As external APIs grow in popularity and endpoints proliferate online, security has become a hot topic in the API scene. But it’s one that’s not easily addressed.
Defining the scope of “API security” and working out which attack surfaces and vectors are relevant can be a challenge, as API requests and responses often traverse every part of a given architecture.
Ultimately, security is a form of risk management, and that discipline offers a large body of relevant thinking to draw on.
Enter the Swiss Cheese Model.
Originally used to study accident causation in engineering, healthcare and aviation, it is now increasingly referenced in an IT security context as a way of visualising a “defence in depth” approach: each layer of defence has holes, and a threat only gets through when the holes in successive layers line up. It fits APIs well, and the vivid image helps the concept stick with a wide audience.
In this recording of his live session at the apidays interface 2023 event, Terem’s Principal for APIs and Product Engineering Leon Andrews introduces a new and accessible way of thinking about API security, using the Swiss Cheese Model to illustrate the layers of defence that API transactions traverse.
By showing how API security can be thought of in terms of sometimes-penetrable layers, Leon shines a light on how complex API security concepts can be broken down into more manageable and understandable parts.
After discussing the layers themselves, Leon demonstrates how three common API attacks can be prevented by allowing each layer to play its own part in the process.
The video ends with a run-through of learnings, showing why letting each layer do no more and no less than the job it was intended to do is the best approach to take.
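To make the Swiss Cheese idea concrete, here is a small Python illustration of an API request passing through independent layers of defence. This is an added example, not code from the talk or from Terem; the layers (transport, authentication, rate limiting, input validation, authorization), the sample tokens and the order records are all assumptions chosen for illustration. Each layer answers one question only and knows nothing about the others. Disabling a layer models a hole in one slice of cheese: a request that one layer would have blocked only gets through when no other layer happens to cover the same gap.

```python
"""Layered (Swiss-cheese style) checks on an inbound API request.

Added example, not from the original page. Each layer answers exactly one
question and returns None (pass) or a reason string (block). A request
reaches the handler only if every layer lets it through.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    scheme: str            # "https" or "http"
    method: str            # "GET", "PUT", ...
    path: str              # e.g. "/orders/o-1"
    token: Optional[str]   # bearer token, if any
    client_ip: str
    body: dict = field(default_factory=dict)


@dataclass
class Context:
    user: Optional[str] = None   # filled in by the authentication layer


# Constructed sample data for the example (assumptions, not from the page).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {"o-1": "alice", "o-2": "bob"}

Layer = Callable[[Request, Context], Optional[str]]


def transport(req: Request, ctx: Context) -> Optional[str]:
    # Only question: is the request on an encrypted channel?
    return None if req.scheme == "https" else "transport: plaintext refused"


def authn(req: Request, ctx: Context) -> Optional[str]:
    # Only question: who is calling? Records the identity for later layers.
    user = TOKENS.get(req.token or "")
    if user is None:
        return "authn: missing or unknown token"
    ctx.user = user
    return None


def make_rate_limit(limit: int) -> Layer:
    # Only question: is this client sending too many requests?
    hits: dict[str, int] = {}

    def rate_limit(req: Request, ctx: Context) -> Optional[str]:
        hits[req.client_ip] = hits.get(req.client_ip, 0) + 1
        return None if hits[req.client_ip] <= limit else "rate: limit exceeded"

    return rate_limit


def validate(req: Request, ctx: Context) -> Optional[str]:
    # Only question: is the payload well formed? Knows nothing about ownership.
    if req.method == "PUT":
        qty = req.body.get("quantity")
        if not isinstance(qty, int) or not 1 <= qty <= 100:
            return "validate: quantity must be an int in 1..100"
    return None


def authz(req: Request, ctx: Context) -> Optional[str]:
    # Only question: may this identity act on this object?
    owner = ORDERS.get(req.path.rsplit("/", 1)[-1])
    if owner is None:
        return "authz: no such order"
    return None if owner == ctx.user else "authz: caller does not own this order"


class Gateway:
    def __init__(self, disabled: tuple[str, ...] = ()):
        all_layers: list[Layer] = [transport, authn, make_rate_limit(3), validate, authz]
        # A disabled layer models a hole in one slice of the cheese.
        self.layers = [layer for layer in all_layers if layer.__name__ not in disabled]

    def handle(self, req: Request) -> tuple[bool, str]:
        ctx = Context()
        for layer in self.layers:
            reason = layer(req, ctx)
            if reason is not None:
                return False, reason
        return True, f"ok: {ctx.user} -> {req.method} {req.path}"


if __name__ == "__main__":
    # Bob tries to read Alice's order: blocked by the authorization layer alone.
    bob_reads_alice = Request("https", "GET", "/orders/o-1", "tok-bob", "10.0.0.2")
    print(Gateway().handle(bob_reads_alice))
    # With that one layer missing, the holes line up and the request succeeds.
    print(Gateway(disabled=("authz",)).handle(bob_reads_alice))
```

Two things the run shows: the cross-tenant read is stopped by one layer only, so a hole in that slice is all an attacker needs; and a malformed payload that the validation layer would reject sails through when validation is disabled, because the authorization layer is doing its own job and nobody else's. That is the talk's lesson in code: every layer has to do its own work, because no other layer will do it for it.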