5 ways to keep API integrations secure – Help Net Security
API integrations often handle sensitive data, such as employees’ personally identifiable information (PII), companies’ financial information, or even clients’ payment card data.
Keeping this data safe from attackers—while ensuring that the integrations perform at the desired level—requires adopting several security measures.
Taking these measures will only grow in importance since more and more organizations are looking to build customer-facing API integrations (i.e., product integrations). (After recently polling 260 product managers and engineers for our 2024 State of Product Integrations Report, we found that 83% of companies have identified product integration as one of their top priorities for this year.)
Organizations can build secure internal and customer-facing API integrations at scale by taking the following steps:
Adopt a holistic approach to security by using an API gateway
An API gateway uses several methods to minimize and prevent threats across API endpoints. These include the following (among others):
- Logging API requests so that they can easily be audited
- Applying global rate limits to avoid potential abuse and serve users more equitably
- Blocking requests from specific IP addresses and/or regions that are known for carrying out malicious activities
Use scopes to follow the principle of least privilege
Even after a user is authenticated and authorized, they likely shouldn’t (and don’t need to) access all the data from a given endpoint.
For example, a user needs specific details – first name, last name, manager, and job title – on employees from the company’s human resources information system (HRIS). The user should be able to get this information through an API request, while not being able to retrieve highly confidential information they don’t need (e.g., employees’ social security numbers and banking information).
Since scopes can define custom permissions for an access token, they can help facilitate scenarios like the one above. If an access token were to fall into the wrong hands, scopes prevent many negative consequences, as the individual who gets the access token can only access a limited set of data and functionality.
Regularly update software to minimize areas of weakness
To ensure that an application’s vulnerabilities get patched and that its security capabilities constantly improve, the application should be updated as often as possible.
One way to do this is by turning on alerts when an update is available for a given application. And if that’s not an option, other approaches exist, such as updating the operating system or using a third-party tool that can automatically update the application.
It’s worth noting that even when an application has the latest update installed, it can still present security risks. A static application security testing (SAST) tool can help identify and address any that exist in an updated application.
Enforce a specific rate limit for a given API endpoint
Rate limits can prevent a potential attacker from overwhelming an API endpoint so that real users can’t access it (i.e., a denial-of-service attack); it can control a flood of requests that come from multiple sources (i.e., a distributed denial-of-service attack); it can slow down brute force attacks; and it can prevent data scraping.
Aside from its security benefits, rate limits are worth using for a variety of other reasons: they help control costs, ensure reliable performance, reduce errors, enable the API provider to maintain compliance with specific data privacy regulations, and more.
Funnel logs to an SIEM solution to uncover security issues on time
Analyzing the logs from API calls at scale can be extremely time-intensive, as this requires combing through thousands, if not millions, of logs over time. Analyzing logs manually can also lead to costly human errors, such as missing a log that shows a potential security threat.
To make it easier to review logs and address any of the security issues they reveal, they can be added to a real-time security information and event management (SIEM) solution.
Through the SIEM solution, a predefined team or employee can receive real-time alerts on suspicious activities. The solution can also combine the logs with other data it stores to pinpoint more complex threats.