SaltSecurity-Checklist-API Security Best Practices

The API Security Checklist by Salt Security outlines essential best practices for enhancing API security, emphasizing the importance of posture governance, documentation, and security testing. It covers various areas including secure design, API discovery, logging, authentication, and incident response, encouraging organizations to prioritize and gradually implement these practices. The checklist serves as a comprehensive guide to help organizations close security gaps and improve their overall API security strategy.

API Security Checklist

This API Security Checklist from Salt Security will help you close the gaps in your API security strategy. Each item in the checklist is arguably just as critical as the next, but don't get overwhelmed. The checklist is provided to help you navigate the top items in each area of best practice, and you may opt to emphasize the sets of best practices where you already have technology investments or staff. Here are some suggestions on how to scope the problem and prioritize activities:

Security test your APIs, but know that you will also need posture governance to catch changes that don't go through the standard build process, and abuses that testing tools aren't designed to find.

Ensure that you are covering all of your environments and your digital supply chain, which is more than just the APIs mediated by your API
gateways or API management suite.

If you do nothing else, focus on posture governance as a way to lower risk, create API security guardrails, and buy time for application and API
teams.
A: API secure design and development
You don’t need to reinvent the wheel with security requirements. The OWASP Application Security Verification Standard (ASVS) is a good source that is useful for all types of application designs. For this part of the API Security Checklist, be sure to include API integration,
and streamline threat modeling of APIs.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
A1 – Draft security requirements for building and integrating APIs
A2 – Include business logic in design reviews
A3 – Draft secure coding and configuration practices relevant to your technology stacks

B: API documentation
Documentation is useful for the application and API teams that are building or integrating APIs. Adequate documentation also provides benefits to a range of activities including design reviews, security testing, operations, and protection.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
B1 – Use machine formats like OpenAPI Specification (OAS)
B2 – Repurpose API schema as a basic testing approach and protection approach
B3 – Have a contingency plan for documentation discrepancies and API drift

C: API discovery and cataloging
API documentation, while a best practice in itself, might not be done consistently. Automated discovery of API endpoints, parameters and data types is crucial for all organizations. This section of the API Security Checklist focuses on creating an accurate API inventory to serve many IT needs within your organization.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
C1 – Discover APIs in lower environments and not just production
C2 – Include API dependencies, or third-party APIs
C3 – Tag and label APIs and microservices as a DevOps best practice
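The following is an added example (not Salt Security's code) of what B2 and B3 mean in practice, and why C1's discovery data feeds the same check: a schema in OpenAPI style is used both to validate requests and to flag traffic the documentation does not describe (shadow endpoints, undocumented methods, unexpected parameters). The spec, the routes and the traffic sample are constructed for illustration; only the standard library is used, and the validator is deliberately minimal compared with a full OpenAPI validator.

```python
"""Use an API schema as a request validator (B2) and as a drift detector
(B3/C1).  Stdlib only.  Spec and traffic below are constructed for this
example; the paths and parameter names are assumptions, not a real service."""
import re

# Minimal OpenAPI-shaped spec (constructed): per path, per method, the
# parameters with their location, type and whether they are required.
SPEC = {
    "/users/{userId}": {
        "get": {
            "parameters": [
                {"name": "userId", "in": "path", "required": True, "type": "integer"},
                {"name": "fields", "in": "query", "required": False, "type": "string"},
            ]
        }
    },
    "/users/{userId}/orders": {
        "get": {
            "parameters": [
                {"name": "userId", "in": "path", "required": True, "type": "integer"},
                {"name": "limit", "in": "query", "required": False, "type": "integer"},
            ]
        }
    },
}

_TYPE_CHECK = {
    "integer": re.compile(r"^-?\d+$").match,
    "string": lambda s: True,
}


def _compile_path(template):
    """Turn '/users/{userId}' into a regex with one named group per variable."""
    pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
    return re.compile("^" + pattern + "$")


def match_path(spec, path):
    """Return (template, path_params) for the first spec path that matches."""
    for template in spec:
        m = _compile_path(template).match(path)
        if m:
            return template, m.groupdict()
    return None, {}


def validate_request(spec, method, path, query):
    """Check one request against the spec.  Returns a list of findings; an
    empty list means the request conforms.  Unknown paths and methods, missing
    required params, wrong types and undocumented query params are all
    reported, so the same function doubles as a drift detector."""
    template, path_params = match_path(spec, path)
    if template is None:
        return ["undocumented path: %s %s" % (method.upper(), path)]
    op = spec[template].get(method.lower())
    if op is None:
        return ["undocumented method: %s %s" % (method.upper(), template)]

    findings = []
    declared = {p["name"]: p for p in op["parameters"]}
    supplied = dict(path_params)
    supplied.update(query)
    for name, p in declared.items():
        if p["required"] and name not in supplied:
            findings.append("missing required %s param %r" % (p["in"], name))
        elif name in supplied and not _TYPE_CHECK[p["type"]](str(supplied[name])):
            findings.append("param %r is not %s: %r" % (name, p["type"], supplied[name]))
    for name in query:
        if name not in declared:
            # A parameter the spec never mentions is the drift B3 asks you to
            # plan for; it may also be a mass-assignment probe.
            findings.append("undocumented query param %r" % name)
    return findings


def drift_report(spec, observed):
    """Run a traffic sample through the validator; summarise drift per route."""
    report = {}
    for method, path, query in observed:
        for f in validate_request(spec, method, path, query):
            report.setdefault("%s %s" % (method.upper(), path), []).append(f)
    return report


# Constructed traffic sample: what a gateway log or discovery tool might show.
OBSERVED = [
    ("GET", "/users/42", {}),
    ("GET", "/users/42/orders", {"limit": "ten"}),
    ("GET", "/users/42", {"isAdmin": "true"}),
    ("DELETE", "/users/42", {}),
    ("GET", "/internal/debug/dump", {}),
]

if __name__ == "__main__":
    for route, findings in drift_report(SPEC, OBSERVED).items():
        print(route, "->", findings)
```

Run against the constructed sample, the report flags the DELETE method and the /internal/debug/dump path that the spec never documented, the non-integer `limit`, and the undocumented `isAdmin` parameter; the conforming request produces nothing. Feeding real discovery output (C1) into `drift_report` is the contingency check B3 calls for.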

D: API Posture Governance

Posture governance refers to the ongoing assessment of your API security posture and how well it aligns with industry best practices. It includes processes and tools to maintain visibility into your API landscape and ensure compliance with security standards.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
D1 – Align API security posture with industry best practices (e.g., OWASP API Security Top 10)
D2 – Establish a process to identify all sensitive data in your APIs
D3 – Use a centralized platform to manage API posture governance rules across all environments
E: API security testing
Use traditional security testing tools to verify certain elements of an API implementation such as well-known misconfigurations or vulnerabilities, but realize these tools have limitations. No scanner is adept at parsing business logic, which also leaves organizations exposed to major forms of API abuse.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
E1 – Statically analyze API code automatically as part of version control and CI/CD
E2 – Check for known vulnerable dependencies in your API code
E3 – Dynamically analyze and fuzz deployed APIs to identify exploitable code in runtime

F: Logging and monitoring


All of the telemetry you collect ultimately informs detection, incident response, and runtime protection. This logging and monitoring data is also useful for constructing baselines of what constitutes “normal” so that any outlier events can be quickly identified and resolved.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
F1 – Define all the infrastructure, application, and API elements that must be logged
F2 – Factor in non-security use cases such as API performance and uptime measures
F3 – Allocate enough storage for API telemetry, which will likely lead you to cloud storage

G: API mediation and architecture


Any good API Security Checklist must include steps to follow for API mediation. Mediation will help you achieve improved visibility, accelerated delivery, increased operational flexibility, and improved enforcement capabilities, particularly when it comes to API access
control.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
G1 – Mediate APIs to improve observability and monitoring capabilities
G2 – Use mediation mechanisms like API gateways to enforce access control
G3 – Augment your mediation mechanisms with API security tooling that can provide deeper context

H: Network security
A primary goal of zero trust architecture is to enforce concepts of least privilege and restrict network access dynamically. However, connectivity must be present for APIs to function, and many API attacks still occur in trusted channels and authenticated sessions.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
H1 – Enable encrypted transport to protect the data your APIs transmit
H2 – Use IP address allow and deny lists if you have small numbers of API consumers
H3 – Look to dynamic rate limiting and rely on static rate limiting as a last resort
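An added example (not Salt Security's code) of the distinction H3 draws between static and dynamic rate limiting. A static token bucket sized for normal use lets a low-and-slow attacker through indefinitely, because the attacker simply stays under the fixed limit; a dynamic limiter that watches how the API answers a consumer (mostly 401/403/404 means credential guessing or id enumeration) shrinks that consumer's budget while leaving a well-behaved consumer at the same request rate untouched. The rates, window size and the simulated clients are constructed; the limiter keys on a consumer identity, which is assumed to be an authenticated client id or, failing that, a source address.

```python
"""Static vs dynamic rate limiting (H3).  Added example; thresholds and the
simulated traffic are constructed.  Time is an integer millisecond clock
supplied by the caller so the example is deterministic."""
from collections import deque


class TokenBucket:
    """Static limiter: refill `rate` tokens per second, burst up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:
            refill = (now_ms - self.last_ms) * self.rate / 1000
            self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def record(self, status):
        pass  # a static limiter ignores how the API answered


class AdaptiveLimiter(TokenBucket):
    """Dynamic limiter: the refill rate is scaled by the share of recent
    non-error responses.  A consumer collecting mostly 401/403/404 (credential
    guessing, id enumeration) is squeezed toward `min_rate`; a consumer with
    the same request rate but 200s keeps the full allowance."""

    def __init__(self, rate, capacity, window=8, min_rate=1):
        super().__init__(rate, capacity)
        self.base_rate = rate
        self.min_rate = min_rate
        self.recent = deque(maxlen=window)   # last `window` response statuses

    def error_ratio(self):
        if not self.recent:
            return 0.0
        return sum(1 for s in self.recent if 400 <= s < 500) / len(self.recent)

    def allow(self, now_ms):
        # Never below min_rate: a legitimate but unlucky client is throttled,
        # not cut off.
        self.rate = max(self.min_rate, self.base_rate * (1 - self.error_ratio()))
        return super().allow(now_ms)

    def record(self, status):
        self.recent.append(status)


def simulate(limiter, interval_ms, n, status):
    """Send n requests `interval_ms` apart; every served request gets `status`.
    Returns how many the limiter let through (the rest would be 429s)."""
    served = 0
    for i in range(n):
        if limiter.allow(i * interval_ms):
            served += 1
            limiter.record(status)
    return served


if __name__ == "__main__":
    # Limit is 4 req/s with burst 4; each client sends exactly 4 req/s for 10 s.
    print("static, every answer 401 :", simulate(TokenBucket(4, 4), 250, 40, 401))
    print("dynamic, every answer 401:", simulate(AdaptiveLimiter(4, 4), 250, 40, 401))
    print("dynamic, every answer 200:", simulate(AdaptiveLimiter(4, 4), 250, 40, 200))
```

With these constructed numbers the static bucket serves all 40 guessing attempts because the attacker never exceeds 4 req/s; the adaptive limiter serves 13 of them and then holds the attacker at 1 req/s, while the consumer getting 200s is still served all 40. The error ratio is the simplest possible behaviour signal; a production implementation would also key on the authenticated identity rather than the address alone, since many attacks arrive inside authenticated sessions.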

I: Data security
Data security approaches aim to provide confidentiality, integrity, and authenticity of data, but 85% of organizations lack confidence that they know which APIs expose sensitive data (see the Q3 2021 State of API Security report). Use this API Security Checklist to reduce
exposures of sensitive data, which can lead to significant regulatory penalties, large-scale privacy impacts, and brand damage.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
J: Authentication and authorization
When considering API security best practices for authentication and authorization, remember that you must account for both user and machine identities. Externalize your access controls and identity stores wherever possible, which includes mediation mechanisms like
API gateways, user and machine identity stores, IAM solutions, key management services, public key infrastructure, and secrets management.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
J1 – Continuously authenticate and authorize API consumers
J2 – Avoid the use of API keys as a means of authentication
J3 – Use modern authorization protocols such as OAuth2 with security extensions
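An added example (not Salt Security's code) of J1 and J3 in one request pipeline: every request presents a bearer token that is authenticated (signature, algorithm, issuer, audience, expiry) and then authorized against both the operation's scope and the specific object being touched. The last check is what an API key (J2) cannot give you, since a key carries no subject, no expiry and no scopes. The signing key, issuer, audience, scopes and routes are constructed; tokens are HS256 JWTs built with the standard library so the example runs offline. In production the verification key would normally come from the provider's JWKS and the token would be asymmetrically signed, but the checks are the same.

```python
"""Per-request authentication and authorization with a bearer token (J1, J3).
Added example; key, issuer, audience, scopes and routes are constructed."""
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key-do-not-reuse"   # assumption: shared HS256 secret
ISSUER = "https://issuer.example"
AUDIENCE = "orders-api"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub, scope, ttl=300, now=None, key=KEY):
    """Issue a token the way the authorization server would (demo only)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "scope": scope,
              "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token, now=None, key=KEY):
    """Authenticate one request: signature, alg, issuer, audience, expiry.
    Returns the claims or raises ValueError.  Every request passes through
    here; there is no session that skips it (J1)."""
    now = int(time.time()) if now is None else now
    try:
        h, b, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(h))
    if header.get("alg") != "HS256":     # never let the token choose its own alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(b))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# Which scope each operation needs (constructed routing table).
REQUIRED_SCOPE = {
    ("GET", "orders"): "orders:read",
    ("DELETE", "orders"): "orders:write",
}


def authorize(claims, method, resource, owner_sub):
    """Authorize the specific object, not just the endpoint: the caller needs
    the operation's scope and must own the object unless it holds 'admin'.
    Skipping the ownership test is broken object level authorization."""
    scopes = set(claims.get("scope", "").split())
    needed = REQUIRED_SCOPE.get((method, resource))
    if needed is None:
        return False, "unknown operation"
    if needed not in scopes:
        return False, f"missing scope {needed}"
    if owner_sub != claims["sub"] and "admin" not in scopes:
        return False, "not the owner"
    return True, "ok"


def handle(token, method, resource, owner_sub, now=None):
    """The per-request pipeline: authenticate, then authorize, then serve."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as e:
        return 401, str(e)
    ok, why = authorize(claims, method, resource, owner_sub)
    return (200, "served") if ok else (403, why)


if __name__ == "__main__":
    t0 = int(time.time())
    tok = mint_token("alice", "orders:read", now=t0)
    print(handle(tok, "GET", "orders", "alice", now=t0 + 1))    # served
    print(handle(tok, "GET", "orders", "bob", now=t0 + 1))      # 403 not the owner
    print(handle(tok, "DELETE", "orders", "alice", now=t0 + 1)) # 403 missing scope
    print(handle(tok, "GET", "orders", "alice", now=t0 + 900))  # 401 expired
```

`authorize` is the step most often missing in real APIs: the token is valid and has the right scope, but nobody checks that `owner_sub` matches the caller. Externalizing token issuance and key management to an IAM or gateway, as the section above recommends, does not remove the need for this object-level check inside the API itself.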

K: Runtime protection
Any runtime protection you consider deploying should be dynamic and learn continuously. Use this API Security Checklist to enforce protections that identify misconfigurations in API infrastructure as well as behavior anomalies such as credential stuffing, brute forcing, or
scraping attempts.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
K1 – Enable threat protection features of your API gateways and APIM if available
K2 – Ensure that DoS and DDoS mitigation is part of your API protection approach
K3 – Go beyond traditional runtime controls that are dependent on rules, and make use of AI/ML and behavior analysis engines to detect API attacks
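The two behaviour anomalies K3 names, credential stuffing and enumeration or scraping, as an added example (not Salt Security's code) of detection logic run over API access logs. The point it makes for section L as well: the output is a handful of actionable findings per source, each carrying what the analyst needs (which identities were hit, which objects leaked), rather than the raw event stream. The log format (`ts ip method path status subject`, where `subject` is the authenticated principal or the username attempted on /login), the sample lines and the thresholds are all constructed.

```python
"""Behavioural detections over API access logs (K3) that emit actionable
findings rather than raw events (L3).  Added example; the log format, the
sample lines and the thresholds are constructed."""
import re
from collections import defaultdict

LOG = """\
1700000000 203.0.113.7 POST /login 401 alice
1700000001 203.0.113.7 POST /login 401 bob
1700000002 203.0.113.7 POST /login 401 carol
1700000003 203.0.113.7 POST /login 401 dave
1700000004 203.0.113.7 POST /login 401 erin
1700000005 203.0.113.7 POST /login 200 frank
1700000010 198.51.100.4 POST /login 401 alice
1700000020 198.51.100.4 POST /login 200 alice
1700000030 192.0.2.9 GET /users/1001 200 mallory
1700000031 192.0.2.9 GET /users/1002 403 mallory
1700000032 192.0.2.9 GET /users/1003 403 mallory
1700000033 192.0.2.9 GET /users/1004 403 mallory
1700000034 192.0.2.9 GET /users/1005 200 mallory
1700000035 192.0.2.9 GET /users/1006 403 mallory
1700000040 192.0.2.10 GET /users/2001 200 nadia
"""

LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, method, path, status, subject = m.groups()
            rows.append({"ts": int(ts), "ip": ip, "method": method,
                         "path": path, "status": int(status), "subject": subject})
    return rows


def detect_credential_stuffing(rows, window=60, min_users=5, min_fail_ratio=0.8):
    """One source trying many different usernames with mostly 401s inside a
    sliding window.  A user mistyping their own password trips neither
    threshold.  Emits at most one finding per source, with the accounts that
    did log in successfully, which is what the responder acts on."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["path"] == "/login" and r["method"] == "POST":
            by_ip[r["ip"]].append(r)
    findings = []
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {r["subject"] for r in win}
            fails = sum(1 for r in win if r["status"] == 401)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                best = {"type": "credential_stuffing", "ip": ip,
                        "distinct_users": len(users), "attempts": len(win),
                        "successes": [r["subject"] for r in win if r["status"] == 200]}
        if best:
            findings.append(best)
    return findings


def detect_object_enumeration(rows, min_objects=5, min_denied_ratio=0.5):
    """One principal walking many object ids on the same route with a high
    share of 403s: probing for broken object-level authorization.  Any 200s
    in the run are the objects that did leak."""
    by_key = defaultdict(list)
    for r in rows:
        m = re.match(r"^(/\w+)/(\d+)$", r["path"])
        if m:
            by_key[(r["subject"], m.group(1))].append((m.group(2), r["status"]))
    findings = []
    for (subject, route), hits in by_key.items():
        ids = {i for i, _ in hits}
        denied = sum(1 for _, s in hits if s == 403)
        if len(ids) >= min_objects and denied / len(hits) >= min_denied_ratio:
            findings.append({"type": "object_enumeration", "subject": subject,
                             "route": route, "objects": len(ids),
                             "leaked": sorted(i for i, s in hits if s == 200)})
    return findings


def run(log_text):
    rows = parse(log_text)
    return detect_credential_stuffing(rows) + detect_object_enumeration(rows)


if __name__ == "__main__":
    for f in run(LOG):
        print(f)
```

On the constructed sample this yields exactly two findings: the stuffing run from 203.0.113.7 (six usernames, one of which, `frank`, succeeded and needs a forced credential reset) and mallory's walk across six `/users/{id}` objects, two of which were served. The user at 198.51.100.4 who failed once and then logged in generates nothing, which is the burnout-avoidance point of L3.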

L: Security operations
SOC analysts must often depend on the application development and API project teams who best know the application architecture and logic of the APIs. Those details of application and business logic are critical in digital forensics and incident response. You will need to emphasize the people and process aspects of SecOps more than technology, and don't just approach the exercise as "get a feed into Splunk."

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
L1 – Account for the non-security and security personas involved in the complete API stack
L2 – Create API-centric incident response playbooks
L3 – Spare your SOC from burnout by surfacing actionable API events and not dumping data

M: API Security Incident Response


API security incident response refers to the processes and procedures for handling security incidents related to APIs. This includes identifying, containing, and eradicating threats, as well as recovering from attacks and learning from incidents to improve future security.

Best Practice | priority | non-security owner | security owner | target date | completed date | last reviewed | status
M1 – Establish a clear API specific security incident response plan.
M2 – Conduct regular training and drills to ensure your team is prepared to handle API security incidents.
M3 – Use post-incident analysis to identify root causes and improve your API security posture.
API Security Checklist Summary
Making your way through this entire API Security Checklist may feel overwhelming. Start by picking a few best practices areas as a starting point that are
most familiar. Expand over time and adopt additional best practices to avoid leaving gaps in your API security strategy. You can get more details on how to
implement these tactics in the Salt API Security Best Practices guide.

In many cases, purpose-built API security tooling can make it easier and more automatic to address the many elements of API security. Such platforms
support a range of capabilities throughout the API lifecycle and provide the necessary context to stop attacks and data exposures for your organization’s
unique API business logic.
