What is API Security?
APIs (Application Programming Interfaces) are a key part of digital transformation strategies, and securing those APIs is a top challenge. APIs are a rapidly growing attack surface that isn't widely understood and can be overlooked by developers and security managers.
What are APIs?
Let’s let OWASP API Security Project take this: “APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.”
How API Based Apps are Different?
Again, from OWASP:
- The server is used more as a proxy for data
- The rendering component is the client, not the server
- Clients consume raw data
- APIs expose the underlying implementation of the app
- The user’s state is usually maintained and monitored by the client
- More parameters are sent in each HTTP request (object IDs, filters)
How is API security different from general application security?
API Security focuses on strategies to mitigate the unique security risks of APIs. Traditional vulnerabilities are less common in API-Based apps:
- SQLi – Increasing use of ORMs
- CSRF – Authorization headers instead of cookies
- Path Manipulations – Cloud-Based storage
- Classic IT Security Issues - SaaS
Why is API security important?
API security is important because businesses use APIs to connect services and to transfer data, and so a hacked API can lead to a data breach. API abuse issues have roughly doubled over the past 4 years, according to the 2019 Application Security Risk Report by Micro Focus Fortify. The data shows 35% of the analyzed Web applications had API abuse problems, and the incidence increased to 52% for mobile applications.
What is the OWASP API Security Top 10?
What API Security Solutions does Micro Focus have?
Fortify scan APIs with Fortify WebInspect:
- WebInspect detects exploitable vulnerabilities in web applications and APIs using fast, integrated and automated dynamic analysis.
- Scan basic API’s in seconds with support for OpenAPI (Swagger).
- For more advanced API scanning scenarios, use WebInspect’s Postman integration to support unique workflows, complicated authentication, and custom parameter requirements.
NetIQ Secure API Manager
- NetIQ Secure API Manager offers a single solution to create, manage, secure and measure the APIs that your company uses. Working together with Access Manager, Secure API manager provides a comprehensive access and security solution for all your web, mobile and API access requirements.
- Check out the NetIQ API Manager Datasheet
Watch these demos on our Fortify Unplugged YouTube channel: