…As Federal agencies seek to incorporate an application programming interface (API) strategy into their IT modernization initiatives, a word of caution: make sure you have API-specific security integrated into your IT infrastructure.
OWASP has identified five key steps for protecting APIs. The organization recommends that agencies should fully understand the threat model and what defenses they have in place, especially as it concerns the often overlooked APIs that are tying everything together. Their specific advice can be broken down into five major points. They include:
- Ensure that you have secured communications between the client and your APIs.
- Ensure that you have a strong authentication scheme for your APIs, and that all credentials, keys, and tokens have been secured.
- Ensure that whatever data format your requests use, that the parser configuration is hardened against attack.
- Implement an access control scheme that protects APIs from being improperly invoked, including unauthorized function and data references.
- Protect against injection of all forms, as these attacks are just as viable through APIs as they are for normal apps.