{"id":7919,"date":"2025-07-10T07:39:24","date_gmt":"2025-07-10T07:39:24","guid":{"rendered":"http:\/\/localhost\/?p=7919"},"modified":"2025-07-10T07:39:24","modified_gmt":"2025-07-10T07:39:24","slug":"understanding-the-ncscs-new-api-security-guidance","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=7919","title":{"rendered":"Understanding the NCSC\u2019s New API Security Guidance"},"content":{"rendered":"<h2>Security Update News<\/h2>\n<h3>Update Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">Understanding the NCSC\u2019s New API Security Guidance<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Update ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">WALLARMLAB:115616431306DBE4BE7F09E57B7F28A7<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">wallarmlab<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-10T11:00:00<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Last Updated<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-10T11:00:00<\/td>\n<\/tr>\n<\/table>\n<h3>Security Impact<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #666666; font-weight: bold;\">NONE<\/td>\n<\/tr>\n<\/table>\n<h3>Update Details<\/h3>\n<div style=\"; padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\nLegislative, regulatory, and 
advisory bodies the world over are waking up to the importance of API security. Most recently, the UK\u2019s National Cyber Security Centre (NCSC) has published detailed guidance on best practices for building and maintaining secure APIs. In this blog, we\u2019ll break down that guidance and explore how Wallarm\u2019s platform can help you align with each of its recommendations. <\/p>\n<h3>Inside the NCSC\u2019s API Security Guidance<\/h3>\n<p>The NCSC outlines seven foundational pillars for API security, each addressing a specific set of risks that APIs face in today\u2019s threat landscape. Let\u2019s take a closer look: <\/p>\n<h4>Secure Development Practices<\/h4>\n<p>The NCSC champions embedding security by design, starting with thorough threat modelling. This means defining APIs using standard specifications (such as OpenAPI), version-controlling them, and developing them in secure environments. Crucially, testing should go beyond \u201chappy path\u201d scenarios to include negative and fuzz testing. Maintaining secure asset governance, such as through comprehensive API inventories, is also vital to prevent unmanaged or forgotten endpoints from becoming vulnerabilities. <\/p>\n<h4>Authentication and Authorization<\/h4>\n<p>Robust identity management is core to API protection. The NCSC advises against weak methods such as basic authentication or simple API keys and instead recommends token-based methods like OAuth 2.0 and OpenID Connect. Credentials should always be short-lived, stored securely, and resistant to replay attacks. Authorization logic, on the other hand, must strictly adhere to the principle of least privilege, default to denying access, and revalidate permissions with every request. <\/p>\n<h4>Data in Transit Protection<\/h4>\n<p>All API communications must be encrypted using up-to-date TLS configurations. For private or highly sensitive APIs, the NCSC recommends mutual TLS (mTLS) to enforce two-way authentication. 
Common pitfalls to avoid include using outdated TLS versions and weak cipher suites. <\/p>\n<h4>Input Validation<\/h4>\n<p>Preventing injection attacks and logic flaws relies on validating inputs at multiple layers, from the user interface right through to the backend. This requires both syntactic (format-based) and semantic (contextual) checks. The NCSC encourages using schemas, allow lists, and centralized validation libraries to minimize the risk of inconsistent or incomplete validation. <\/p>\n<h4>DoS Attack Mitigation<\/h4>\n<p>APIs need strong protection against high-volume and resource-exhaustion attacks. The NCSC suggests implementing throttling and rate limiting to manage load and identify anomalies. Comprehensive logs are also essential to track spikes, helping differentiate between legitimate traffic surges and malicious abuse.<\/p>\n<h4>Logging and Monitoring<\/h4>\n<p>Organizations must log key events, such as failed logins or permission changes, and continuously monitor for real-time anomalies like sudden traffic spikes or brute-force attempts. These logs must not include any sensitive data and must be managed centrally to facilitate swift incident response. <\/p>\n<h4>Limiting Exposure<\/h4>\n<p>Excessive endpoint exposure significantly increases the attack surface. The NCSC advises decommissioning unused endpoints, locking down privileged routes, and blocking known malicious IP addresses. Ideally, APIs should only be exposed to trusted users or communities. Moreover, the NCSC recommends using API gateways to enforce consistent access controls and integrate with broader infrastructure defenses like Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS). 
<\/p>\n<h3>How Wallarm\u2019s Solutions Can Help<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">NCSC Guidance Area<\/th>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Wallarm Capability<\/th>\n<\/tr>\n<tr>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>Secure Development Practices<\/strong><\/td>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>API Discovery and Inventory:<\/strong> Automatically detects and catalogs all internal and external APIs, including shadow, rogue, zombie, and deprecated endpoints. <strong>API Security Testing in CI\/CD:<\/strong> Integrated with DevOps pipelines to perform pre-production scanning and misconfiguration detection. <strong>Security Control Testing:<\/strong> Verifies that deployed protections effectively block attacks.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>Authentication and Authorization<\/strong><\/td>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>Authentication Vulnerability Detection:<\/strong> Identifies endpoints missing authentication or authorization layers. <strong>API Specification Enforcement and BOLA Protection:<\/strong> Ensures endpoints accept only spec-conforming traffic and mitigates insecure object reference attacks. <strong>API Abuse and Credential Stuffing Detection:<\/strong> Detects token replay, brute-force, and unauthorized access attempts.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>Data in Transit Protection<\/strong><\/td>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>Integration with TLS\/mTLS Deployments:<\/strong> Wallarm processes encrypted traffic inline or out-of-band, compatible with private APIs deploying TLS or mTLS safeguards, preventing downgrade attacks or weak cipher usage.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>Input Validation<\/strong><\/td>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>Deep Syntax Parsing and Attack Detection:<\/strong> Inspects payloads for SQLi, XSS, RCE, and path traversal at all request levels. <strong>Specification Enforcement:<\/strong> Blocks requests or responses that deviate from OpenAPI\/GraphQL schemas. <strong>GraphQL Protections:<\/strong> Prevents nesting abuse, batching, and excessive data exposure.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>DoS Mitigation<\/strong><\/td>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>L7 DDoS Protection and Rate Limiting:<\/strong> Detects and throttles layer-7 floods and implements configurable rate limits. <strong>Behavioral Detection:<\/strong> Identifies resource exhaustion and bot-driven DoS through anomaly correlation.<\/td>\n<\/tr>\n
<tr>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>Logging and Monitoring<\/strong><\/td>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>Complete Observability and Alerting:<\/strong> Logs request-level metadata, redacts sensitive content, and supports session reconstruction and real-time anomaly alerts. <strong>SIEM Integrations:<\/strong> Pushes metadata to external systems like Splunk, PagerDuty, and Slack.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>Limiting Exposure<\/strong><\/td>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><strong>Attack Surface Management:<\/strong> Discovers endpoints automatically and flags unused or deprecated ones. <strong>API Specification Enforcement:<\/strong> Rejects unauthorized routes not defined in specs. <strong>Gateway\/WAF Integration:<\/strong> Functions inline with API gateways and WAFs to enforce controls and block malicious IPs. <strong>Bot\/Malicious IP Blocking:<\/strong> Detects and blocks scrapers, bots, and known malicious sources.<\/td>\n<\/tr>\n<\/table>\n<h3>Find Out More About How Wallarm Can Help<\/h3>\n<p>The NCSC\u2019s guidance offers a practical, well-rounded framework for securing APIs in today\u2019s threat landscape. But translating these principles into practice requires visibility, automation, and proactive defense. Wallarm makes that possible, combining continuous API discovery, runtime protection, and security testing in one unified platform. 
To see how it works in your environment, book a demo today.<\/p>\n<p>The post Understanding the NCSC\u2019s New API Security Guidance appeared first on Wallarm.\n<\/p><\/div>\n<p><a href=\"https:\/\/lab.wallarm.com\/understanding-ncscs-new-api-security-guidance\/\" target=\"_blank\" style=\"display: inline-block; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Update News Update Information Title Understanding the NCSC\u2019s New API Security Guidance Update ID WALLARMLAB:115616431306DBE4BE7F09E57B7F28A7 Type wallarmlab Published 2025-07-10T11:00:00 Last Updated 2025-07-10T11:00:00 Security Impact&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,5,105],"class_list":["post-7919","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability","tag-wallarmlab"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Understanding the NCSC\u2019s New API Security Guidance - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=7919\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Understanding the NCSC\u2019s New API Security Guidance - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Understanding the NCSC\u2019s New API Security Guidance Update ID 
WALLARMLAB:115616431306DBE4BE7F09E57B7F28A7 Type wallarmlab Published 2025-07-10T11:00:00 Last Updated 2025-07-10T11:00:00 Security Impact...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=7919\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-10T07:39:24+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7919#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7919\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Understanding the NCSC\u2019s New API Security Guidance\",\"datePublished\":\"2025-07-10T07:39:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7919\"},\"wordCount\":919,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\",\"wallarmlab\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7919#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7919\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7919\",\"name\":\"Understanding the NCSC\u2019s New API Security Guidance - zero 
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-10T07:39:24+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7919#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7919\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7919#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Understanding the NCSC\u2019s New API Security Guidance\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Understanding the NCSC\u2019s New API Security Guidance - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=7919","og_locale":"en_US","og_type":"article","og_title":"Understanding the NCSC\u2019s New API Security Guidance - zero redgem","og_description":"Security Update News Update Information Title Understanding the NCSC\u2019s New API Security Guidance Update ID WALLARMLAB:115616431306DBE4BE7F09E57B7F28A7 Type wallarmlab Published 2025-07-10T11:00:00 Last Updated 2025-07-10T11:00:00 Security Impact...","og_url":"https:\/\/zero.redgem.net\/?p=7919","og_site_name":"zero redgem","article_published_time":"2025-07-10T07:39:24+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=7919#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=7919"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Understanding the NCSC\u2019s New API Security Guidance","datePublished":"2025-07-10T07:39:24+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=7919"},"wordCount":919,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","Security","tapic","Vulnerability","wallarmlab"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=7919#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=7919","url":"https:\/\/zero.redgem.net\/?p=7919","name":"Understanding the NCSC\u2019s New API Security Guidance - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-10T07:39:24+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=7919#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=7919"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=7919#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Understanding the NCSC\u2019s New API Security Guidance"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7919","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7919"}],"version-history":[{"count":0,"href":"https
:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7919\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}