API Security Trends 2023

Key Takeaways

  • API attacks are rising, with Forrester naming API security a top CISO investment priority for 2023.

  • Common threats include API key exposure, broken access control, insufficient logging/monitoring, and security misconfigurations.

  • API keys are insecure and easily stolen; token-based authentication with an identity focus is the modern standard.

  • Authentication & authorization: Use OAuth with scopes/claims and a centralized OAuth server (not the API gateway) to issue tokens, avoiding ad hoc solutions.

  • Zero trust: Apply "trust no one" principles to APIs via robust authorization and centralized trust, since perimeter security can't adequately protect internal APIs.

  • Discovery, monitoring & auditing: Regular audits help catch shadow, zombie, or rogue APIs, and prevent misuse of internal APIs.

  • Proper token use: JWTs are good for internal use but should be replaced with opaque tokens for external/public clients (e.g., via phantom token or split token patterns); always validate incoming JWTs.

On this page

APIs continue to be one of the most productive drivers of digital transformation, allowing streamlined access to applications, integrations between different systems, and more efficient data exchange. However, with the broader use of APIs comes a bigger problem — the number of API attacks is rising yearly. Forrester's 2023 security and risk planning guide names API security as a top technology for CISOs to invest in this year.

Thus, the focus on API security is a must for every organization that wants to protect itself from unnecessary risks and the loss of data, money, and reputation. Here we briefly outline API security and why it is crucial for businesses. We'll also highlight four key API security trends you should focus on to ensure your organization is safe.

What Is API Security?

How you define API security may vary depending on your perspective. For us at Curity, it encompasses the practices, processes, and products used to ensure APIs are secure, data can be transferred safely, and malicious attacks are prevented. It's a must to keep APIs, and the data provided through them, safe and only available to the intended user.

Why Should API Security Be a Top Priority?

The importance of APIs is hard to overlook. APIs power the connectivity of the digital world, help businesses meet customer needs, and drive business opportunities. They accelerate innovation, enhance growth, and improve user experience. But APIs must be securely protected to ensure they bring benefits rather than vulnerabilities. Robust API security measures not only protect your systems but also ensure they are usable and scalable.

What Are the Common API Security Threats?

Implementing API security measures can be a cumbersome task. Where should one start? Since it's difficult to predict what exact vector will be leveraged by attackers, organizations should address the most common API security threats and make sure their systems have sufficient security measures against them.

So far, some of the most common security threats are the following:

  • Accidental API keys exposure leading to data leakages

  • Broken access control due to authentication and authorization flaws

  • Insufficient logging and monitoring allow malicious agents to find and abuse a breach

  • Security misconfiguration leading to the exposure of sensitive data

Identity Focus in APIs

Before we proceed to the specific recommendations on API security measures to implement in 2023, we must emphasize the importance of an identity focus in APIs. API security is not a new concept, and best practices have evolved away from relying on API keys.

Even though API keys are generally not considered secure, many organizations still rely on them for managing access control. But API keys are easy to steal, and they can't be used to identify precisely who is accessing an API. Reliance on API keys can expose large amounts of data, making entire systems insecure and prone to deep attacks.

Since modern APIs are becoming more evolved with critical functionality, they require a different approach. Token-based authentication is the norm, but too often, a significant concern is overlooked: identity. Knowing that most attacks are identity-driven, it is crucial to ensure that robust security mechanisms are in place.

type: embedded-entry-inline id: 184ROWdXTRObZ8gAdbGkpK

4 API Security Best Practices for 2023

1. Proper API Authentication and Authorization

Another challenge for API security is using insufficient authentication and authorization measures, resulting in third parties gaining unsanctioned access to APIs. To prevent this from occurring, organizations should construct an API security system that does not require custom codes or ad-hoc solutions but is based on established security standards. 

Robust authorization can be achieved by implementing a token-based approach using OAuth. For performing authorization checks, make sure to use scopes and claims. Another thing to consider is using a centralized OAuth server. Placing your APIs — both public and internal — behind a gateway will allow you to increase security. However, the API gateway itself should not issue tokens.

Instead, a central OAuth server should issue tokens since it implements many complex processes like client and user authentication, client authorization, token signing, and more. These procedures involve handling a lot of data and keys used to sign the issued credentials. Only the OAuth server should perform such tasks. Centralizing the management of credentials and token issuance will allow you to mitigate the risks associated with ad hoc solutions and patches.

2. Zero Trust for APIs 

These past years have shown that zero trust is here to stay — more and more organizations are adopting a "trust no one" principle within their systems. It is logical to apply this principle to APIs, especially since many APIs become the object of attack due to the inability of traditional perimeter security to control access to internal APIs. Implementing zero trust in APIs requires several considerations but can be boiled down to robust authorization and centralized trust.

3. API Discovery, Monitoring, and Auditing

Constant monitoring and auditing have been essential API security best practices for a while. And in 2023, the significance of these strategies will only increase. Frequent auditing can help discover shadow, zombie, and rogue APIs. It also can help prevent viable APIs from being used for purposes they are not intended for, such as internal APIs being integrated within external applications.

4. Proper Use of Tokens 

Proper usage of tokens is an essential element of an API security strategy. As in many other areas of software development, it's critical to refer to the knowledge and experience of others. Software development practices continually evolve, and leveraging proven frameworks and methodologies can significantly enhance efficiency and security.

Staying informed about the latest advancements ensures robust, scalable, and secure applications. Many outsourcing software companies offer valuable insights and services to help businesses implement best practices in their software projects. When dealing with tokens, try to follow best practices and cheat sheets, and don't incorporate new technology only because it's trending.

For instance, JSON Web Tokens (or JWTs) have become one of the most widely used formats for access tokens. And there is no wonder why — JWTs are easy to use and can be validated by the service itself. However, it is of utter importance to remember that JWTs should only be used internally.

Using JWTs as access and refresh tokens is considered good practice. But when they are exposed outside of your infrastructure to third-party clients, you should use opaque tokens instead of JWTs. Techniques like the phantom token or split token patterns can allow opaque tokens to be used externally and JWTs to be consumed by your services.

Some other token-handling best practices to follow are: 

  • Always verify incoming JWTs.

  • Create or reuse libraries for JWT validation.

  • Use opaque tokens for external or public clients.

Conclusion

2023 will be the year of API security, and it is up to organizations to decide what level of investment they will give it to protect their names. Robust API security will help organizations meet customer needs and drive new growth opportunities, ensuring businesses stay afloat and prosper no matter what the new year brings. Therefore, it is of utmost importance to ensure that your API security strategy isn't overlooked and is based on the aforementioned best practices.

Related resources

Frequently Asked Questions

How does API security relate to identity management?

A combination of API security and identity allows APIs to make correct access decisions. Secure identity management ensures that API interactions are authenticated and authorized, preventing unauthorized access to services and data.

How well does the Curity Identity Server handle advanced API security?

The Curity Identity Server provides strong support for advanced API security and is well-suited for complex, high-security environments. It supports hardened token strategies (JWT or opaque tokens), mutual TLS, certificate-constrained access tokens, and advanced client authentication methods. Fine-grained authorization can be implemented using scopes and claims, enabling precise access control across APIs.

What are claims and why are they important?

Claims carry identity and context information in a token, helping APIs make fine-grained authorization decisions.

Can you use one access token across multiple APIs?

Yes, if the APIs share a common audience or trust domain. However, using scopes and audience restrictions is important to control and limit access to the right resources.