Modern businesses manage tens of thousands of APIs. While this interconnectedness fosters innovation and agility, it also creates a costly, sprawling attack surface. In 2022 alone, U.S. companies were estimated to have lost up to $23 billion from compromises linked to APIs, and 59% of organizations were forced to slow the rollout of new applications to production owing to API security concerns.

Although developers are largely responsible for creating and managing APIs within an organization, they rarely have access or control over the networking tools needed to secure them. To minimize API risk, developers must have the power to build them securely from the start. Here are the security measures and tools required to achieve the best results.

Step 1 of 7

14%

Which of the following best describes how you currently monitor and manage systems across your hybrid cloud environment?(Required)

Multiple separate tools for different environments

Multiple separate tools for different monitoring and management functions

Single consolidated dashboard

Custom built monitoring and management solution

No full monitoring and management solution

Don’t know

How valuable would it be for your monitoring and management solution to incorporate predictive analytics to help you identify and address system issues that are critical and not waste time or effort working through all the data and “noise” that is not critical?(Required)

Extremely valuable

Moderately valuable

Somewhat valuable

Slightly valuable

Not valuable

How do you most typically address potential system issues BEFORE they impact your operations?(Required)

Automated workflows and playbooks to remediate potential issues as soon as they are detected

An orchestrated response process that leverages automation, AI, and human expertise to rapidly respond to potential issues

Advanced monitoring tools such as predictive analytics and anomaly detection to proactively identify and address potential issues

Respond to issues as they arise, using manual processes and troubleshooting techniques

A combination of automated remediation, orchestrated response, and/or proactive monitoring to address potential system issues

Don’t know

Other

What methods does your organization use to control and monitor cloud/IT spending?(Required)

Centralized procurement processes

Pre-approved budget thresholds

Automated cost monitoring tools

Department-level spending controls

Regular cost audits and reviews

Cloud cost optimization platform

Approval workflows for resource provisioning

Native financial operations tools provided by the cloud provider

No formal controls in place

Don’t know

Other

Please specify:

Which methods do you rely on most to detect security vulnerabilities in your systems?(Required)

Automated scanning tools

Manual assessments

Vendor notifications

Threat modeling (for early detection)

None of these

Don’t know

Other

Please specify:

What are the TWO most common ways you prioritize vulnerabilities to address within your environment?(Required)

Based on potential impact

Based on exploitability

Regulatory compliance requirements

Based on CVSS scores

Risk-based analysis of multiple factors

First-in-first-out approach

No formal prioritization process

Don’t know

How do you typically handle system updates and security patches?(Required)

Automated updates and patches

Manually review and apply updates and patches on a regular schedule

A combination of automation and manual review

Apply updates and patches on an as-needed basis.

Outsourced update and patch management

No defined process

Don’t know

Other

Δ

API Security Best Practices

APIs are designed to help applications talk to one another — meaning they often have access to company and customer data, including financial information and transaction records. This is no secret, and is why hackers often target APIs, especially those exposed to network requests. To mitigate this risk, developers must implement security best practices across every API they build, including adding authentication and authorization, access controls and encryption for all API requests and responses.

Authentication and Authorization

Effective API security relies on authentication (who users are) and authorization (what users can do) to control access to resources. Client-side applications must include a token within the API call, allowing the service to validate the client’s identity through authentication using a standard like OAuth 2.0, OpenID Connect or JSON Web Tokens. Then, authorization should determine what actions are allowed for the authenticated client. This ensures that users or devices have only the minimum permissions required to perform specific tasks, following the principle of least privilege.

Access Controls

Any API that grants third-party access to internal systems and data should include robust access controls and monitoring. Developers can implement these controls through middleware to verify user identity, determine permitted actions and define when those actions are allowed to take place and for how long. Middleware can also rate limit and enforce security policies such as geo-fencing, I/O content validation and data sanitization. For advanced protection, developers must place APIs behind an API gateway, firewall or web application firewall using HTTPS to encrypt communication and filter out malicious traffic.

Encryption

Encrypting API requests and responses can help protect against eavesdropping and data breaches. Developers must use HTTPS as the communication protocol to encrypt all traffic and safeguard sensitive information such as credentials and data exchanged between the API and its clients. They can enable HTTP Strict Transport Security (HSTS) instead of redirecting to ensure API clients always use HTTPS, preventing accidental information leaks due to insecure connections. By building encryption into the core of the API, developers can ensure sensitive data remains protected during communication.

Improving API Security With Developer Access to Networking Tools

These best practices can greatly reduce the risk of API security breaches, but many developers don’t have direct access to the tools required to implement them. API gateways, which are used to manage API traffic, introduce risk because developers don’t have control over them. This increases the likelihood of a broken contract between the API services and traffic management, which can result in downtime and weakened security due to misconfigurations.

Developer-defined API gateways can eliminate this friction and streamline the deployment process. They allow developers to establish secure connectivity to their APIs by integrating ingress directly into them. Declaring ingress, which encompasses capabilities such as high performance, resilience, security and observability, directly in the application can simplify the development process and reduce security and performance incidents. Developers can ensure that API requests contain the exact parameters expected by the API to eliminate the risk of a broken contract, unauthorized access and more.

Giving developers access to robust traffic management tools like API gateways allows them to build secure APIs from the start. Combining that functionality with authentication and authorization, access controls and encryption can greatly reduce the instances of API-related compromises, all while improving time-to-market and performance. Developers are already tasked with creating and managing APIs; they must also be empowered to secure them easily.