Check out the security controls that SANS Institute recommends for protecting your AI systems. Plus, the U.K. NCSC urges organizations to adopt newer API security techniques. In addition, CISA and other cyber agencies warn that attackers are using “fast flux” techniques to conceal their actions. And much more!

Dive into five things that are top of mind for the week ending April 4.

1 - SANS: Six critical controls for securing AI systems

How do you protect the growing number of artificial intelligence (AI) systems your organization is gleefully deploying to improve business operations?

That’s a critical question cybersecurity teams grapple with every day. In an effort to help bring clarity to this issue, SANS Institute this week published draft guidelines for AI system security.

The “SANS Draft Critical AI Security Guidelines v1.1” document outlines six key security control categories for mitigating cyber risks to AI systems:

- Access control methods, including:
  - Least privilege, for ensuring that users, APIs and systems have the minimum-necessary access to AI systems, thus preventing them from having excessive permissions
  - Zero trust, for vetting all interactions with AI models
  - API monitoring, for flagging potentially malicious API usage
- Protections for AI operational and training data, including:
  - Data integrity of AI models
  - Prevention of tampering with AI prompts
- Deployment decisions, including:
  - On-premises versus cloud
  - Integrated development environments (IDEs), where AI tools used to generate code can inadvertently expose secrets, such as API keys and algorithms
- Inference security for preventing malicious input attacks, including:
  - Adoption of response policies for AI outputs
  - Prompt filtering and validations for mitigating prompt injection attacks
- Continuous monitoring of AI models, including:
  - Refusal of inappropriate queries
  - Detection of unauthorized model changes
  - Logging of prompts and outputs
- Governance, risk and compliance for complying with data protection and privacy regulations, including:
  - Adoption of AI risk management frameworks
  - Maintaining an AI bill of materials to track AI supply chain dependencies
  - Use of model registries to track AI model lifecycles

“By prioritizing security and compliance, organizations can ensure their AI-driven innovations remain effective and safe in this complex, ever-evolving landscape,” the document reads.

For more information about securing AI systems against cyberattacks, check out these Tenable resources:

- “Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)
- “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
- “Who's Afraid of AI Risk in Cloud Environments?” (blog)
- “Tenable Cloud AI Risk Report 2025” (research report)
- “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach” (blog)

2 - NCSC: Obsolete API security is a gift for cyber attackers

Organizations must update their methods for securing their application programming interfaces (APIs), including by using stronger authentication.

So said the U.K. National Cyber Security Centre (NCSC) this week in a new guidance document titled “Securing HTTP-based APIs,” published in the wake of several high-profile API breaches.

“Strengthening API security should not simply be seen as a protective measure; it can also enable organisations to enhance agility, simplicity and productivity,” reads a companion NCSC blog titled “New guidance on securing HTTP-based APIs.”

Unfortunately, many organizations rely on outdated API-security practices, including:

- Use of basic authentication
- Lack of rate-limiting and user-throttling capabilities
- Unprotected endpoints
- Code-stored credentials
- Use of URLs to transmit sensitive data
- Lax input validation
- Unencrypted API traffic via HTTP
- Weak logging and monitoring

NCSC offers detailed recommendations to boost the security of your HTTP-based APIs in areas including:

- Development practices
- Authentication and authorization
- Protection of in-transit data
- Input validation
- Denial-of-service attack mitigation
- Logging and monitoring
- Exposure limitation

For example, NCSC recommends adopting strong authentication frameworks like OAuth 2.0 or token-based authentication.
It also suggests doing a threat modeling analysis of your API design.

Another recommendation is to develop API applications in a secure development and delivery environment, and to use secure standards, such as JSON for data exchange and TLS cryptography for in-transit data.

For more information about API security:

- “OWASP API Security Project” (OWASP)
- “13 API security best practices to protect your business” (TechTarget)
- “4 Main API Security Risks Organizations Need to Address” (Dark Reading)
- “API security maturity model to assess API security posture” (TechTarget)
- “99% of Organizations Report API-Related Security Issues” (Infosecurity Magazine)

3 - Alert: Attackers using “fast flux” technique to hide their tracks

Cyber attackers are leveraging a technique called “fast flux” to evade detection and conceal their actions, so critical infrastructure organizations, internet service providers and governments must prioritize addressing this urgent threat.

“Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity,” reads a joint advisory issued this week by the governments of Australia, Canada, New Zealand and the U.S.

“By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats,” adds the advisory, titled “Fast Flux: A National Security Threat.”

A type of dynamic resolution technique, “fast flux” allows cyber criminals, nation-state actors and other cyber attackers to:

- Disguise the location of their servers by quickly changing their domain name system (DNS) records, such as their IP address
- Stand up robust and stealthy command-and-control (C2) operations
- Set up malicious websites for phishing campaigns that are difficult to block and take down

Governments, critical infrastructure organizations, ISPs, cybersecurity service providers and protective DNS service providers should take “a multi-layered approach to detection and mitigation to reduce risk of compromise by fast flux-enabled threats,” reads an alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

“Fast flux” mitigation recommendations include:

- Block access to IP addresses and domains associated with malicious “fast flux” networks, and sinkhole these domains to controlled servers to analyze their traffic.
- Increase monitoring and logging of DNS and network traffic, and set up “fast flux” alert mechanisms.
- Share “fast flux” detection indicators, such as domains and IP addresses, with partners and threat intelligence communities via, for example, the U.S.’s Automated Indicator Sharing and Australia’s Cyber Threat Intelligence Sharing Platform.
- Train employees on phishing detection and response, and adopt policies and procedures for dealing with phishing incidents facilitated by “fast flux” networks.

Agencies that co-authored this advisory include CISA, the U.S. Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre, the Canadian Centre for Cyber Security and New Zealand’s National Cyber Security Centre.

For more information about the “fast flux” technique:

- “Dynamic Resolution: Fast Flux DNS” (MITRE)
- “Fast-flux botnet detection from network traffic” (IEEE)
- “Fast Flux DNS” (DevX)

4 - Tenable polls webinar attendees on API security

And speaking of API security … During a recent webinar about our Tenable Web Application Scanning product, we polled attendees about their API security practices, including API discovery and protection. Check out what they said.

(41 webinar attendees polled by Tenable, April 2025)

(38 webinar attendees polled by Tenable, April 2025)

To learn more about API security and about what’s new in Tenable Web Application Scanning, watch the webinar on demand.

5 - U.S. House looks at cybersecurity of local, state governments

A U.S. House of Representatives subcommittee held a hearing this week about the ability of U.S. state, local, tribal and territorial (SLTT) governments to address rapidly changing cyber threats.

Also discussed: The future of the “State and Local Cybersecurity Grant Program” (SLCGP), which was established in 2021 to help boost SLTT governments’ cybersecurity preparedness and which is set to expire in September.

“Cybersecurity is a whole-of-society challenge, meaning the Federal government must continue to support and strengthen cybersecurity at the state and local levels to protect our nation’s networks and critical infrastructure,” said Rep. Andrew Garbarino (R-NY), Chairman of the House Subcommittee on Cybersecurity and Infrastructure Protection.

Tenable Chief Security Officer Robert Huber was one of four experts who testified during the hearing, titled “Cybersecurity is Local, Too: Assessing the State and Local Cybersecurity Grant Program.” Huber, who is also Tenable’s Head of Research and President of Tenable Public Sector, emphasized the importance of the SLCGP in strengthening cybersecurity and critical infrastructure, while recommending grant process improvements to increase participation.

For more information about cybersecurity challenges of state and local governments:

- “Cybersecurity challenges faced by local governments in 2025” (American City & County)
- “Local governments need more cyber funding, report finds” (StateScoop)
- “State and Local Governments’ Cyber Resilience Efforts Face Constraints” (StateTech)
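
Returning to the fast flux item (section 3): one way to build the DNS monitoring and alerting it recommends, shown as an added example that is not taken from the advisory or from Tenable. The log format, the sample lines and the thresholds (five or more addresses across three or more /24 networks, TTLs of 300 seconds or less, inside 30 minutes) are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed resolver answer log (not real traffic): "time qname type ttl ip".
SAMPLE_LOG = """\
2025-04-04T10:00:00 flux.example A 60 192.0.2.10
2025-04-04T10:02:00 flux.example A 60 198.51.100.7
2025-04-04T10:04:00 flux.example A 60 203.0.113.99
2025-04-04T10:06:00 flux.example A 60 192.0.2.200
2025-04-04T10:08:00 flux.example A 60 198.51.100.44
2025-04-04T10:01:00 pool.example A 60 192.0.2.1
2025-04-04T10:03:00 pool.example A 60 192.0.2.2
2025-04-04T10:05:00 pool.example A 60 192.0.2.3
2025-04-04T10:07:00 pool.example A 60 192.0.2.4
2025-04-04T10:09:00 pool.example A 60 192.0.2.5
garbled line that the parser must skip
"""

def parse(log):
    """Yield (time, qname, ttl, ip) for well-formed A-record lines only."""
    for line in log.splitlines():
        p = line.split()
        try:
            if len(p) == 5 and p[2] == "A":
                yield datetime.fromisoformat(p[0]), p[1].lower().rstrip("."), int(p[3]), ip_address(p[4])
        except ValueError:
            continue  # bad timestamp, TTL or address

def fast_flux_candidates(log, window=timedelta(minutes=30), min_ips=5,
                         min_nets=3, max_ttl=300, allowlist=()):
    """Return {domain: (ips, /24s)} for short-TTL churn; thresholds are assumed defaults."""
    by_domain = defaultdict(list)
    for rec in parse(log):
        if rec[1] not in allowlist:  # skip domains known to rotate legitimately
            by_domain[rec[1]].append(rec)
    alerts = {}
    for domain, recs in by_domain.items():
        recs.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1  # slide the window forward in time
            win = recs[start:end + 1]
            ips = {r[3] for r in win}
            nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
            if len(ips) >= min_ips and len(nets) >= min_nets and max(r[2] for r in win) <= max_ttl:
                alerts[domain] = (len(ips), len(nets))
                break
    return alerts
```

Legitimate CDNs and load balancers also rotate addresses, so seed `allowlist` from your own baseline before alerting on the output.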