attacks, bot traffic, and injection attempts. It analyzes incoming requests in real-time and automatically blocks suspicious activity.
This helped us when we noticed an unusual spike in API requests coming from a single region. The firewall flagged it as a bot attack attempting to overload our servers. Because the firewall automatically blocked the suspicious traffic, we avoided any disruption, and our users never experienced any downtime."
Like Adam said - WAF is Cloudflare's bread-and-butter product offering, but Amazon also offers AWS WAF in case you want to stick to a single-cloud solution.
Conduct Continuous API Discovery#
If you've asked "is there an API for XYZ" before at a large enterprise, chances are that you will get a different answer depending on which team you are on. Without proper cataloging of APIs using an API definition specification like OpenAPI - internal developers will just build their own versions. Many of these will fall out of use and eventually evolve into security threats as their auth systems become outdated. Ayush Trivedi, CEO of Cyber Chief, had exactly this issue - here's how he resolved it:
"One specific practice I highly recommend is implementing continuous API discovery. It’s surprising how easy it is for APIs to proliferate across an organization, often without proper documentation or oversight. We use automated tools to regularly scan our network and identify all active APIs, including those that may have been forgotten or deployed without authorization—what we call “shadow APIs.”
We’ve found that this continuous discovery approach helps us maintain a comprehensive inventory of our APIs, ensuring that none slip through the cracks of our security protocols. It’s particularly useful for large organizations where different teams might be developing and deploying APIs independently.
In terms of tools, we’ve had great success with StackHawk for automated security testing. It integrates seamlessly into our CI/CD pipeline, allowing us to catch potential vulnerabilities early in the development process."
API discovery is mostly a band-aid over the fact that you weren't creating/generating OpenAPI specs in the first place. Consider adopting API development frameworks that automatically generate OpenAPI documentation (we have a good list of Python frameworks to pick from). You can import these specs into a tool like Zudoku to create a full catalog of endpoints.
Set Up API Honeypots#
Sometimes API security requires you to go on the offensive, and proactively implement methods to detect attackers. Kevin Baragona, Founder of Deep AI proposes a rather interesting solution:
"My go-to choice is to set up API honeypots, fake API endpoints that mimic real services but contain hidden security traps. If a bad actor interacts with these endpoints, I can gather intelligence on their attack methods and proactively block similar attempts on real APIs.
Tools like CanaryTokens or custom-built honeypots are best to alert security teams when unauthorized API access is attempted. For instance, a CDN Token can be set as a custom API header or parameter and notify the security team when it's accessed."
This is a pretty smart defense against hackers who try and guess/probe API endpoints based on reused path formats. You can send them back some fake data while identifying the culprit.
Perform Regular Penetration Testing#
Penetration testing is a common practice for ensuring your APIs can handle various attacks - including the OWASP top 10 API risks. Sometimes you can do this yourself, but it can also be worth it to hire an external firm to perform it for you. Rafay Baloch is the CEO and Founder of REDSECLABS, a security firm that performs pen-testing. Here's his recommendation:
"One practice I would like to suggest is penetration testing. It simulates real-world attacks, and finds misconfigurations or unknown vulnerabilities. Alongside this, zero-day exploit monitoring means that you are not behind the curve on new threats.
Burp Suite is a useful tool for testing, [alongside] real-time threat monitoring systems."
I'd definitely advise you to be careful in choosing a pen-testing firm, the worst thing to have is an illusion of safety when there are vulnerabilities that were not discovered.
Implement a Defense in Depth Strategy#
At the end of the day, none of the recommendation above will suffice on their own. It's only through the combination of all of them that you can even begin to understand your APIs' vulnerabilities, if they are being exploited, who is exploiting them, and how to stop them. At every layer of your API tech stack - development, infrastructure, developer portal, integration, etc. - security should always be an omnipresent consideration. This is known as Defense in Depth - and it ensures that API security is everyone's problem at your company. I'll leave you with a Defense in Depth strategy from Evgeny Kapylski, Technical Expert at Vention:
"We prioritize a Defense in Depth strategy for API security, integrating multiple layers of protection to address evolving threats. Our approach is centered on the following key principles:
- API Gateways: We leverage API gateways as a centralized point for traffic management and security enforcement, including rate limiting, IP whitelisting, and authentication. This ensures secure and efficient handling of all incoming API requests.
- Zero Trust Architecture: Adopting a Zero Trust model, we continuously verify every request, regardless of origin. This minimizes the attack surface by ensuring strict access control and eliminating implicit trust within the network.
- Authentication with OpenID and JWT: We implement OpenID Connect for user authentication and use JWT for secure, token-based access control. This ensures only authorized users and applications can interact with our APIs, supporting scalable and flexible identity management.
- Continuous Monitoring: Real-time monitoring and logging are integral to our security strategy, allowing us to detect and respond to anomalies or potential security incidents promptly. We use several robust tools like Prometheus & Grafana, Splunk, AWS CloudWatch, Azure Monitor, and others.
By combining API gateways, Zero Trust principles, OpenID/JWT-based authentication, and continuous monitoring, we create a robust, scalable API security framework that adapts to emerging threats while delivering a secure user experience."
If you'd like to make your API more secure without sacrificing your developer productivity try Zuplo's API gateway today and discover how easy it is to secure your APIs with our developer-first API management platform.
