Question: Are APIs securely designed, authenticated, and protected from abuse and excessive exposure?
Objective — Why This Matters
APIs extend business reach but also expose attack surfaces. Lack of authentication, rate limits, and input validation leads to data leakage and DoS risks.
Maturity Levels (0–5)
Level 0 – No auth or rate limiting on APIs.
Level 1 – Basic API keys; no input validation.
Level 2 – OAuth2 tokens and validation standards in place.
Level 3 – Central gateway handles auth, logging, and throttling.
Level 4 – Schema validation and threat protection policies applied.
Level 5 – Continuous discovery, runtime protection, and API behavior analytics.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Introduce API keys and basic authentication. |
| 1 → 2 | Move to OAuth2 and JWT-based auth. |
| 2 → 3 | Deploy API gateway (Kong, Tyk) for rate-limiting and logging. |
| 3 → 4 | Add schema validation (OpenAPI) and threat rules. |
| 4 → 5 | Implement runtime monitoring and anomaly detection. |
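The levels 1 to 4 in the table above are all policies a gateway enforces in front of the API: key authentication, per-consumer throttling, and request validation against a schema. The following added example (not code from this page, nor from Kong, Tyk or any other product named here) simulates that policy chain in plain Python over constructed sample requests, so the order of checks and the resulting status codes can be seen without deploying a gateway. The API keys, the order schema and the request list are all constructed for the example; a real gateway stores hashed keys and derives the schema from the OpenAPI document.

```python
"""Added example: a minimal gateway-style policy chain (API-key auth,
per-consumer rate limiting, schema validation) over constructed requests.
This is not Kong/Tyk code; those gateways provide the same checks as plugins."""
from dataclasses import dataclass, field

# Constructed sample credentials mapping key -> consumer name.
# A real gateway stores hashed keys and never logs them in plaintext.
VALID_KEYS = {"key-partner-a": "partner-a", "key-partner-b": "partner-b"}

# Assumed schema for POST /orders, the kind of constraint an OpenAPI
# document expresses (required fields, types, length and range bounds).
ORDER_SCHEMA = {
    "sku": {"type": str, "required": True, "max_len": 32},
    "qty": {"type": int, "required": True, "min": 1, "max": 1000},
    "note": {"type": str, "required": False, "max_len": 200},
}


@dataclass
class RateLimiter:
    """Fixed-window counter per consumer (a simplified 'local' policy)."""
    limit: int
    window_s: int = 60
    counts: dict = field(default_factory=dict)

    def allow(self, consumer: str, now: float) -> bool:
        window = int(now // self.window_s)
        key = (consumer, window)
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit


def validate_body(body: dict, schema: dict) -> list[str]:
    """Return a list of violations; an empty list means the body is valid.
    Unknown fields are rejected so that mass-assignment style extras
    (e.g. an unexpected 'admin' flag) never reach the backend."""
    errors = []
    for name, rule in schema.items():
        if name not in body:
            if rule["required"]:
                errors.append(f"missing field {name}")
            continue
        val = body[name]
        # bool is a subclass of int in Python, so reject it explicitly.
        if not isinstance(val, rule["type"]) or isinstance(val, bool):
            errors.append(f"{name}: wrong type")
            continue
        if "max_len" in rule and len(val) > rule["max_len"]:
            errors.append(f"{name}: too long")
        if "min" in rule and val < rule["min"]:
            errors.append(f"{name}: below minimum")
        if "max" in rule and val > rule["max"]:
            errors.append(f"{name}: above maximum")
    for name in body:
        if name not in schema:
            errors.append(f"unexpected field {name}")
    return errors


@dataclass
class Gateway:
    """Applies auth, then throttling, then validation, and counts what was
    blocked at each stage (the 'abuse attempts blocked' KPI)."""
    limiter: RateLimiter
    blocked: dict = field(default_factory=lambda: {"auth": 0, "rate": 0, "schema": 0})

    def handle(self, request: dict, now: float) -> tuple[int, str]:
        consumer = VALID_KEYS.get(request.get("headers", {}).get("X-API-Key"))
        if consumer is None:
            self.blocked["auth"] += 1
            return 401, "missing or unknown API key"
        if not self.limiter.allow(consumer, now):
            self.blocked["rate"] += 1
            return 429, "rate limit exceeded"
        errors = validate_body(request.get("body", {}), ORDER_SCHEMA)
        if errors:
            self.blocked["schema"] += 1
            return 400, "; ".join(errors)
        return 200, f"accepted order for {consumer}"


# Constructed request stream: two unauthenticated calls, two invalid bodies
# from partner-a, then seven valid calls from partner-b inside one window.
SAMPLE_REQUESTS = [
    ({"headers": {}, "body": {"sku": "A-1", "qty": 2}}, 0.0),
    ({"headers": {"X-API-Key": "bogus"}, "body": {"sku": "A-1", "qty": 2}}, 1.0),
    ({"headers": {"X-API-Key": "key-partner-a"}, "body": {"sku": "A-1", "qty": 0}}, 2.0),
    ({"headers": {"X-API-Key": "key-partner-a"},
      "body": {"sku": "A-1", "qty": 2, "admin": True}}, 3.0),
] + [({"headers": {"X-API-Key": "key-partner-b"}, "body": {"sku": "B-9", "qty": 1}}, 4.0 + i)
     for i in range(7)]


def run_demo(limit: int = 5) -> tuple[list[int], dict]:
    """Run the sample stream through a gateway with the given per-minute limit."""
    gw = Gateway(RateLimiter(limit=limit))
    statuses = [gw.handle(req, ts)[0] for req, ts in SAMPLE_REQUESTS]
    return statuses, gw.blocked


if __name__ == "__main__":
    statuses, blocked = run_demo()
    print(statuses)   # 401, 401, 400, 400, five 200s, then 429, 429
    print(blocked)    # {'auth': 2, 'rate': 2, 'schema': 2}
```

The check order matters: authentication runs first so that unauthenticated traffic never consumes a consumer's quota, and throttling runs before validation so that a flood of malformed requests is cut off by the limit rather than by repeated schema failures. The per-stage counters are the raw material for the "abuse attempts blocked per month" metric listed later on this page.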
People / Process / Technology Enablers
People – Developers, API Architect.
Process – API review checklist, lifecycle management.
Technology – Kong, Tyk, 42Crunch, OWASP APISec Checklist.
Evidence Required
Gateway configs, rate-limit rules, auth tokens policy.
Metrics / KPIs
• percentage of APIs covered by gateway policies
• number of abuse attempts blocked per month
• average response time under load
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Gateway | Kong OSS / Tyk Gateway | Central auth and rate limiting. |
| Testing | OWASP ZAP / Postman | Validate auth and input security. |
| Analytics | Grafana / Prometheus | Monitor API usage and anomalies. |
Common Pitfalls
Exposing internal APIs without auth; lack of quota control; no version management.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001 | A.8.9 / A.8.28. |
| NIST CSF 2.0 | PR.DS-3 / DE.CM-1. |
| CERT-In 2022 | API security requirement. |
| NIRMATA Scoring | AS-Q06 ≥ Level 4 requires gateway and validation controls. |