Your browser is not supported

For the best experience, use Google Chrome or Mozilla Firefox.

What is API Security?

APIs (Application Programming Interfaces) are a key part of digital transformation strategies, and securing those APIs is a top challenge. APIs are a rapidly growing attack surface that isn't widely understood and can be overlooked by developers and application security managers.

What are APIs?

Let’s let OWASP API Security Project take this: “APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.”

How API Based Apps are Different?

Again, from OWASP:

  • The server is used more as a proxy for data
  • The rendering component is the client, not the server
  • Clients consume raw data
  • APIs expose the underlying implementation of the app
  • The user’s state is usually maintained and monitored by the client
  • More parameters are sent in each HTTP request (object IDs, filters)

How is API security different from general application security?

API Security focuses on strategies to mitigate the unique security risks of APIs. Traditional vulnerabilities are less common in API-Based apps:

  • SQLi – Increasing use of ORMs
  • CSRF – Authorization headers instead of cookies
  • Path Manipulations – Cloud-Based storage
  • Classic IT Security Issues - SaaS

Why is API security important?

API security is important because businesses use APIs to connect services and to transfer data, and so a hacked API can lead to a data breach. API abuse issues have roughly doubled over the past 4 years, according to the 2019 Application Security Risk Report by Micro Focus Fortify. The 2018 data show 35% of the analyzed Web applications had API abuse problems, and the incidence increased to 52% for mobile applications.

API security testing is one of the innovation factors in the Gartner MQ for Application Security Testing.

Organizations are...moving from more traditional monolithic web applications to more modern applications such as those that make heavy use of client-side JavaScript (and invoke many server-side APIs) or ones that utilize microservices architecture. This results in smaller distinct units of functionality and often results in an explosion of web APIs to interact with those microservices. Security testing of APIs is currently a challenge for organizations, which need better capabilities to automatically discover APIs and conduct testing than what current DAST and SAST technologies offer.

What is the OWASP API Security Top 10?

OWASP recently announced the API Security Top 10 Release Candidate. Read more about the OWASP API Security Project (and check out presentation deck in the Quick Links section). Here is the top 10:

  • API1 - Broken Object Level Authorization
  • API2- Broken User Authentication
  • API3 - Excessive Data Exposure
  • API4 - Lack of Resources & Rate Limiting
  • API5 - Broken Function Level Authorization
  • API6 - Mass AssignmentAPI7 Security Misconfiguration
  • API8 - Injection
  • API9 - Improper Assets Management
  • API10 - Insufficient Logging & Monitoring

Micro Focus helps with API Security

Fortify scan APIs with Fortify WebInspect:

  • WebInspect detects exploitable vulnerabilities in web applications and APIs using fast, integrated and automated dynamic analysis.
  • Scan basic API’s in seconds with support for OpenAPI(Swagger).
  • For more advanced API scanning scenarios, use WebInspect’s Postman integration to support unique workflows, complicated authentication, and custom parameter requirements.

Watch these demos on our Fortify Unplugged YouTube channel:

How does NetIQ Secure API Manager work?

  • Secure API Manager offers a single solution to create, manage, secure and measure the APIs that your company uses. Working together with NetIQ Access Manager, Secure API manager provides a comprehensive access and security solution for all your web, mobile and API access requirements.
  • Learn more: NetIQ API Manager Datasheet

Watch this demo on our NetIQ Unplugged YouTube channel:

 

Fortify Application Security

End-to-end application security testing.

Learn more

Fortify on Demand (FoD)

Fortify on Demand offers a complete application security as-a-service (AppSec SaaS) solution with SAST, DAST, IAST, RASP, SCA (open source security), and developer security training.

Learn more

Fortify Static Code Analyzer

Static Application Security Testing (SAST) with Fortify Static Code Analyzer identifies exploitable security vulnerabilities in source code.

Learn more

Fortify WebInspect

Fortify WebInspect dynamic application security testing (DAST) software finds and prioritizes exploitable vulnerabilities in web applications.

Learn more

NetIQ Secure API Manager

Secure and manage APIs of any kind: cloud, SaaS, web-services, micro-services, or IoT.

Learn more

Fortify Software Security Center

Fortify Software Security Center integrates and automates application security testing with visibility across the entire AppSec program, covering SAST, DAST, IAST, RASP, and SCA.

Learn more

Additional Resources

What is Application Security?
What is DevSecOps?
What is Open Source Security?
Fortify Unplugged YouTube Channel
Fortify Integration Ecosystem
Fortify Community
Wikipedia article: Web API security
TechBeacon article: OWASP API Security Top 10: Get your dev team up to speed
TechBeacon article: 8 essential best practices for API security
TestGuild Security Podcast: How to Security Test Your APIs with Troy Hunt
What is DAST?
Infographic: AppSec Cheat Sheet
What is Cyber Resillience?
Forrester Wave: Static Application Security Testing
Fortify Customer Success Stories
What is OWASP Top 10?
release-rel-2022-09-02-hotfix-8033 | Thu Sep 29 14:23:06 PDT 2022
8033
release/rel-2022-09-02-hotfix-8033
Thu Sep 29 14:23:06 PDT 2022
AWS