
Top 8 API Security Tools

1. NGINX App Protect
   "The policies are flexible based on the technologies you use. We were looking for a product that is capable of complete automation and a container-based solution. It's working."
2. Wallarm NG WAF
   "Helps us to monitor the situation in regards to attacks on our sites and prevents a lot of them."
3. Salt Security API Protection Platform
4. Noname Platform
5. 42Crunch API Security Platform
6. Imvision
7. CloudVector
8. Data Theorem API Secure

Advice From The Community

Read answers to top API Security questions.
Evgeny Belenky
Hi community, which techniques and tools do you use to protect your APIs?
Markus Müller (APIIDA)

Hi Evgeny, 

It depends on what type of API we are talking about. Kong was already mentioned, but there are multiple others as well. One of the best Open Source packages for API management available right now is Gravitee.io. We are both Gravitee and Kong partners, so feel free to reach out if you have any questions. 

Usually, you move authentication from your upstream APIs to an API gateway. 

Additionally, you can do schema validation, so that the requests that arrive at your backend have been checked for validity. For some extra security, you can sanitize inputs or scan for known injection vectors. 

You can read more about API security in our blog: The Ultimate Guide to API Security - APIIDA

Hope this helps!
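
The gateway-side checks described in the answer above (schema validation of the request, then a scan for known injection vectors, before anything is forwarded to the backend), as an added Python example. This is not Kong's or Gravitee's code and not part of the answer. The sample schema for a hypothetical POST /users endpoint, the small schema subset handled (type/required/properties/maxLength/pattern/enum) and the marker regexes are assumptions made for the example; a real gateway would use a full JSON Schema or OpenAPI validator.

```python
"""Gateway-side request checks: JSON schema validation plus a simple
injection-vector scan, run before a request is forwarded upstream.

Added example; not Kong's or Gravitee's code. The schema subset handled
(type/required/properties/maxLength/pattern/enum) and the marker regexes
are assumptions chosen to keep the example dependency-free.
"""
import json
import re

# Constructed sample schema for a hypothetical POST /users endpoint.
USER_SCHEMA = {
    "type": "object",
    "required": ["username", "email", "role"],
    "properties": {
        "username": {"type": "string", "maxLength": 32, "pattern": r"^[a-z0-9_]+$"},
        "email": {"type": "string", "maxLength": 254, "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
        "role": {"type": "string", "enum": ["viewer", "editor"]},
        "age": {"type": "integer"},
    },
}

# Heuristic markers for common injection payloads (illustrative only, not a WAF).
INJECTION_MARKERS = [
    re.compile(r"""(?i)['"]\s*(or|and)\s+[\w'"]+\s*=\s*[\w'"]+"""),  # ' OR 1=1
    re.compile(r"(?i);\s*(drop|delete|insert|update)\s"),             # stacked query
    re.compile(r"(?i)<\s*script\b"),                                    # reflected XSS
    re.compile(r"\$\{.*\}"),                                            # template / JNDI lookup
]

_JSON_TYPES = {"string": str, "integer": int, "number": (int, float),
               "boolean": bool, "object": dict, "array": list}


def _check_type(value, expected):
    if expected in ("integer", "number") and isinstance(value, bool):
        return False  # bool is an int subclass in Python; JSON keeps them apart
    return isinstance(value, _JSON_TYPES[expected])


def validate(schema, data, path="$"):
    """Return a list of error strings; an empty list means the data is valid."""
    errors = []
    if "type" in schema and not _check_type(data, schema["type"]):
        return [f"{path}: expected {schema['type']}"]
    if schema.get("type") == "object":
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in data:
                errors.append(f"{path}.{key}: required")
        for key, sub in props.items():
            if key in data:
                errors += validate(sub, data[key], f"{path}.{key}")
        for key in data:
            if key not in props:
                errors.append(f"{path}.{key}: unexpected field")
    if isinstance(data, str):
        if "maxLength" in schema and len(data) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']}")
        if "pattern" in schema and not re.search(schema["pattern"], data):
            errors.append(f"{path}: does not match pattern")
        if "enum" in schema and data not in schema["enum"]:
            errors.append(f"{path}: not one of {schema['enum']}")
    return errors


def scan_for_injection(data, path="$"):
    """Walk every string in the payload and flag the ones matching a known marker."""
    hits = []
    if isinstance(data, str):
        for marker in INJECTION_MARKERS:
            if marker.search(data):
                hits.append(f"{path}: matches {marker.pattern!r}")
    elif isinstance(data, dict):
        for key, value in data.items():
            hits += scan_for_injection(value, f"{path}.{key}")
    elif isinstance(data, list):
        for i, value in enumerate(data):
            hits += scan_for_injection(value, f"{path}[{i}]")
    return hits


def gateway_filter(raw_body: bytes, schema=USER_SCHEMA):
    """Decide whether a request body may be forwarded upstream.
    Returns (status_code, reasons): 200 means forward, 400 means reject."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, ["body is not valid JSON"]
    problems = validate(schema, body) + scan_for_injection(body)
    return (200, []) if not problems else (400, problems)
```

The schema check rejects anything the backend never agreed to accept (unknown fields, wrong types, over-long strings), which removes most injection payloads before the marker scan even runs; the scan is a second, coarser net and is deliberately not the primary control.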

ASHOK YADAV
Real User

1. For authentication and authorization we can secure our API using plugins on KONG: the OpenID Connect and Application Registration plugins. OpenID Connect can be integrated with the IDP provider MS Azure AD.

2. JWT plugin provided in KONG can also be used for authorization purposes.

All these are JWT-based mechanisms. 
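
What a gateway JWT plugin does with a bearer token before the request reaches the upstream API (signature check with a pinned algorithm, issuer, audience and expiry checks, then authorization on a claim), as an added Python example. It is not the KONG JWT or OpenID Connect plugin and not part of the answer. It uses HS256 with a shared secret so that it runs offline; tokens issued by an IdP such as Azure AD are RS256-signed and must be verified against the IdP's published JWKS keys instead. The issuer, audience, secret and the space-separated "scope" claim are assumptions made for the example.

```python
"""Verifying a bearer JWT the way a gateway plugin does before a request
reaches the upstream API, then authorising on a claim.

Added example; not the KONG JWT plugin. HS256 with a shared secret is used
so the example runs offline (assumption); an IdP such as Azure AD issues
RS256 tokens that must be verified against its JWKS public keys instead.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret"       # constructed; never hard-code in real code
ISSUER = "https://idp.example.com/"      # assumption
AUDIENCE = "orders-api"                  # assumption


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT (stands in for the IdP in this example)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenError(Exception):
    pass


def verify_token(token: str, secret: bytes = SECRET, now: float = None) -> dict:
    """Return the claims if the token is acceptable, else raise TokenError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm: never trust 'alg' from the header (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    return claims


def authorize(token: str, required_scope: str, now: float = None) -> tuple:
    """Gateway decision: (status, detail). 200 = forward, 401/403 = reject."""
    try:
        claims = verify_token(token, now=now)
    except TokenError as err:
        return 401, str(err)
    scopes = claims.get("scope", "").split()
    if required_scope not in scopes:
        return 403, f"missing scope {required_scope}"
    return 200, claims.get("sub", "")
```

The order of checks matters: the signature is verified before any claim is trusted, and the algorithm is fixed by the gateway rather than read from the token, which is the difference between a JWT plugin and a JWT parser.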

Faustine Chisasa
Real User

The principle is to consider every aspect of the API's use and then evaluate any loopholes for security breaches. So one can consider the following:

Securing the connection by always using the strongest, latest updated versions of conveniently available connection-securing mechanisms like HTTPS.

Adding an additional layer of security by hashing sensitive data like passwords, using strong hashing algorithms.

Validating any input parameter by using strong validation checks and rejecting requests if validation fails. It is practical to send specific error messages as a response.

Considering the use of secure authentication and authorization frameworks instead of basic authentication, and always storing sensitive data in a secure framework.

It is also important not to expose information on URLs.
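
The password-hashing point in the answer above, carried through as an added Python example that is not part of the answer: a salted, deliberately slow hash, a constant-time check, and a rehash-on-login when a stored record was made with a weaker work factor than current policy. PBKDF2-HMAC-SHA256 from the standard library is used so it runs anywhere; the iteration count and the "$pbkdf2-sha256$iterations$salt$digest" record layout are assumptions (Argon2id or scrypt are preferable where a library is available).

```python
"""Storing and checking passwords with a salted, slow hash instead of a bare
SHA-256 or plaintext.

Added example, not from the original answer. The work factor and the record
layout '$pbkdf2-sha256$iterations$salt$digest' are assumptions.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000      # assumption: a current work factor for PBKDF2-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm, work factor, salt, digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        _, algo, iters, salt_b64, digest_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        stored = base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def needs_rehash(record: str, minimum: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than current policy."""
    parts = record.split("$")
    return len(parts) != 5 or parts[1] != "pbkdf2-sha256" or int(parts[2]) < minimum


def login(password: str, record: str):
    """Check the password; on success return an upgraded record if one is due.
    Returns (ok, new_record_or_None)."""
    if not verify_password(password, record):
        return False, None
    return True, (hash_password(password) if needs_rehash(record) else None)
```

Keeping the algorithm and work factor inside the record is what makes the later upgrade possible without a forced password reset: the old parameters are still there to verify the login, and the new record is written only after the password has been proven correct.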

reviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)
Real User

We have so far looked at leveraging OWASP ZAP to perform DAST on the APIs. As long as the APIs use the OpenAPI framework, we are able to do this easily for different authentication methods and get reports for different thresholds. So far this has sufficed for our needs.

Commercial products might offer far greater checks, something we might look at in the near future.
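
Before pointing a DAST tool such as OWASP ZAP at an OpenAPI-described API, it helps to enumerate every operation and the authentication it declares, so the scan can be configured once per auth method and any unauthenticated operation is reviewed deliberately. The following is an added Python example, not part of ZAP or of the reviewer's setup; the OpenAPI document is constructed inline for a hypothetical orders API, and the list of intentionally public paths is an assumption.

```python
"""Enumerate operations in an OpenAPI 3 document with their effective security
requirements, flag unauthenticated ones, and group operations by security
scheme so a DAST run can be repeated per credential type.

Added example; not part of OWASP ZAP. SAMPLE_SPEC is constructed inline and
the default allow_anonymous list is an assumption.
"""
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed OpenAPI 3 document for a hypothetical orders API.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "bearer": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
        "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    }},
    "security": [{"bearer": []}],                              # document-wide default
    "paths": {
        "/health": {"get": {"security": []}},                   # explicitly public
        "/orders": {
            "get": {},                                          # inherits the default
            "post": {"security": [{"bearer": ["orders:write"]}]},
        },
        "/orders/{id}": {
            "delete": {"security": [{"apiKey": []}, {"bearer": ["orders:admin"]}]},
        },
        "/internal/debug": {"get": {"security": []}},           # public, but should it be?
    },
}


def list_operations(spec):
    """Yield (METHOD, path, effective_security) for every operation."""
    default = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or op is None:
                continue
            # An operation-level 'security' replaces the top-level one entirely;
            # an empty list means the operation is intentionally unauthenticated.
            yield method.upper(), path, op.get("security", default)


def unauthenticated_operations(spec, allow_anonymous=("/health",)):
    """Operations reachable with no security scheme, minus the known-public paths."""
    return sorted(
        f"{method} {path}"
        for method, path, sec in list_operations(spec)
        if not sec and path not in allow_anonymous
    )


def auth_methods_to_scan(spec):
    """Map each declared security scheme to the operations it protects, and
    report schemes that are referenced but never defined."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    coverage = {name: [] for name in schemes}
    undefined = []
    for method, path, sec in list_operations(spec):
        for requirement in sec:
            for name in requirement:
                if name in coverage:
                    coverage[name].append(f"{method} {path}")
                else:
                    undefined.append(f"{name} referenced by {method} {path} but not defined")
    return coverage, undefined
```

Each key in the returned coverage map corresponds to one credential the scanner has to be given (a bearer token, an API key), and the unauthenticated list is the set of operations the scan should also exercise with no credential at all, since those are the ones that can be reached by anyone.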