CIS API Security Guide v1.0.0

Published on April 8, 2025

Several trends in the web application industry are reshaping how software is built and exposed. The migration of existing services to the cloud (and the emergence of companies that are fully cloud-native), together with the move toward microservice architectures, has led to a dramatic increase in the number of Application Programming Interfaces (APIs) exposed over the internet.

Outsourcing service functions such as payment processing, identity management, and shipment and delivery to third parties means that highly valuable and confidential data is routinely sent over the network. Security and design flaws in the APIs that handle this data are leading to data breaches, and the damage is amplified by the fact that API calls can be scripted: once a weakness has been identified, the same request can be repeated automatically to exfiltrate data at scale.

While this situation is well understood, comprehensive resources for API security are still lacking. Many existing resources offer only general guidance or vague overviews of the threats and risks around APIs; they cannot be used by an organization that wishes to assess its own security posture for APIs, API development, monitoring, or related activities. With this in mind, FireTail approached the Center for Internet Security® (CIS®) with the idea of developing a CIS Benchmark® for API Security.

CIS has developed and published secure configuration guidance (i.e., Benchmarks) for a wide variety of technologies for many years. Benchmarks, however, target a specific technology or provider, whereas APIs are implemented across a diverse range of platforms and technologies. How can consistent security recommendations be ensured across such a diverse landscape?

The same challenge was previously encountered with supply chain security, which involves very similar considerations. The same approach was adopted here: rather than starting with a specific Benchmark, a more general API security guidance document is developed first to serve as the foundation for future platform-specific Benchmarks.

This guide covers the security aspects of each key stage of the API lifecycle, from design and development through deployment and operation to eventual decommissioning. The overall vision is to support emerging API security standards and best practices with recommendations that can be used to set and audit configurations across a wide range of API platforms and technologies.

By publishing the CIS API Security Guide, CIS and FireTail hope to catalyze a vibrant community of subject matter experts (SMEs) interested in developing the platform-specific Benchmark guidance to come. We call on SMEs who develop or work with APIs to contribute to this project for the benefit of the entire API security community. This guide will also be used to scope the creation of technology-specific API security Benchmarks.