Introduction

APIs have evolved rapidly from an implementation detail to a strategic enabler of digital innovation. Every time a customer, partner, or vendor engages with a business digitally, there’s an API behind the scenes facilitating a seamless data exchange.

As APIs proliferate, so do their risks. In the race to quickly create and release new applications and AI-enhanced services, the underlying APIs are too often misconfigured, lacking in security controls, and vulnerable to easily executed attacks.

As a result, APIs have emerged as a top attack vector, leaving many security teams to play catch-up with their API security strategies. Therefore, API security is quickly emerging as a top strategic priority for IT and security executives.

Whether you’re looking to ground yourself in API security basics or are assembling a list of the right questions to ask, this guide offers the details you need to know, including:

• The different types of APIs
• What API security means for businesses today
• Best practices for addressing API security risks
• Common API attack and abuse methods

To go directly to API security best practices, you can skip ahead to page 10.

Table of Contents

API basics: 4–9
API security explained: 10–12
API security risks and abuse: 13–18
API security solutions and trends: 19–22

API basics

What is a web API?

A web application programming interface, or API, consists of one or more endpoints of a defined request–response message system, typically expressed in JSON or XML, which are publicly exposed via the web — most commonly by means of an HTTP-based web server.

In other words, a web API is what most people think of when they hear “API.” It’s a collection of endpoints. Endpoints consist of resource paths, the operations that can be performed on these resources, and the definition of the resource data (in JSON, XML, Protobuf, or another format).

Web APIs are different from other APIs, such as those exposed by the operating system or by libraries of applications running on the same machine, but the general term “API” usually refers to an HTTP-based (web) API, especially in the context of enterprise digital transformation and API security.

What are the most common types of APIs?

The following table contains terms that refer to different usage models and technical approaches for API implementations. Web APIs are defined as being based on HTTP, and the four main types of web APIs seen today are RESTful, SOAP, GraphQL, and gRPC. The table defines these common types, as well as others.

What is the difference between APIs and endpoints?

People often use “API” when they are really referring to a single API endpoint. APIs, sometimes called services or API products, are collections of endpoints that serve a business function. An individual endpoint, on the other hand, is a resource (or resource path, also known as a URI or uniform resource identifier) along with the operation performed on it (create, read, update, or delete). In RESTful APIs, operations are typically mapped to the HTTP methods (POST, GET, PUT, and DELETE).

What is a north-south API?

These are APIs that an organization leaves accessible to the outside world, primarily to conduct business with its business partners. This is called API exposure. For example:

• Banks embracing open banking may expose their data to other fintech or financial services organizations via APIs.
• Healthcare organizations may expose patient records to insurance companies and other medical organizations via APIs.
• Hospitality organizations may expose their reservation systems to travel agents or aggregators via APIs.

APIs are the connective tissue that allows disparate organizations to exchange data. North-south APIs are often considered safe because access is authorized and authenticated. Typically, this is the fastest-growing and largest volume of APIs, and consequently, it is the largest attack surface for most organizations.

What is an east-west API?

These are APIs that an organization uses internally and should not be accessible to anyone outside the business. These APIs connect internal applications or business units or departments. It is possible for a developer to make a mistake that makes east-west APIs accessible by accident. These APIs are not meant to be accessible or even known by external entities, but breaches do happen when threat actors find east-west APIs accessible via the internet.

What are the differences between B2C APIs and B2B APIs?

Business-to-consumer (B2C) APIs power web and mobile applications. They are typically consumed by modern front-end clients to allow authenticated end users access to the company’s business functionality.

Business-to-business (B2B) APIs are offered by the organization to other organizations to conduct business and sometimes to provide value to joint customers. B2B APIs help streamline how an enterprise works with its suppliers, resellers, and other partners and how it provides better experiences to its customers.

Examples of B2B APIs include:

Since the consumers of the APIs differ greatly, the s
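As an added illustration (not part of this guide), the following Python script inventories an API as a collection of endpoints, each a resource path plus an HTTP method as defined above, and flags east-west operations that a public gateway route would accidentally expose. The OpenAPI-style document, its x-exposure vendor extension and the route table are all constructed for the example.

```python
"""Inventory an API's endpoints from an OpenAPI-style document and flag
east-west (internal-only) operations that a public gateway route would expose.
Spec, ``x-exposure`` extension and route table are constructed for this example."""
import json
from dataclasses import dataclass

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

@dataclass(frozen=True)
class Endpoint:
    method: str    # the operation performed on the resource
    path: str      # the resource path (URI)
    exposure: str  # "north-south" (external) or "east-west" (internal only)

# Constructed OpenAPI-like document: one API made up of several endpoints.
SPEC_JSON = """{
  "paths": {
    "/orders":          {"get": {"x-exposure": "north-south"},
                         "post": {"x-exposure": "north-south"}},
    "/orders/{id}":     {"get": {"x-exposure": "north-south"},
                         "delete": {"x-exposure": "east-west"}},
    "/internal/ledger": {"get": {"x-exposure": "east-west"}},
    "/admin/users":     {"put": {"x-exposure": "east-west"}}
  }
}"""

# Constructed gateway route table: (listener, path prefix). Only routes on the
# "public" listener are reachable from the internet.
ROUTES = [
    ("public", "/orders"),
    ("public", "/admin"),       # accidental route that exposes an internal API
    ("internal", "/internal"),
]

def enumerate_endpoints(spec_json: str) -> list[Endpoint]:
    """Flatten the spec into endpoints: one per (method, path) pair.
    Operations without an x-exposure label are treated as east-west (fail closed)."""
    spec = json.loads(spec_json)
    return [Endpoint(method.upper(), path, op.get("x-exposure", "east-west"))
            for path, ops in spec["paths"].items()
            for method, op in ops.items() if method in HTTP_METHODS]

def find_exposed_east_west(spec_json: str, routes) -> list[str]:
    """Return 'METHOD path' for east-west endpoints matched by a public-listener route."""
    public_prefixes = [prefix for listener, prefix in routes if listener == "public"]
    return sorted(f"{ep.method} {ep.path}" for ep in enumerate_endpoints(spec_json)
                  if ep.exposure == "east-west"
                  and any(ep.path == p or ep.path.startswith(p + "/")
                          for p in public_prefixes))
```

Running the check against a real gateway configuration, rather than the constructed ROUTES here, is how a team catches an east-west endpoint before it is discovered from the internet.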