NIST Draft API Security Rules For Businesses

NIST has released new draft guidelines for API security. These rules aim to help businesses protect their web applications from online threats.

The National Institute of Standards and Technology (NIST) has published a draft of Special Publication (SP) 800-228A, offering guidelines for the secure deployment of RESTful web APIs. This document, now open for public comment, addresses the security vulnerabilities inherent in these widely used interfaces, analyzing threats across both pre-runtime and runtime phases.

The draft outlines a framework for implementing controls to mitigate the identified threats. NIST is soliciting feedback on the publication; comments and questions should be sent to the contact address listed in the draft.

RESTful APIs, described as the most prevalent type, leverage standard HTTP protocols and operate within a stateless architectural framework. They manage and exchange data as "resources," forming a critical communication bridge for modern web applications. Their simplicity, broad browser compatibility, developer tool ecosystem, and efficient caching mechanisms, while advantageous, also create avenues for exploitation.


A note within the draft specifies a call for patent claims, a detail also present in previous iterations of related publications.

The draft SP 800-228A is the latest in NIST's ongoing work to provide guidance on cybersecurity. While not explicitly stated as mandatory, NIST frameworks, such as SP 800-228, often inform compliance requirements and best practices within organizations. Discussions around SP 800-228, for instance, have touched upon the necessity of clear API specifications and maintaining visibility into an organization's API inventory.

Other NIST publications, like those detailing Digital Identity Guidelines (SP 800-63A, B, C) and continuous monitoring practices (SP 800-137), underscore NIST's broad engagement with cybersecurity across various technological domains. Best practices for API security often include elements such as API gateway implementation for centralized traffic management and robust authentication mechanisms.
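The two preceding paragraphs single out clear API specifications and visibility into the API inventory as recurring themes. The script below is an added example of what such a visibility check can look like in practice; it is not code from NIST or from SP 800-228A. It assumes a documented inventory expressed as method and path-template pairs (the shape an OpenAPI document reduces to) and a gateway access log in the common log format; both the spec and the log lines are constructed for this illustration. It reports endpoints that receive traffic but are absent from the specification (so-called shadow APIs) and documented endpoints that see no traffic, which are both useful signals for the pre-runtime review the draft describes.

```python
"""Reconcile a documented API inventory against observed gateway traffic.

Added example, not taken from NIST SP 800-228A. The spec entries, log
format and paths are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed stand-in for an OpenAPI-style inventory: (method, path template).
DOCUMENTED_SPEC = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/users"),
    ("GET", "/api/v1/orders/{orderId}"),
    ("DELETE", "/api/v1/orders/{orderId}"),
}

# Constructed gateway access-log lines in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "POST /api/v1/users HTTP/1.1" 201 88
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /api/v1/orders/7?expand=1 HTTP/1.1" 200 940
10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /api/internal/debug HTTP/1.1" 200 3001
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "PUT /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:06 +0000] "GET /api/v1/users/42/export HTTP/1.1" 200 12000
"""

# Extracts the request line: method, path (with any query string), protocol.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def template_to_regex(template):
    """Compile '/api/v1/users/{id}' so that each {param} matches exactly one path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


COMPILED = {(m, p): template_to_regex(p) for m, p in DOCUMENTED_SPEC}


def parse_requests(log_text):
    """Return (method, path) pairs from access-log lines, dropping query strings."""
    requests = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue  # skip lines that are not request records
        path = match.group("path").split("?", 1)[0]
        requests.append((match.group("method"), path))
    return requests


def classify(method, path):
    """Return the documented template that covers this request, or None if undocumented."""
    for (spec_method, template), regex in COMPILED.items():
        if spec_method == method and regex.match(path):
            return template
    return None


def reconcile(log_text):
    """Split observed traffic into undocumented (shadow) endpoints and list unused spec entries."""
    seen_templates = set()
    shadow = defaultdict(int)
    for method, path in parse_requests(log_text):
        template = classify(method, path)
        if template is None:
            shadow[(method, path)] += 1
        else:
            seen_templates.add((method, template))
    unused = DOCUMENTED_SPEC - seen_templates
    return {"shadow": dict(shadow), "unused": unused}


if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG)
    for (method, path), count in sorted(report["shadow"].items()):
        print(f"undocumented: {method} {path} ({count} requests)")
    for method, template in sorted(report["unused"]):
        print(f"documented but unused: {method} {template}")
```

On the constructed log the check flags three undocumented requests (a debug endpoint, a PUT on a resource that only documents GET, and a sub-resource not in the spec) and one documented DELETE that never appears in traffic. Matching one path segment per template parameter is deliberate: a looser wildcard would let `/users/42/export` pass as `/users/{id}` and hide exactly the kind of endpoint an inventory review is meant to surface.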


Frequently Asked Questions

Q: What has NIST released regarding API security?
NIST has released a draft of Special Publication 800-228A, which offers new guidelines for making RESTful web APIs more secure. This is important for businesses that use these APIs to connect their applications.

Q: Why are these NIST API security guidelines important for businesses?
RESTful APIs are used by most modern web applications, but they can have security problems. These guidelines help businesses understand and fix potential threats that could affect their data and services.

Q: What is the next step for the NIST API security guidelines?
The draft is now open for public comments until a set deadline. Businesses and experts can send their feedback and questions to NIST to help improve the final version of the guidelines.

Q: How do these NIST guidelines help protect web applications?
The guidelines provide a framework for businesses to put controls in place to reduce security risks. They cover threats that arise before an API is deployed and while it is running, helping to keep applications safe.