
Understanding the NCSC’s New API Security Guidance

Legislative, regulatory, and advisory bodies the world over are waking up to the importance of API security. Most recently, the UK’s National Cyber Security Centre (NCSC) has published detailed guidance on best practices for building and maintaining secure APIs. In this blog, we’ll break down that guidance and explore how Wallarm’s platform can help you align with each one.

Inside the NCSC’s API Security Guidance

The NCSC outlines seven foundational pillars for API security, each addressing a specific set of risks that APIs face in today’s threat landscape. Let’s take a closer look:

Secure Development Practices

The NCSC champions embedding security by design, starting with thorough threat modelling. This means defining APIs using standard specifications (like OpenAPI), version controlling them, and developing them in secure environments. Crucially, testing should go beyond “happy path” scenarios to include negative and fuzz testing. Maintaining secure asset governance, such as through comprehensive API inventories, is also vital to prevent unmanaged or forgotten endpoints from becoming vulnerabilities.

Authentication and Authorization

Robust identity management is core to API protection. The NCSC advises against weak methods such as basic authentication or simple API keys and, instead, recommends token-based methods like OAuth 2.0 and OpenID Connect. Credentials should always be short-lived, stored securely, and resistant to replay attacks. Authorization logic, on…
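To make the "short-lived and replay-resistant" credential requirement from the authentication section concrete, here is an added example (not Wallarm's or the NCSC's code) of an HMAC-signed bearer token verifier that enforces a maximum lifetime and rejects any token whose unique `jti` has already been presented. The secret, the 300-second lifetime cap and the helper names are constructed for the demonstration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample; load from a secrets manager in practice
MAX_LIFETIME = 300                # seconds; cap on exp - iat, enforcing "short-lived"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, jti: str, now: int, ttl: int = 60) -> str:
    """Mint a minimal HS256-style token: base64(claims).base64(hmac)."""
    claims = {"sub": subject, "iat": now, "exp": now + ttl, "jti": jti}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class ReplayCache:
    """Remembers each jti until its exp passes, so a captured token cannot be presented twice."""
    def __init__(self):
        self.seen = {}

    def check_and_record(self, jti: str, exp: int, now: int) -> bool:
        self.seen = {k: v for k, v in self.seen.items() if v > now}  # evict expired entries
        if jti in self.seen:
            return False
        self.seen[jti] = exp
        return True


def verify_token(token: str, cache: ReplayCache, now: int):
    """Return (ok, subject_or_reason); check signature before trusting any claim."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return False, "bad-signature"
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return False, "expired"
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        return False, "lifetime-too-long"
    if not cache.check_and_record(claims["jti"], claims["exp"], now):
        return False, "replayed"
    return True, claims["sub"]
```

The replay cache lives in memory here; a multi-instance deployment would back it with a shared store keyed on `jti` with a TTL equal to the token lifetime.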

