Cyberlands.io - API Penetration Testing
API Security Guide

TOP-12 API Security Controls

In the API world, the volume and velocity of HTTP requests from users can change unexpectedly, making back-end behaviour unpredictable. Such changes can also be the result of a deliberate effort to harm your digital systems, so they should be tracked and prevented by security controls.

Below are the top 12 API security controls, grouped into development, operations and security controls, that protect the confidentiality of your user records and the availability of your services.

API Development Controls

  1. API Documentation. Proper documentation (for example an OpenAPI/Swagger specification) is essential for the sustainable development and operation of your API.

  2. API Schema Checks. An API should adhere to the industry-accepted standard (OpenAPI), and the easiest way to enforce it is to validate every request (and response) against the published schema, rejecting unexpected fields, wrong types and out-of-range values before they reach business logic.

  3. Authentication. Authenticate before processing a request: every request should come from an authenticated user or client. Standard protocols such as OAuth are a great help here.

  4. Authorisation is another excellent control: it limits each authenticated identity to what is necessary for its specific tasks, including checking that the caller actually owns the object it is asking for. This limits the exposure from a compromised account and limits potential financial losses if your cloud provider bills you for over-usage.

  5. Logging. Logging is your eyes: without it you have no idea what happened to your API endpoint or back-end, or why.
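The five development controls above form one pipeline per request. The following is an added example (not code from the original page or from Cyberlands) that wires them together in Python: a minimal schema validator for a subset of OpenAPI/JSON Schema keywords, an HMAC-signed bearer token standing in for an OAuth access token, an object-level ownership check, and one structured log line per request. The transfer schema, the signing key and the account-ownership table are all constructed for the example.

```python
import hashlib
import hmac
import json
import logging
import time

# Hypothetical request schema for a "transfer" endpoint, using a subset of
# OpenAPI/JSON Schema keywords; constructed for this example.
TRANSFER_SCHEMA = {
    "type": "object",
    "required": ["account_id", "amount"],
    "additionalProperties": False,  # positive model: unknown fields are rejected
    "properties": {
        "account_id": {"type": "string", "maxLength": 36},
        "amount": {"type": "number", "minimum": 0.01, "maximum": 10000},
        "memo": {"type": "string", "maxLength": 140},
    },
}
PY_TYPES = {"object": dict, "string": str, "number": (int, float)}


def validate(value, schema, path="$"):
    """Schema check: return a list of violations; an empty list means the value conforms."""
    expected = schema["type"]
    # bool is a subclass of int in Python, so exclude it from "number"
    if not isinstance(value, PY_TYPES[expected]) or isinstance(value, bool):
        return [f"{path}: expected {expected}"]
    errors = []
    if expected == "object":
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required")
        props = schema.get("properties", {})
        for key, sub in value.items():
            if key in props:
                errors += validate(sub, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{key}: unexpected field")
    elif expected == "string" and len(value) > schema.get("maxLength", len(value)):
        errors.append(f"{path}: longer than {schema['maxLength']} characters")
    elif expected == "number":
        if value < schema.get("minimum", value):
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if value > schema.get("maximum", value):
            errors.append(f"{path}: above maximum {schema['maximum']}")
    return errors


SIGNING_KEY = b"demo-signing-key-replace-me"  # constructed; keep real keys out of code


def issue_token(user_id, ttl=3600, now=None):
    """Mint an HMAC-signed bearer token 'user.expiry.signature' (stand-in for an OAuth access token)."""
    exp = int((now if now is not None else time.time()) + ttl)
    body = f"{user_id}.{exp}"
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def authenticate(token, now=None):
    """Authentication: return the user id for a correctly signed, unexpired token, else None."""
    try:
        user_id, exp, sig = token.split(".")
        exp = int(exp)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SIGNING_KEY, f"{user_id}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if exp <= (now if now is not None else time.time()):
        return None
    return user_id


# Constructed ownership table: authorisation is object-level, not just "is logged in".
ACCOUNT_OWNERS = {"acc-1": "alice", "acc-2": "bob"}


def authorize(user_id, account_id):
    return ACCOUNT_OWNERS.get(account_id) == user_id


log = logging.getLogger("api")


def handle_transfer(headers, raw_body, now=None):
    """Run the controls in order (authenticate, schema-check, authorise) and log the outcome.
    Returns (http_status, detail)."""
    started = time.perf_counter()
    auth = headers.get("Authorization", "")
    user = authenticate(auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
    if user is None:
        outcome = (401, "missing, invalid or expired token")
    else:
        try:
            body = json.loads(raw_body)
        except json.JSONDecodeError:
            body, problems = None, ["$: body is not valid JSON"]
        else:
            problems = validate(body, TRANSFER_SCHEMA)
        if problems:
            outcome = (400, "; ".join(problems))
        elif not authorize(user, body["account_id"]):
            outcome = (403, f"{user} does not own {body['account_id']}")
        else:
            outcome = (200, f"transfer of {body['amount']} from {body['account_id']} accepted")
    # Logging: one structured line per request with caller, decision and latency, never the raw token.
    log.info(json.dumps({"user": user, "status": outcome[0], "detail": outcome[1],
                         "ms": round((time.perf_counter() - started) * 1000, 3)}))
    return outcome
```

The order matters: authentication comes first so that unauthenticated callers never exercise the parser, the schema check rejects unexpected fields (such as an injected "admin" flag) before any business logic runs, and the ownership check is done against the specific object in the request rather than against a role alone.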

API Operations Controls

  1. API Limits & Usage Management policies are the traffic rules for your API. Among them are geolocation access control (geo-fencing) and geo-velocity checks, API rate limiting (spike arrest and concurrent-request limits), API throttling and API quotas.

  2. API Shielding. No API back-end should be reachable directly from the Internet. Mobile app SDKs, CDNs, API gateways and WAFs are popular places to implement API Limits & Usage Management policies; note that anything enforced only inside a mobile app can be bypassed by a client that talks to the API directly, so the server-side layer must enforce the policy too.

  3. API Monitoring shows you how fast your API is and lets you see the time each layer of your application spends processing a request.
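The policies listed under API Limits & Usage Management are easiest to understand as one decision function per request. The following is an added example (not code from the original page or from Cyberlands) of a small in-memory limiter that enforces geo-fencing, spike arrest over a rolling one-second window, a daily quota, a concurrent-request limit and a geo-velocity check in one pass. The policy values, the API keys and the coordinates in the usage trace are constructed for the example; a production gateway would keep the same counters in shared storage.

```python
import math
from collections import defaultdict, deque

# Policy values are constructed for this example, not taken from any real gateway.
POLICY = {
    "allowed_countries": {"NL", "DE"},  # geo-fencing
    "spike_per_second": 5,              # spike arrest: max requests in any rolling 1 s window
    "quota_per_day": 1000,              # quota: requests per API key per UTC day
    "max_concurrent": 2,                # concurrent rate limit: in-flight requests per key
    "max_speed_kmh": 1000.0,            # geo-velocity: faster than this between requests is implausible
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class ApiLimiter:
    """Applies the usage policies in order, cheapest and most decisive checks first."""

    def __init__(self, policy=POLICY):
        self.p = policy
        self.window = defaultdict(deque)  # key -> timestamps of requests in the last second
        self.quota = defaultdict(int)     # (key, day) -> requests counted against the quota
        self.inflight = defaultdict(int)  # key -> requests currently being processed
        self.last_seen = {}               # key -> (timestamp, lat, lon) of the last admitted request

    def check(self, key, ts, country, lat, lon):
        """Return None if the request may proceed, otherwise the name of the policy that
        rejected it. Callers must call release(key) when an admitted request finishes."""
        if country not in self.p["allowed_countries"]:
            return "geo-fence"
        win = self.window[key]
        while win and ts - win[0] >= 1.0:  # slide the 1 s window forward
            win.popleft()
        if len(win) >= self.p["spike_per_second"]:
            return "spike-arrest"
        day = int(ts // 86400)
        if self.quota[(key, day)] >= self.p["quota_per_day"]:
            return "quota"
        if self.inflight[key] >= self.p["max_concurrent"]:
            return "concurrency"
        prev = self.last_seen.get(key)
        if prev is not None:
            pts, plat, plon = prev
            hours = max(ts - pts, 1e-6) / 3600.0
            if haversine_km(plat, plon, lat, lon) / hours > self.p["max_speed_kmh"]:
                return "geo-velocity"
        # Admitted: charge the request to every counter.
        win.append(ts)
        self.quota[(key, day)] += 1
        self.inflight[key] += 1
        self.last_seen[key] = (ts, lat, lon)
        return None

    def release(self, key):
        """Mark an admitted request as finished (frees a concurrency slot)."""
        self.inflight[key] = max(0, self.inflight[key] - 1)


def run_trace(limiter, trace):
    """Replay (key, ts, country, lat, lon) requests that each finish immediately;
    returns the limiter's decision for each."""
    decisions = []
    for key, ts, country, lat, lon in trace:
        d = limiter.check(key, ts, country, lat, lon)
        decisions.append(d)
        if d is None:
            limiter.release(key)
    return decisions
```

Rejections are returned by policy name so that the gateway can answer with the right status and so that monitoring can count which rule fires; the geo-velocity rule in particular is only meaningful when the previous request was admitted, which is why last_seen is updated after all other checks pass.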

API Security Controls

  1. API Discovery. Sometimes APIs are left unattended by security teams, or there are "shadow APIs" nobody knows about. An API Discovery control finds all exposed APIs (for example from gateway and access logs) and reports them to the security team.

  2. API Pentest. A penetration test is the most flexible way to test API security controls. As an API penetration testing provider, we recommend designing and implementing your API security controls before ordering an API penetration test.

  3. API DDoS Simulation. Nowadays almost all DDoS simulations are API DDoS simulations: they check the back-end's and the API's ability to process users' requests, and the effectiveness and correctness of the API Limits and Usage policies.

  4. API Security Monitoring. The last and most advanced security control is API Security Monitoring. It serves as the last line of defence, detecting anomalies in API request sequences and API queries (for example one client walking through object identifiers, or a burst of authentication failures).
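API Discovery (item 1) and API Security Monitoring (item 4) both start from the same raw material, the access log, so one added example serves both. The Python below is not code from the original page or from Cyberlands: it parses a constructed Common Log Format sample, collapses numeric and UUID path segments into an "{id}" template, reports every observed endpoint missing from a hypothetical OpenAPI endpoint list (discovery of shadow APIs), and then flags two request-sequence anomalies per client, object-id enumeration and bursts of 401/403 responses. The spec endpoint list, the IP addresses and the log lines are all constructed.

```python
import re
from collections import defaultdict

# Endpoints listed in the (hypothetical) OpenAPI specification; anything else
# that answers on the wire is a shadow API.
SPEC_ENDPOINTS = {"GET /v1/users/{id}", "GET /v1/orders/{id}", "POST /v1/orders"}

# Constructed access-log sample in Common Log Format (not a real capture).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /v1/users/1042 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /v1/users/1043 HTTP/1.1" 200 498
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /v1/users/1044 HTTP/1.1" 200 501
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /v1/users/1045 HTTP/1.1" 200 503
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /v1/users/1046 HTTP/1.1" 200 499
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /v1/orders HTTP/1.1" 201 88
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /v1/orders/77 HTTP/1.1" 200 640
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /v2/users/1042/export HTTP/1.1" 401 0
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /v2/users/1042/export HTTP/1.1" 401 0
192.0.2.9 - - [10/Oct/2023:13:57:13 +0000] "GET /v2/users/1042/export HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+$'
)
# Path segments that are numeric ids or UUIDs become "{id}", so that /users/1042 and
# /users/1043 collapse onto one endpoint template.
ID_SEG = re.compile(r'/(\d+|[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})(?=/|$)')


def parse(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    return {"ip": m["ip"], "method": m["method"], "path": path,
            "template": ID_SEG.sub("/{id}", path), "status": int(m["status"])}


def discover_shadow_apis(lines, spec=SPEC_ENDPOINTS):
    """API Discovery: return {endpoint: hit count} for observed endpoints absent from the spec."""
    observed = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        observed[f"{rec['method']} {rec['template']}"] += 1
    return {ep: n for ep, n in observed.items() if ep not in spec}


def detect_anomalies(lines, enum_threshold=5, auth_fail_threshold=3):
    """API Security Monitoring: return (client_ip, alert, detail) tuples for
    object-id enumeration and bursts of 401/403 responses per client."""
    ids_seen = defaultdict(set)   # (ip, template) -> distinct object ids requested
    auth_failures = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        if rec["status"] in (401, 403):
            auth_failures[rec["ip"]] += 1
        if "{id}" in rec["template"]:
            # pair each {id} placeholder with the concrete value from the real path
            for tmpl_seg, real_seg in zip(rec["template"].split("/"), rec["path"].split("/")):
                if tmpl_seg == "{id}":
                    ids_seen[(rec["ip"], rec["template"])].add(real_seg)
    alerts = []
    for (ip, tmpl), ids in ids_seen.items():
        if len(ids) >= enum_threshold:
            alerts.append((ip, "id-enumeration", f"{len(ids)} distinct ids on {tmpl}"))
    for ip, n in auth_failures.items():
        if n >= auth_fail_threshold:
            alerts.append((ip, "auth-failure-burst", f"{n} responses with 401/403"))
    return alerts
```

On the sample, discovery reports the undocumented /internal/debug/config endpoint and the /v2 export route, while monitoring flags the client that walked five consecutive user ids and the client that collected three authorisation failures. The thresholds are deliberately low for a short sample; in production they are tuned per endpoint against normal traffic.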

Afterword
These 12 API security controls allow any application to be secured, no matter when or how it was built. Nevertheless, they work best in combination with each other. If you want to continue your journey in securing your digital startup or service, check our "Cybersecurity for Fintech MVP" guide.

You can also implement API Security Monitoring for your GraphQL or REST API significantly faster and more easily by employing a specialised API security suite; comparisons of such suites are listed below:

  1. apisec vs Data Theorem
  2. apisec vs IMVision
  3. apisec vs Traceable
  4. Data Theorem vs Traceable
  5. Data Theorem vs 42Crunch
  6. sqreen vs IMVision
Alex Bodryk
Cyberlands, Co-founder & managing director