A New Resource for API Security Best Practices
The applicative infrastructure is becoming more and more complex due to different requirements, design patterns, and technologies. In many of these cases, one of those requirements is to connect other parties to systems, and in other cases, to connect systems to other parties. Nowadays, the most common connection method is to use Application Programming Interfaces (APIs).
Examples for API connectivity include:
- Connecting a SaaS application – a SaaS provider connecting to an application to read or write information and provide insights
- Connecting customer platforms – connecting a customer application (CRM, ERP, BI)
- Connecting a security or monitoring provider to an intern
API Security Considerations
Both deploying an API and consuming an API exposes an organization to different threats that may result in various risk levels. Areas of risk include API accessibility, the volume of data involved, the sensitivity of the data, integration frequency, data retention, third-party trust, and third-party security.
Building a thoroughly secure applicative infrastructure requires a planned, detailed, and on-going organizational process that enables the IT security / cybersecurity team to provide security architecture-related input about different components of the applicative infrastructure and the development lifecycle. As security practices and controls can be carried out across development, testing, and implementation ecosystems, security teams should provide guidelines that cover all these areas – which is not a simple task.
Security Guidelines for Providing and Consuming APIs
Enter the new Cloud Security Alliance (CSA) document – Security Guidelines for Providing and Consuming APIs. This new initiative is intended to be used by CISOs, Application Security Architects, Software Developers, and other related IT security personnel. The document focuses on providing these guidelines in a manner that corresponds with the development cycle phases of Design, Development, Testing, Implementation, and Monitoring.
The document provides a framework to tackle the aforementioned task in a thorough manner and consists of a usable list of security considerations to estimate the risk involved with a specific connectivity and a technical checklist of security controls that are divided in the document by the different phases of the development lifecycle. It can also be used as an internal reference or the basis for the creation of in-house standards and processes.
Scope of the Document
The document is composed of two parts:
- Risk assessment for connectivity: The purpose of Part 1 is to understand the risk associated with third-party connectivity and the business impact.
- Control checklist for secure connectivity: The purpose of Part 2 is to provide security controls for third-party access. There are two parts to this checklist: ingress access and egress access.
There are also four appendices, covering two additional use cases of secure connectivity:
A. Mapping the controls checklist to OWASP API security top ten
B. Reading/writing internal data directly to a local infrastructure service (i.e., accessing a bucket or direct database access)
C. Connecting third-party applications or components from marketplaces
Using the new document, organizations will be able to benefit from the secure establishment of APIs or third-party connectivity based on industry best practices and recommendations.
Download the full paper, Security Guidelines for Providing and Consuming APIs, to learn more.