Deep dive on PCI DSS 4.0 API Security Requirements

API Security Best Practices

December 26, 2022
API Security Best Practices

Application Programming Interfaces (APIs) are the building blocks of modern-day applications. This software-to-software interface enables seamless collaboration and communication between applications and consumers. APIs power SaaS and cloud apps, mobile apps, micro-services, serverless functions, IoTs and even no-code frameworks.

Every organization is building more and more APIs to gain an edge in the already competitive marketplace. Unfortunately, on the flip side, APIs have become a lucrative target for malicious actors as they provide direct access to crown jewels in the organization – the application servers and the associated databases. APIs, by nature, expose application logic and sensitive data such as Personally Identifiable Information (PII), driven by the organization’s need to deliver better user experiences. Moreover, APIs start at the most untrusted and insecure places, i.e., users, and so the attractive targets for hackers. In fact, as per Gartner, APIs will be largest attack vector bypassing all other methods by 2022.

So, how can you secure your APIs?
 Most organizations have already deployed multiple layers of security solutions to secure the applications. However, they are unable to detect or prevent API attacks. It’s interesting to note that even the largest technology companies including top cloud-vendors like AWS, Azure, Google, Oracle, Twitter, Meta etc. are struggling with API attacks and have themselves suffered multiple API breaches. It’s not hard to imagine state of most other organizations who don’t have similar resources or technical manpower. This is because, most of the organizations leverage traditional security solutions like Static & Dynamic Application Security Testing (SAST/DAST) products, WAF, RASP, and API gateways that only focus on known attacks and have limited view of network sessions and don’t have complete visibility into production environments. On the other hand, API attacks are application specific and exploit flaws in business logic that require very deep understanding of application’s dataflow patterns that are blind spots of traditional security solutions.

Cognizant of these challenges, we have curated some security best practices that help you secure your APIs effectively:

API Security Best Practices

With organizations becoming digital entities, protecting businesses and applications, especially the foundational APIs, against business logic exploits, frauds, data-breaches are getting more important than ever. Here are some of the API security best practices that help address all these challenges:


1.  Authentication

Once a user or a program sends the request, the API must perform authentication to verify the identity before processing the request and giving required access. Generally, an API authentication comprises a password, multi-factor authentication or authentication tokens. Among various auth protocols, the OAuth protocol is the most sought-after standard for user authentication due to its unique security features.


OAuth allows users to login third-party applications without requiring the third-party service provider to store their passwords. It is built on HTTP, making it most suitable for REST APIs. OAuth empowers API admins with the right to grant access tokens to pre-approved third parties, without any need to expose user credentials. It also enables admins to establish custom access rules to accept the API requests.


Every API in the organization should be cross-checked for right authentication. All unauthenticated APIs should go through a multi-level review to make sure it’s not a mistake and is not leaking important data in the response.

2. Apply user throttling and rate limiting

User throttling enables an API to closely analyze every request it receives from a user or service. It is an effective measure against spamming, abuse, or DDoS attacks. To implement a throttle, you must be clear on how much data can be allowed per user as well as the limit after which no further calls are permitted.

On the other hand, rate limiting helps secure REST APIs against DoS and brute-force attacks. If required, Devs can set soft limits to allow more than the limited number of requests for a short time period. Such timeouts are quite a common security tactic as they can manage synchronous and asynchronous requests.

3. Prioritize API security testing

When creating an app development pipeline, consider API security testing as a key aspect, not an afterthought. Build your CI/CD progression and QA coverage with newly deployed or changed APIs in mind. Shift API security testing to the left, so that APIs are verified, monitored and secured from an early stage.

Unsecured APIs are basically semi-open doorways waiting to be breached for unauthorized access. Data loss usually translates to major losses in time, money, effort and market value for brands, so dev teams have plenty to lose if API testing doesn’t become a mainstay of all QA brainstorming sessions.

4. Consistently monitor API ecosystems

Most organizations building software applications end up with hundreds or thousands of APIs. Unfortunately, many of these are often not documented properly at the time of their creation, or even after. This hinders security teams from gaining complete visibility into the APIs, making it challenging to monitor or manage them, giving rise to Shadow and Zombie APIs.


To be secured against attacks, all APIs must be closely documented, tracked and managed at all times. The complete audit and log data of APIs should be available at all times to make it easy for troubleshooting in case of any issues.

Additionally, each API should be tracked across multiple layers of change, update and functional evolution. However, achieving this entire requirement is challenging for in-house teams without draining out massive time and money into building a suitable monitoring platform. It is much easier to do the same with a reliable, third-party security solution dedicated to APIs, such as AppSentinels.

5. Practice zero-trust and least privilege

The foundational security principles such as zero-trust and least privilege are proven ways to prevent internal data exposure to malicious actors.

Zero-trust principle ensures that any request for data access (by users, systems, devices or programs), whether coming from within or outside an organization’s network, be appropriately authenticated and continuously validated before granting the required access. No one is trusted enough for unrestricted access anymore. On the other hand, the principle of least privilege ensures that all authorized personnel and assets should be granted only the minimum access necessary to accomplish a particular function.

When applied to APIs, it would mean that every API access request should be verified and provided with bare minimum data needed to complete a task, and not a digit more.

6. Prioritized automation of API ecosystem

To establish a security approach aligned with the demands of API-first functioning, automation is mandatory. You need an automated API environment that facilitates low-hassle security-driven development.

A few pointers in this regard:

  • Define a process for API life-cycle. It’s ideal to have a separate API platform team that manages various aspects of APIs.
  • Start with correctly identifying how the current API ecosystem works within the company. How many APIs? What are their main functions? Which departments/verticals are most dependent on APIs?
  • Ensure seamless access management so that authorized users can register and start using APIs in minutes.
  • Start configuring a system for seamless API publishing that aligns with location-based regulations. For example, privacy laws in one country may require that all API data stays within the country. Several organizations are using automated tools that publish APIs so developers don’t have to. Such a tool can be shaped to publish country-specific APIs, as well as track metrics and monitor API performance.
  • Create simplified access paths to relevant API metrics. You should know how each API is being used, how many exist for each function, their quality ratings, the volume of API calls, and usage trends.

7. Shift Left, Shield Right

Once you have an automated ecosystem that helps analyze your API inventory, you can locate defects and remediate them before API publication. Consider implementing a shift-left policy that insists on greater emphasis on cybersecurity when APIs are being developed.


Use static analyses based on API contracts to verify that an API has been built following industry-specific best practices. Look for a DAST tool that supports API testing and provides coverage for OWASP API Top-10. The traditional DAST tools won’t qualify since they don’t understand the application behavior or context and are unable to find OWASP API Top-10 breaches. Integrate these tools into the CI/CD cycle.


However, even with the best shift-left practices, there will always be some vulnerabilities that hackers can potentially exploit. A shield-right approach comes into play here, enabling teams and enterprises to respond instantly to the first sign of unauthorized access or data breach.

Hence, for best results, companies must combine the approaches – shift left and shield right – to fortify APIs as much as humanly possible.

Achieve simplified, consistent API Security with AppSentinels

AppSentinels delivers far-reaching and real-time protection against unknown and known API attacks with multi-layer defense shield. Among its many security-focused features, a few standout ones are:

  • Run-time protection against business logic attacks via it’s various AI/ML models. These models build a deep understanding of the applicable behavior and monitor application usage, allowing detection and deflection of adversary activity. No more API blindspots.

  • Positive security enforcement by alerting on API’s not conforming to OpenAPI schema, eliminating shadow or zombie APIs.

  • Protection against known attacks via ng-WAF. Powered by industry-best Core Rule Set, the platform protects against common attack techniques like SQL-Injection, Cross-Site scripting (XSS), Command and File Injection, Server-Side Request Forgery etc.

  • Multiple checks on APIs to provide complete insight into possible misconfigurations and vulnerabilities. This checks for authentication mechanisms, token use, various header fields, cookies etc.


  • Protection against frauds and automated application misuse via APIs like protection for ATOs, credential stuffing, content scraping, carding attacks etc.

Leverage our AI Powered Multi-Layered Defense Shield to protect your APIs and applications against all unknown and known attacks. Our Intelligent Stateful API Test Platform shifts-left AI/ML learnings from the production environment to uncover business logic vulnerabilities in your application. The platform also provides SoC teams with all data required to defend against external attacks. It also delivers deep insights to developers to help them remediate security issues.

Leverage AppSentinels to Secure APIs Like Never Before!

Related Topics