Progress announced the latest release of Progress® Flowmon®, the network observability platform with AI-powered detection for cyberthreats, anomalies and fast access to actionable insights for greater network and application performance across hybrid cloud ecosystems.
Lock It Up: How to Secure the API Gateway
June 06, 2024
API security requires a holistic approach to the design, implementation, maintenance, and lifecycle management of all things API. With API traffic making up almost 70% of all Internet traffic, they are a lucrative target for cybercriminals.
84% of organizations admit they don’t currently have advanced API security in their stack, so it’s unsurprising that API-related security incidents cost global businesses as much as $75 billion annually.
The Role of the API Gateway
In microservice-based software architecture, the API gateway serves as an intermediary between the clients and backend systems and offers a centralized interface for API management and configuration.
API gateways traditionally feature capabilities like rate limiting, load balancing, routing, monitoring, logging, authentication, caching, traffic encryption, and API analytics for business purposes.
Though API gateways are considered vital to ensuring the security of public-facing APIs, they are not comprehensive API security solutions since they are not equipped to address threats and risks like business logic vulnerabilities in your API code (because these are unique to every API). Considering just how important API gateways are to your software's functionality and security, you must implement the security measures necessary to protect them.
Securing Your API Gateway
There are five main areas of your API gateway that you must lock up.
1. Authentication and Authorization
Properly implementing and managing robust authentication and authorization protocols is the basis for a secure API gateway. It ensures that parties are allowed access only to the resources they should be allowed to access. You can:
■ Use standardized and secure authentication methods like OpenID Connect and OAuth 2.0, and manage user authentication through a centralized server. Avoid handling (or saving) credentials within the API gateway.
■ Enforce the least privilege principle and granular role-based access controls and policies (RBAC) to minimize potential abuse.
2. Rate Limiting and Throttling
The API gateway is the central point for communication with APIs. Hence, it is prone to floods in the form of denial of service (DoS) attacks – one of the main threats to API security and availability.
Limiting request rates and employing bandwidth throttling mechanisms within the API gateway helps prevent these attacks while maintaining system availability and performance and ensuring fair distribution of API resources among clients. It also aids in curbing brute force attacks and exploits that rely on overloading systems with bogus traffic.
3. Secure Configuration, Request Handling, and Management
Zero trust API gateway security entails a secure-by-design approach to configuring and managing various aspects and functions of your API gateway. These include:
■ Reduce the API gateway attack surface by implementing secure defaults and enabling minimum feature functionalities (plus disabling the unused ones).
■ Maintain an up-to-date catalog of all APIs and their usage to ensure you’re not harboring shadow and zombie APIs (forgotten but still functional or hidden from view APIs) that unnecessarily expose your systems.
■ Enforce encryption everywhere with TLS/HTTPS protocols to ensure the confidentiality and integrity of data in transit to and from your API gateway.
■ Employ data and input validation, as well as request sanitization to protect against injection attacks (SQL, XSS, etc.) and prevent malformed or malicious payloads from reaching your systems.
■ Manage your API keys, secrets, and certificates using zero trust and least privilege access principles. Follow best practices for secret management, and take action to prevent unauthorized access to API resources or the management interface of your API gateway.
4. Regular Maintenance
Your API gateway is essentially a piece of software and, as such, needs regular configuration maintenance to address changes in business priorities and security patches and updates. To ensure your API gateway is not vulnerable to known threats and exploits in the wild, schedule regular software updates to it and, when possible, automate the update and patching processes.
5. Logging, Monitoring, Alerting, and Auditing
Monitoring, analyzing, and logging all of the traffic coming and going to and from your API gateways may require a great deal of computing resources. Still, it is necessary for several reasons.
■ Analyzing API gateway logs in context is one of the only ways to spot malicious activity over time.
■ Detect and address anomalies in API usage in real time.
■ Alert relevant stakeholders with contextual information.
■ Streamline forensic analysis of attacks.
■ Generate the necessary reports for security compliance audits.
The API Gateway and Beyond
The key to securing an API gateway is a zero-trust approach that limits access to your APIs to genuine requests while eliminating the threats and risks that API gateways are designed to protect against.
That said, API gateways are just one facet of API security. They should be employed as part of an end-to-end API security strategy encompassing API design through development and after deployment with consistent monitoring and a proactive approach.
Industry News
October 17, 2024
October 17, 2024
Mirantis announced the release of Mirantis OpenStack for Kubernetes (MOSK) 24.3, which delivers enterprise-ready and fully supported OpenStack Caracal, featuring enhancements tailored for artificial intelligence (AI) and high-performance computing (HPC).
October 17, 2024
StreamNative announced a managed Apache Flink BYOC product offering will be available to StreamNative customers in private preview.
October 17, 2024
Gluware announced a series of new offerings and capabilities that will help network engineers, operators and automation developers deliver network security, AI-readiness, and performance assurance better, faster and more affordably, using flawless intent-based intelligent network automation.
October 17, 2024
Sonar released SonarQube 10.7 with AI-driven features and expanded support for new and existing languages and frameworks.
October 16, 2024
Red Hat announced a collaboration with Lenovo to deliver Red Hat Enterprise Linux AI (RHEL AI) on Lenovo ThinkSystem SR675 V3 servers.
October 16, 2024
mabl announced the general availability of GenAI Assertions.
October 16, 2024
Amplitude announced Web Experimentation – a new product that makes it easy for product managers, marketers, and growth leaders to A/B test and personalize web experiences.
October 16, 2024
Resourcely released a free tier of its tool for configuring and deploying cloud resources.
October 15, 2024
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of KubeEdge.
October 15, 2024
Perforce Software announced its AI-driven strategy, covering four AI-driven pillars across the testing lifecycle: test creation, execution, analysis and maintenance, across all main environments: web, mobile and packaged applications.
October 15, 2024
OutSystems announced Mentor, a full software development lifecycle (SDLC) digital worker, enabling app generation, delivery, and monitoring, all powered by low-code and GenAI.
October 15, 2024
Azul introduced its Java Performance Engineering Lab, which collaborates with global Java developers and customers’ technical teams to deliver enhanced Java performance through continuous benchmarking, code modernization recommendations and in-depth analysis of performance impacts from new OpenJDK releases.
October 10, 2024
AWS has added support for Valkey 7.2 on Amazon ElastiCache and Amazon MemoryDB, a fully managed in-memory services.
October 10, 2024
MineOS announced a major upgrade: Data Subject Request Management (DSR) 2.0.
