Your browser is not supported

For the best experience, use Google Chrome or Mozilla Firefox.

What is API Security?

bg

Overview

APIs (Application Programming Interfaces) are a key part of digital transformation strategies, and securing those APIs is a top challenge. APIs are a rapidly growing attack surface that isn't widely understood and can be overlooked by developers and application security managers.

What are APIs?

Let’s let OWASP API Security Project take this: “APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.”

How are API-Based Apps Different?

Again, from OWASP:

  • The server is used more as a proxy for data.
  • The rendering component is the client, not the server.
  • Clients consume raw data.
  • APIs expose the underlying implementation of the app.
  • The user’s state is usually maintained and monitored by the client.
  • More parameters are sent in each HTTP request (object IDs, filters).

How is API security different from general application security?

API Security focuses on strategies to mitigate the unique security risks of APIs. Traditional vulnerabilities are less common in API-based apps:

  • SQLi – Increasing use of ORMs.
  • CSRF – Authorization headers instead of cookies.
  • Path Manipulations – Cloud-based storage.
  • Classic IT Security Issues - SaaS.

Why is API security important?

API security is important because businesses use APIs to connect services and to transfer data, so a hacked API can lead to a data breach. According to Gartner, 90% of web-enabled applications will have more attack surface area in exposed APIs rather than in the user interface.

API Usage Continues to Rise

According to Forrester, from December 2020 to June 2021, the percentage of API traffic that was malicious grew 85%. In December 2021, Cloudflare reported that API calls accounted for 54% of total requests and increased 21% from February to December 2021. Attackers have taken notice and increased their focus on APIs.

bg

API security testing is part of the core capabilities in the Gartner MQ for Application Security Testing.

APIs have become an essential part of modern applications (e.g., single-page or mobile applications), but traditional AST toolsets may not fully test them, leading to the requirement for specialized tools and capabilities. The ability to discover APIs in both development and production environments and test API source code, as well as the ability to ingest recorded traffic or API definitions to support the testing of a running API, are typical functions.

What is the OWASP API Security Top 10?

OWASP recently announced the API Security Top 10 Release Candidate. Read more about the OWASP API Security Project (and check out presentation deck in the Quick Links section). Here is the top 10:

  • API1 - Broken Object Level Authorization
  • API2- Broken User Authentication
  • API3 - Excessive Data Exposure
  • API4 - Lack of Resources & Rate Limiting
  • API5 - Broken Function Level Authorization
  • API6 - Mass AssignmentAPI7 Security Misconfiguration
  • API8 - Injection
  • API9 - Improper Assets Management
  • API10 - Insufficient Logging & Monitoring

Fortify helps with API Security

API Security with Fortify:

  • Attack Surface Coverage – Discover new and shadow API endpoints automatically during testing and identify the breadth of endpoints with OpenAPI, Swagger, Odata, or WSDL schemas.
  • API Authentication – API authentication is varied and complex. Fortify supports virtually all types of bearer tokens and implementations.
  • Vulnerability Detection – Ever-expanding coverage of API-specific vulnerabilities affecting areas such as bearer tokens or GraphQL introspection.
  • Scan Automation – Scale API testing with enterprise-grade orchestration delivered via SaaS, hosted, or on premise.

Watch these demos on our Fortify Unplugged YouTube channel

Resources

Assets

What is Application Security?
What is DevSecOps?
What is Open Source Security?
Fortify Unplugged YouTube Channel
Fortify Integration Ecosystem
Fortify Community
Wikipedia article: Web API security
TechBeacon article: OWASP API Security Top 10: Get your dev team up to speed
TechBeacon article: 8 essential best practices for API security
TestGuild Security Podcast: How to Security Test Your APIs with Troy Hunt
What is DAST?
Infographic: AppSec Cheat Sheet
What is Cyber Resillience?
Forrester Wave: Static Application Security Testing
Fortify Customer Success Stories
What is OWASP Top 10?

Related Products

Fortify Application Security

End-to-end application security testing.

View portfolio page

Fortify on Demand by OpenText™

Fortify on Demand offers a complete application security as-a-service (AppSec SaaS) solution with SAST, DAST, IAST, RASP, SCA (open source security), and developer security training.

View product page

Fortify Static Code Analyzer by OpenText™

Static Application Security Testing (SAST) with Fortify Static Code Analyzer identifies exploitable security vulnerabilities in source code.

View product page

Fortify WebInspect by OpenText™

Fortify WebInspect dynamic application security testing (DAST) software finds and prioritizes exploitable vulnerabilities in web applications.

View product page

NetIQ Secure API Manager by OpenText™

Secure and manage APIs of any kind: cloud, SaaS, web-services, micro-services, or IoT.

View product page

Fortify Software Security Center by OpenText™

Fortify Software Security Center integrates and automates application security testing with visibility across the entire AppSec program, covering SAST, DAST, IAST, RASP, and SCA.

View product page
    See all related products
    API Security

    Get started today.

    Learn more
    release-rel-2023-9-2-9373 | Wed Sep 20 05:02:54 PDT 2023
    9373
    release/rel-2023-9-2-9373
    Wed Sep 20 05:02:54 PDT 2023
    AWS