Understanding the NCSC’s New API Security Guidance
Legislative, regulatory, and advisory bodies the world over are waking up to the importance of API security. Most recently, the UK's National Cyber Security Centre (NCSC) has published detailed guidance on best practices for building and maintaining secure APIs. In this blog, we'll break down that guidance pillar by pillar and explore how Wallarm's platform can help you align with each of them.
Inside the NCSC’s API Security Guidance
The NCSC outlines seven foundational pillars for API security, each addressing a specific set of risks that APIs face in today's threat landscape. Let's take a closer look:
Secure Development Practices
The NCSC champions embedding security by design, starting with thorough threat modelling. This means defining APIs using standard specifications (like OpenAPI), version controlling them, and developing them in secure environments. Crucially, testing should go beyond “happy path” scenarios to include negative and fuzz testing. Maintaining secure asset governance, such as through comprehensive API inventories, is also vital to prevent unmanaged or forgotten endpoints from becoming vulnerabilities.
Authentication and Authorization
Robust identity management is core to API protection. The NCSC advises against weak methods such as basic authentication or simple API keys and, instead, recommends token-based methods like OAuth 2.0 and OpenID Connect. Credentials should always be short-lived, stored securely, and resistant to replay attacks. Authorization logic, on the other hand, must strictly adhere to the principle of least privilege, default to denying access, and revalidate permissions with every request.
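The properties listed above (short-lived credentials, replay resistance, least privilege, deny by default, revalidation on every request) are easier to reason about in code than in prose. The following is an added example written for this article, not code from the NCSC guidance or from Wallarm. It uses a hypothetical HMAC-signed token purely to illustrate those properties; in production the tokens would come from an OAuth 2.0 / OpenID Connect authorization server. The signing key, roles, routes and the single-use `jti` replay cache are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical HMAC key for this illustration only. A real deployment would obtain
# tokens from an OAuth 2.0 / OpenID Connect authorization server and rotate keys.
SIGNING_KEY = b"illustration-only-key"
TOKEN_LIFETIME_SECONDS = 300  # short-lived: five minutes, then re-issue

# Constructed least-privilege table: role -> explicitly granted (method, path) pairs.
# Anything absent from this table is denied; there is no wildcard role.
PERMISSIONS = {
    "reader": {("GET", "/orders")},
    "clerk": {("GET", "/orders"), ("POST", "/orders")},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, role, jti, now=None):
    """Mint a signed, short-lived token. jti is a unique ID used to detect replay."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "role": role, "jti": jti,
              "iat": now, "exp": now + TOKEN_LIFETIME_SECONDS}
    body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(sig)


class ReplayCache:
    """Remembers each jti until its token expires, so a captured token cannot be reused."""

    def __init__(self):
        self._seen = {}  # jti -> exp

    def first_use(self, jti, exp, now):
        self._seen = {j: e for j, e in self._seen.items() if e > now}  # drop expired
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def verify_token(token, now=None):
    """Return the claims of a correctly signed, unexpired token, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # tampered or forged
        claims = json.loads(b64url_decode(body))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired (or never valid)
    return claims


def authorize(claims, method, path):
    """Default deny: only a (method, path) explicitly granted to the caller's role passes."""
    return (method, path) in PERMISSIONS.get(claims.get("role"), set())


def handle_request(token, method, path, replay_cache, now=None):
    """Authentication and authorization are re-evaluated on every request. Returns an HTTP status."""
    now = time.time() if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        return 401
    if not replay_cache.first_use(claims.get("jti"), claims["exp"], now):
        return 401  # replayed
    if not authorize(claims, method, path):
        return 403
    return 200
```

Note that the permission check runs on every call rather than once at login, and that the replay cache is keyed on the token ID, not the subject, so a legitimate user is not locked out by an attacker replaying an old capture.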
Data in Transit Protection
All API communications must be encrypted using up-to-date TLS configurations. For private or highly sensitive APIs, the NCSC recommends Mutual TLS (mTLS) to enforce two-way authentication. Common pitfalls to avoid include using outdated TLS versions and weak cipher suites.
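The pitfalls named above are configuration choices, so they are best shown as a weak configuration beside a hardened one. This is an added example written for this article, not code from the NCSC or Wallarm. It uses Python's standard `ssl` module to build a server-side context that refuses TLS 1.0/1.1, restricts TLS 1.2 to forward-secret AEAD cipher suites and requires a client certificate (mTLS), then audits both contexts with the same checks. Certificate and CA paths are optional parameters so the code runs without files; the cipher string and the audit rules are assumptions made for the illustration.

```python
import ssl


def hardened_server_context(cert_file=None, key_file=None, ca_file=None, require_client_cert=True):
    """Server context: TLS 1.2 or newer, forward-secret AEAD ciphers, mTLS enforced."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0 and 1.1 handshakes are refused
    ctx.options |= ssl.OP_NO_COMPRESSION           # no TLS-level compression
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    # TLS 1.2 suites limited to ephemeral (EC)DHE key exchange with AEAD ciphers.
    # TLS 1.3 suites are always forward secret and are not affected by set_ciphers().
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED  # mTLS: the client must present a valid certificate
    if ca_file:  # CA bundle that client certificates are validated against (assumed path)
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:  # server certificate and private key (assumed paths)
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def weak_server_context():
    """What an unreviewed deployment often looks like: no client authentication,
    every cipher the library offers, and the minimum version left at its default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL")
    return ctx  # verify_mode stays CERT_NONE


def has_forward_secrecy(cipher):
    """TLS 1.3 suites always use ephemeral keys; for TLS 1.2 the name must start with (EC)DHE."""
    return cipher["protocol"] == "TLSv1.3" or cipher["name"].startswith(("ECDHE", "DHE"))


def audit_context(ctx, mtls_expected=True):
    """Return a list of findings; an empty list means the context passes every check."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if mtls_expected and ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificates not required (no mTLS)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    weak = sorted(c["name"] for c in ctx.get_ciphers() if not has_forward_secrecy(c))
    if weak:
        findings.append("ciphers without forward secrecy: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()))
    print("weak:", audit_context(weak_server_context()))
```

On a typical OpenSSL build the weak context is also reported for static-RSA key exchange suites such as `AES128-GCM-SHA256`, which offer no forward secrecy; the exact list depends on the library version, which is why the audit derives it from `get_ciphers()` rather than from a hard-coded table.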
Input Validation
Preventing injection attacks and logic flaws relies on validating inputs at multiple layers, from the user interface right through to the backend. This requires both syntactic (format-based) and semantic (contextual) checks. The NCSC encourages using schemas, allow lists, and centralized validation libraries to minimize the risk of inconsistent or incomplete validation.
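To make the syntactic/semantic split concrete, here is an added example written for this article (not code from the NCSC or Wallarm) for a hypothetical `POST /transfers` body. The schema is an allow list: unknown fields are rejected, formats are checked with anchored patterns, and only well-formed input reaches the semantic layer, which knows who the caller is and what the business limits are. The field names, patterns, currency list and transfer limit are all constructed for the illustration.

```python
import re
from decimal import Decimal

# Constructed schema for a hypothetical POST /transfers body. It is an allow list:
# fields not listed here are rejected, and values must fully match their pattern.
# Patterns deliberately omit "$" because in Python "$" also matches before a trailing
# newline; fullmatch() is used instead so "ACC-00000001\n" is rejected.
TRANSFER_SCHEMA = {
    "from_account": {"type": str, "pattern": re.compile(r"ACC-\d{8}")},
    "to_account":   {"type": str, "pattern": re.compile(r"ACC-\d{8}")},
    "amount":       {"type": str, "pattern": re.compile(r"\d{1,9}(\.\d{2})?")},
    "currency":     {"type": str, "allowed": {"GBP", "EUR", "USD"}},
    "reference":    {"type": str, "pattern": re.compile(r"[A-Za-z0-9 ]{0,35}")},
}
REQUIRED = {"from_account", "to_account", "amount", "currency"}
MAX_AMOUNT = Decimal("10000.00")  # assumed per-transfer business limit


def syntactic_checks(body):
    """Layer 1: shape and format. Context-free and entirely schema-driven."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []
    for field in sorted(body.keys() - TRANSFER_SCHEMA.keys()):
        errors.append(f"unexpected field: {field}")
    for field in sorted(REQUIRED - body.keys()):
        errors.append(f"missing field: {field}")
    for field, rule in TRANSFER_SCHEMA.items():
        if field not in body:
            continue
        value = body[field]
        if not isinstance(value, rule["type"]):
            errors.append(f"{field}: wrong type")
            continue
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{field}: bad format")
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{field}: not in allow list")
    return errors


def semantic_checks(body, caller_accounts):
    """Layer 2: meaning in context. Needs the caller's identity and business rules."""
    errors = []
    if body["from_account"] not in caller_accounts:
        errors.append("from_account: not owned by caller")  # object-level authorization
    if body["from_account"] == body["to_account"]:
        errors.append("to_account: must differ from from_account")
    amount = Decimal(body["amount"])  # safe: the format was already checked
    if amount <= 0:
        errors.append("amount: must be positive")
    elif amount > MAX_AMOUNT:
        errors.append("amount: exceeds per-transfer limit")
    return errors


def validate_transfer(body, caller_accounts):
    """Run the cheap syntactic layer first; semantic checks only see well-formed input."""
    errors = syntactic_checks(body)
    if errors:
        return errors
    return semantic_checks(body, caller_accounts)
```

Keeping the two layers in separate functions is what lets the syntactic layer be generated from the OpenAPI schema and reused at the gateway, while the semantic layer stays with the service that owns the data.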
DoS Attack Mitigation
APIs need strong protection against high-volume and resource-exhaustion attacks. The NCSC suggests implementing throttling and rate-limiting to manage load and identify anomalies. Comprehensive logs are also essential to track spikes, helping differentiate between legitimate traffic surges and malicious abuse.
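Request counts alone miss resource-exhaustion attacks, where a handful of expensive calls does more damage than a flood of cheap ones. The following is an added example written for this article, not code from the NCSC or Wallarm: a per-client token bucket in which each endpoint has a cost, so a client's budget is drained faster by heavy operations, plus a rejection counter that surfaces clients worth alerting on. The endpoint costs, bucket size and alert threshold are assumptions; the clock is injected so the behaviour is deterministic.

```python
import math
from collections import defaultdict

# Constructed endpoint costs: heavy operations consume more of a client's budget,
# so a few expensive calls cannot starve the backend while staying under a raw request count.
ENDPOINT_COST = {("GET", "/orders"): 1, ("POST", "/search"): 10, ("POST", "/export"): 25}
DEFAULT_COST = 1


class TokenBucket:
    """Classic token bucket: refills continuously, allows bursts up to capacity."""

    def __init__(self, capacity, refill_per_second):
        self.capacity = capacity
        self.refill = refill_per_second
        self.tokens = float(capacity)
        self.updated = None

    def take(self, cost, now):
        if self.updated is None:
            self.updated = now
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.refill)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """One bucket per client key (API key, subject or source IP), plus rejection counts
    so that persistent abusers can be distinguished from a client that bursts once."""

    def __init__(self, capacity=60, refill_per_second=1.0, alert_after=20):
        self.refill = refill_per_second
        self.buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_second))
        self.rejections = defaultdict(int)
        self.alert_after = alert_after

    def check(self, client, method, path, now):
        """Return (http_status, retry_after_seconds) for this request."""
        cost = ENDPOINT_COST.get((method, path), DEFAULT_COST)
        bucket = self.buckets[client]
        if bucket.take(cost, now):
            return 200, 0
        self.rejections[client] += 1
        deficit = cost - bucket.tokens
        return 429, math.ceil(deficit / self.refill)  # honest Retry-After value

    def anomalous_clients(self):
        """Clients whose rejection count crossed the alert threshold: candidates for blocking."""
        return sorted(c for c, n in self.rejections.items() if n >= self.alert_after)
```

In a multi-instance deployment the bucket state would live in a shared store rather than in process memory, but the accounting is the same; the point of the example is that cost-based limiting and the rejection counter together answer both questions in the paragraph above (manage load, identify anomalies).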
Logging and Monitoring
Organizations must log key events, such as failed logins or permission changes, and continuously monitor for real-time anomalies like sudden traffic spikes or brute-force attempts. These logs must not include any sensitive data, and they must be managed centrally so that incident response can move quickly.
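Two of the requirements above pull in opposite directions: the log must be rich enough to detect brute force, yet must never contain credentials. The following is an added example written for this article, not code from the NCSC or Wallarm. It produces structured JSON log lines with sensitive headers and recognisable secrets redacted before anything is written, and runs a sliding-window brute-force detector over those lines. The event names, redaction patterns, thresholds and sample log entries are constructed for the illustration.

```python
import json
import re
from collections import defaultdict, deque

# Keys whose values are never written, regardless of content (case-insensitive).
SENSITIVE_KEYS = {"authorization", "cookie", "set-cookie", "password", "token", "api_key"}
# Secrets that tend to leak inside free-text fields (illustrative patterns, not exhaustive).
BEARER_RE = re.compile(r"Bearer\s+[A-Za-z0-9._~+/-]+=*")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # crude primary-account-number shape


def redact(value):
    """Recursively scrub sensitive keys and known secret shapes from a log record."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        value = BEARER_RE.sub("Bearer [REDACTED]", value)
        value = CARD_RE.sub("[REDACTED-PAN]", value)
    return value


def build_event(event, ts, client_ip, **fields):
    """Build the redacted record. Event names are fixed strings so detection can key on them."""
    return redact({"ts": ts, "event": event, "client_ip": client_ip, **fields})


def log_event(event, ts, client_ip, **fields):
    """One JSON line, ready for a central collector."""
    return json.dumps(build_event(event, ts, client_ip, **fields), sort_keys=True)


class BruteForceDetector:
    """Alert when one source produces at least `threshold` auth failures within `window` seconds."""

    def __init__(self, threshold=5, window=60):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # client_ip -> timestamps of recent failures

    def ingest(self, line):
        rec = json.loads(line)
        if rec.get("event") != "auth.failure":
            return None
        recent = self.failures[rec["client_ip"]]
        recent.append(rec["ts"])
        while recent and rec["ts"] - recent[0] > self.window:
            recent.popleft()  # slide the window
        if len(recent) >= self.threshold:
            return {"alert": "possible brute force", "client_ip": rec["client_ip"],
                    "failures": len(recent), "window_seconds": self.window}
        return None


if __name__ == "__main__":
    detector = BruteForceDetector(threshold=3, window=60)
    # Constructed sample: three failed logins from one address inside a minute.
    for ts in (0, 10, 20):
        line = log_event("auth.failure", ts, "198.51.100.7", user="admin",
                         headers={"Authorization": "Bearer eyJhbGciOi.x.y"})
        print(line)
        print(detector.ingest(line))
```

Redaction happens at record construction, not at the collector, so a log line that escapes to a local file or a crash dump is already clean; the detector needs only the event name, the timestamp and the source, none of which are sensitive.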
Limiting Exposure
Excessive endpoint exposure significantly increases attack surfaces. The NCSC advises decommissioning unused endpoints, locking down privileged routes, and blocking known malicious IP addresses. Ideally, APIs should only be exposed to trusted users or communities. Moreover, the NCSC recommends using API gateways to enforce consistent access controls and integrate with broader infrastructure defenses like Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS).
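The inventory point under Secure Development Practices and the decommissioning point here come down to the same reconciliation: what the specification says exists versus what the traffic actually hits. The following is an added example written for this article, not code from the NCSC or Wallarm. It takes a constructed OpenAPI path list and a constructed access-log sample and reports shadow endpoints (called but undocumented, including probes for routes that do not exist) and zombie operations (documented but never called, so candidates for decommissioning). The spec, the log format and the paths are assumptions made for the illustration.

```python
import re
from collections import Counter

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed OpenAPI document (paths only) for a hypothetical orders service.
OPENAPI = {
    "paths": {
        "/orders": {"get": {}, "post": {}},
        "/orders/{orderId}": {"get": {}, "delete": {}},
        "/reports/daily": {"get": {}},  # documented, but nobody calls it any more
    }
}

# Constructed access-log sample in the form "METHOD PATH STATUS".
ACCESS_LOG = """\
GET /orders 200
POST /orders 201
GET /orders/1234 200
DELETE /orders/1234 204
GET /admin/debug 200
GET /admin/debug 200
GET /v1/orders 200
GET /orders/1234/notes 404
"""


def compile_spec(spec):
    """Turn each OpenAPI operation into (METHOD, compiled path regex, template)."""
    routes = []
    for template, item in spec["paths"].items():
        parts = []
        for segment in template.split("/"):
            if segment.startswith("{") and segment.endswith("}"):
                parts.append("[^/]+")  # a path parameter matches exactly one segment
            else:
                parts.append(re.escape(segment))
        pattern = re.compile("/".join(parts))
        for method in item:
            if method.lower() in HTTP_METHODS:  # skip "parameters" and other non-operation keys
                routes.append((method.upper(), pattern, template))
    return routes


def match_route(routes, method, path):
    """Return the spec template an observed request maps to, or None if undocumented."""
    for route_method, pattern, template in routes:
        if route_method == method and pattern.fullmatch(path):
            return template
    return None


def reconcile(spec, access_log):
    """Return (shadow, zombie): observed calls not in the spec with their counts,
    and spec operations that were never observed."""
    routes = compile_spec(spec)
    shadow = Counter()
    seen = set()
    for line in access_log.splitlines():
        method, path, _status = line.split()
        template = match_route(routes, method, path)
        if template is None:
            shadow[(method, path)] += 1
        else:
            seen.add((method, template))
    zombie = sorted((m, t) for m, _, t in routes if (m, t) not in seen)
    return dict(shadow), zombie


if __name__ == "__main__":
    shadow, zombie = reconcile(OPENAPI, ACCESS_LOG)
    print("shadow endpoints:", shadow)
    print("zombie operations:", zombie)
```

Run continuously against real gateway logs, the shadow list is the input to "lock down privileged routes" (here `/admin/debug`) and the zombie list is the input to "decommission unused endpoints"; a gateway that enforces the spec would turn every shadow hit into a rejection.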
How Wallarm’s Solutions Can Help
| NCSC Guidance Area | Wallarm Capability |
| --- | --- |
| Secure Development Practices | API Discovery and Inventory: Automatically detects and catalogs all internal and external APIs, including shadow, rogue, zombie, and deprecated endpoints. API Security Testing in CI/CD: Integrates with DevOps pipelines to perform pre-production scanning and misconfiguration detection. Security Control Testing: Verifies that deployed protections actually block attacks. |
| Authentication and Authorization | Authentication Vulnerability Detection: Identifies endpoints missing authentication or authorization layers. API Specification Enforcement and BOLA Protection: Ensures endpoints accept only spec-conforming traffic and mitigates insecure object reference attacks. API Abuse and Credential Stuffing Detection: Detects token replay, brute-force, and unauthorized access attempts. |
| Data in Transit Protection | Integration with TLS/mTLS Deployments: Processes encrypted traffic inline or out-of-band, so private APIs can keep TLS or mTLS in place without the protocol downgrades or weak cipher suites that traffic inspection can otherwise force. |
| Input Validation | Deep Syntax Parsing and Attack Detection: Inspects payloads for SQLi, XSS, RCE, and path traversal at every level of the request. Specification Enforcement: Blocks requests or responses that deviate from OpenAPI/GraphQL schemas. GraphQL Protections: Prevents nesting abuse, batching abuse, and excessive data exposure. |
| DoS Mitigation | L7 DDoS Protection and Rate Limiting: Detects and throttles layer-7 floods and applies configurable rate limits. Behavioral Detection: Identifies resource exhaustion and bot-driven DoS through anomaly correlation. |
| Logging and Monitoring | Complete Observability and Alerting: Logs request-level metadata, redacts sensitive content, and supports session reconstruction and real-time anomaly alerts. SIEM Integrations: Pushes metadata to external systems such as Splunk, PagerDuty, and Slack. |
| Limiting Exposure | Attack Surface Management: Discovers endpoints automatically and flags unused or deprecated ones. API Specification Enforcement: Rejects requests to routes not defined in the spec. Gateway/WAF Integration: Runs inline with API gateways and WAFs to enforce controls and block malicious IPs. Bot/Malicious IP Blocking: Detects and blocks scrapers, bots, and known malicious sources. |
Find Out More About How Wallarm Can Help
The NCSC’s guidance offers a practical, well-rounded framework for securing APIs in today’s threat landscape. But translating these principles into practice requires visibility, automation, and proactive defense. Wallarm makes that possible, combining continuous API discovery, runtime protection, and security testing in one unified platform. To see how it works in your environment, book a demo today.