
Securing Your APIs This Holiday Season

By Brian Schwarz | December 04, 2020

It’s no surprise that, this year, e-commerce continues to grow as people increasingly rely on online shopping. In November, the U.S. Department of Commerce reported that e-commerce increased almost 37% in Q3 2020 compared to the previous year, and it’s safe to predict that we’ll see that growth continue to accelerate as the holiday shopping season kicks into high gear. As a result, we have already seen a rise in cyberattacks on the web infrastructure that supports these shopping habits, and we will likely continue to see them through the rest of 2020. In fact, Fortinet’s FortiGuard Labs has reported a steady increase in e-commerce attacks recently.

If you’re responsible for that infrastructure, you have two imperatives that don’t always play well together. The first imperative is to deliver the kind of dynamic and engaging shopping experience that gets buyers to purchase, and the second is to secure the rapidly changing web application that delivers that experience. And the attack surface of those applications isn’t what it used to be. Increasingly, those web applications expose APIs to the outside world so that your customers can purchase using mobile applications – HTML isn’t just being pushed out anymore.

Securing Your APIs 

Certainly, one way to secure these APIs is to implement rigorous coding standards. Sensitive data shouldn’t be made available to the client unnecessarily. Rate limits should be imposed to prevent abuse of the API for bulk data harvesting. The server should be doing the heavy lifting, so the API shouldn’t enable mobile clients to download data above and beyond what’s required. Only well-vetted authentication and encryption protocols should be used. And good coding practices, such as avoiding the issues outlined in the OWASP API Security Top 10 (the younger sibling of the more familiar OWASP Top 10), should be followed. But what if you’re not the developer, and your responsibility is securing the deployment of an application?

Your DevOps team may not be the best place to implement security controls for your API. Application developers are typically evaluated on feature delivery, uptime, and other metrics. Ideally, security is somewhere on their list, but in practice, consistently making security a top priority is a challenge, especially when a DevOps team may not have extensive cybersecurity skills. Even when a development team does focus on application security, having multiple application teams implement their own approaches to application security can leave your security team in the dark. Without a clear view of security events across all of your web applications, you are exposing your applications — and your organization — to unnecessary and serious risk. An external security control is critical to give you the control and visibility you need.

A Web Application Firewall With API Security Protects Organizations From Online Shopping Threats

For years, the industry has been deploying Web Application Firewalls (WAFs) to protect applications from common threats like SQL injection attacks and cross-site scripting. But as the digital attack surface continues to grow, organizations need to extend the WAF concept to encompass Web Application and API Protection (WAAP). What form should the API security take? Your solution needs to support the following basic API gateway capabilities:

  • Protection against automated attacks, including rate limiting to prevent abuse of your API for either credential abuse or bulk data harvesting
  • The ability to manage API keys that can enable access to specific APIs for your trusted business partners
  • The ability to implement a positive security model, validating user input against the developer’s own definitions, in OpenAPI or other formats
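
As an added illustration (not FortiWeb code and not part of the original article), the three capabilities listed above can be sketched as one gateway-side check in Python. The schema, API key, operation name and limits are constructed assumptions, and the validator covers only the few OpenAPI keywords this schema uses.

```python
import re
import time

# Constructed OpenAPI-style body schema for a hypothetical "POST /orders" operation.
ORDER_SCHEMA = {
    "type": "object", "required": ["sku", "quantity"], "additionalProperties": False,
    "properties": {
        "sku": {"type": "string", "pattern": r"^[A-Z0-9-]{4,16}$"},
        "quantity": {"type": "integer", "minimum": 1, "maximum": 20},
    },
}
API_KEYS = {"partner-key-1": {"POST /orders"}}  # constructed key -> granted operations
TYPES = {"object": dict, "string": str, "integer": int}

def violations(value, schema, path="body"):
    """Positive model: list every way `value` departs from `schema`."""
    if isinstance(value, bool) or not isinstance(value, TYPES[schema["type"]]):
        return [f"{path}: expected {schema['type']}"]
    out = []
    if schema["type"] == "object":
        props = schema.get("properties", {})
        out += [f"{path}.{k}: missing" for k in schema.get("required", []) if k not in value]
        for key, item in value.items():
            if key in props:
                out += violations(item, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties") is False:
                out.append(f"{path}.{key}: not in schema")
    elif schema["type"] == "string":
        # fullmatch is stricter than OpenAPI's search semantics; fine for anchored patterns
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            out.append(f"{path}: pattern mismatch")
    elif not schema.get("minimum", value) <= value <= schema.get("maximum", value):
        out.append(f"{path}: out of range")
    return out

class Gateway:
    def __init__(self, limit=3, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = {}  # API key -> timestamps of requests inside the window

    def check(self, api_key, operation, body):
        """Return (status, details) for one request: key, then rate, then schema."""
        if operation not in API_KEYS.get(api_key, ()):
            return 403, ["key unknown or not granted this operation"]
        now = self.clock()
        recent = self.hits[api_key] = [
            t for t in self.hits.get(api_key, []) if now - t < self.window]
        if len(recent) >= self.limit:
            return 429, ["rate limit exceeded"]
        recent.append(now)  # rejected bodies still count toward the limit
        errors = violations(body, ORDER_SCHEMA)
        return (400, errors) if errors else (200, [])
```

Because the request is counted before the body is validated, a client that keeps sending malformed input runs into the rate limit instead of probing the schema indefinitely.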

If you’re deploying APIs to support mobile e-commerce applications for your customers (or, really, for any other kind of application), adopt a WAF solution that includes API security. And if you’ve already deployed the API and do not yet have a security solution in place, it is not too late to implement one. A solution like FortiWeb Cloud—with its included API security module—can be easily deployed and managed within minutes, supporting organizations in either scenario.
