API Security: Blue Teaming Exercises

The first step to establishing your API security program is to obtain visibility. The proliferation of APIs across a distributed infrastructure inevitably leads to API sprawl, and most organizations don’t know how many APIs they have or how they’re utilized. Developers often stand up new APIs or reuse existing ones, but much of this is out of sight of security. As a result, the attack surface created by APIs is significantly larger than most organizations realize.

Once you know what APIs you have and are familiar with their functionality, it’s time to think about protecting them. Protection falls under three categories that most security professionals are familiar with: red teaming, blue teaming, and purple teaming.

API Security Blue Teaming

Blue teaming is the defensive side of security. This includes efforts to prevent, mitigate, and respond to security incidents. For the purposes of an API security program, blue teaming efforts should focus on the following:

(Note: the following is not an exhaustive list of protection mechanisms, but key concepts that will give your program a solid start.)

API Management Via API Gateway

An API gateway is a mediator between your APIs and external clients. API gateways manage the operational aspects that keep APIs running properly. API gateways cover a variety of operational tasks such as controlling access, translating RESTful requests to SOAP, or elastically scaling resources if there is a spike of traffic hitting an API.

Logging and Monitoring

To detect an attack, you need accurate and efficient logging of API activity. Capture all the events that occur and put the logs in a centralized tool or technology that is actively monitored and assessed, such as a SIEM or data lake. Monitor these logs and track API activity over time, identifying potential security threats and responding to incidents as they arise. Set up alerts to flag anomalous activity so you can get immediate notification and decide if a response is required.

API and Application Protection

Real-time scanning of all inbound and east-west API traffic is critical to effectively identify and block attacks, and can be accomplished with the support of technology. API threat protection solutions, for example, support all API infrastructures as well as many traditional web assets with the sole purpose of monitoring and identifying risky behavior and attacks. These solutions focus on understanding the API attack surface, detecting and blocking the ever-growing spectrum of modern API threats, and keeping up with the changing techniques attackers use to evade detection. An API threat protection solution can also provide an integrated view of risk, which is essential for repelling modern attacks and demands considerable expertise and focus to keep pace with evolving threats.

Oauth and Tokens

When it comes to authentication, a username and password are not typically passed in day-to-day API calls. Instead, Oauth and JWT tokens are the standard to authenticate to an API. An API key or bearer authentication token is passed in the HTTP header or in the JSON body of a RESTful API. Tokens should expire regularly. Most enterprises use an internal database or DLAP authentication store, though Oauth may be an option for highly public APIs.