A pragmatic approach to secure API development begins at the root of the journey: design. API design should dictate the architectural choices that in turn drive the API service implementation.
What is an API Mediation Layer?
An API mediation layer is an intermediary API layer which sits between your API consumers and your internal APIs. This mediation layer allows you to define which APIs are exposed (in the form of an outer API) and customise these for different sets of API consumers.
How an API Mediation Layer Can Improve Security
Without an API mediation layer, which is often implemented with an API gateway, your REST API endpoints are exposed directly to potentially malicious interactions by threat actors.
An API mediation layer will allow you to simplify your security configuration as your security policies can be configured in one location and applied to all your outer APIs.
Given many larger enterprises are still burdened by legacy systems that host API functionality, an API mediation layer can also act as a partial risk mitigation control to apply modern security defences to those systems.
Whether your API systems are modern or dated, the API mediation layer can provide security to the following areas of your application:
Mapping to authentication and authorisation controls
Sanitising responses for redundant or confidential information
Translating HTTP data between different data interchange formats
Mapping custom legacy protocols to RESTful equivalents
Mapping parameters from internal APIs to external APIs (e.g. headers, URLs, and POST data parameters)
Translating a SOAP service into a RESTful API contract
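As an added example (not code from the original article), the following minimal mediation layer in Python applies three of the controls listed above in one place: a single authorisation check on every outer API, mapping of outer parameters onto an internal contract, and allowlist sanitisation of the backend response. The token table, field names and the legacy backend are constructed for the example.

```python
"""Minimal API mediation layer: one policy point between outer API consumers
and an internal (legacy) backend. Constructed example; names are illustrative."""
from dataclasses import dataclass, field

# Constructed token table for the example (a real layer would call an IdP).
TOKENS = {"tok-reader": {"scopes": {"customer:read"}},
          "tok-noscope": {"scopes": set()}}
# Response allowlist: only these internal fields ever leave the outer API.
ALLOWED_FIELDS = {"id", "name", "email"}

@dataclass
class OuterRequest:
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)

def authorize(req, required_scope):
    """Single authentication/authorisation check applied to every outer API."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    token = TOKENS.get(auth[len("Bearer "):])
    if token is None:
        return 401
    if required_scope not in token["scopes"]:
        return 403
    return 200

def map_request(req):
    """Translate outer parameter names to the legacy backend's contract."""
    return {"cust_id": req.params["customerId"], "fmt": "json"}

def legacy_backend(internal_req):
    """Constructed stand-in for an internal API that over-shares fields."""
    return {"id": internal_req["cust_id"], "name": "A. Example",
            "email": "a@example.test", "ssn": "000-00-0000",
            "db_row": 4711, "debug": "sql=SELECT * FROM cust"}

def sanitise_response(body):
    """Drop anything not explicitly allowed, whether redundant or confidential."""
    return {k: v for k, v in body.items() if k in ALLOWED_FIELDS}

def mediate(req):
    """Outer API entry point: authorise, map, call backend, sanitise."""
    status = authorize(req, "customer:read")
    if status != 200:
        return status, {"error": "unauthorized" if status == 401 else "forbidden"}
    return 200, sanitise_response(legacy_backend(map_request(req)))
```

Because the allowlist and the scope check live only in the mediation layer, a backend that later adds another over-shared field or drops its own checks does not change what the outer API exposes.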
In particular, where APIs are being developed to interface with several backend applications and services, the design of the API mediation layer should be driven by the systems, data and actions that the API exposes.