2024API安全基本现状白皮书 英文版 .docxVIP

W

WHITE

PAPER

APISecurityFundamentals:

BuildYourKnowledge,SecuretheEnterprise

Introduction

APIshaveevolvedrapidlyfromanimplementationdetailtoastrategicenablerofdigitalinnovation.Everytimeacustomer,partner,orvendorengageswithabusinessdigitally,there’sanAPIbehindthescenesfacilitatingaseamlessdataexchange.

AsAPIsproliferate,sodotheirrisks.IntheracetoquicklycreateandreleasenewapplicationsandAI-enhancedservices,theunderlyingAPIsaretoooftenmisconfigured,lackinginsecuritycontrols,andvulnerabletoeasilyexecutedattacks.

Asaresult,APIshaveemergedasatopattackvector,leavingmanysecurityteamstoplaycatch-upwiththeirAPIsecuritystrategies.Therefore,APIsecurityisquicklyemergingasatopstrategicpriorityforITandsecurityexecutives.

Whetheryou’relookingtogroundyourselfinAPIsecuritybasicsorareassemblingalistoftherightquestionstoask,thisguideoffersthedetailsyouneedtoknow,including:

? ThedifferenttypesofAPIs

? WhatAPIsecuritymeansforbusinessestoday? BestpracticesforaddressingAPIsecurityrisks? CommonAPIattackandabusemethods

TogodirectlytoAPIsecuritybestpractices,youcanskipaheadtopage10.

|2

TableofContents

APIbasics 4–9

APIsecurityexplained 10–12

APIsecurityrisksandabuse 13–18

APIsecuritysolutionsandtrends 19–22

|3

APIbasics

WhatisawebAPI?

Awebapplicationprogramminginterface,orAPI,consistsofoneormoreendpointsofadefinedrequest–responsemessagesystem,typicallyexpressedinJSONorXML,whicharepubliclyexposedviatheweb—mostcommonlybymeansofanHTTP-basedwebserver.

Inotherwords,awebAPIiswhatmostpeoplethinkofwhentheyhear“API.”It’sacollectionofendpoints.Endpointsconsistofresourcepaths,theoperationsthatcanbeperformedontheseresources,andthedefinitionoftheresourcedata(inJSON,XML,Protobuf,oranotherforma