Enhancing API security: Implementing NCSC Principles with Becrypt APP-XD
In today’s interconnected digital landscape, Application Programming Interfaces (APIs) have become the backbone of modern software systems, but present significant security risks. Attackers actively exploit API weaknesses. To address this, the UK National Cyber Security Centre (NCSC) outlines seven critical principles for securing HTTP-based APIs. Becrypt’s high-assurance cybersecurity solutions, particularly Becrypt APP-XD hardware backed API Gateway, provides a robust framework for implementing these principles, especially in high-threat environments like Critical National Infrastructure (CNI).
Securing APIs in high-threat environments requires going beyond standard solutions. The UK NCSC’s seven principles provide a vital framework. Becrypt’s hardware-enforced Becrypt APP-XD API Gateway directly addresses these principles: enabling secure cross-domain API development and traffic, enforcing strong hardware backed authentication and input validation, protecting data-in-transit (including mTLS), mitigating DoS attacks, enabling cross-domain logging, and minimising exposure. It provides the high-assurance protection needed where compromise is unacceptable.
Becrypt: Aligning with NCSC Principles
Becrypt, a leader in high-assurance cybersecurity solutions, offers a comprehensive product portfolio that aligns perfectly with these principles, providing organisations with the tools to build and maintain secure API ecosystems.
This article explores how Becrypt’s innovative APP-XD hardware backed API Gateway solution and associated technologies can help organisations address each of the NCSC’s seven security principles when applied to higher threat environments, from secure development practices to limiting exposure, ensuring robust protection for your API infrastructure.
API gateways act as intermediaries between the endpoints and backend services, providing a centralised entry point for managing and securing API traffic. This approach can ensure a consistent implementation of security features such as schema validation, authentication and authorisation, content validation, and centralised logging.
Secure Development Practices
The NCSC emphasise the importance of establishing the context before designing the system, an activity that will inform the threat modelling process, which is a key part of the “Secure by Design” system development principles. If this process identifies that the threat and risk profiles are significant, you may want to consider implementing a strong HW based technical control that can enforce the verification of the API calls between systems.
Integrating the APP-XD gateway is surprisingly easy for an API developer thanks to the APP-XD School software solution. This tool provides a dedicated learning environment that, by mimicking an application client, allows developers to experiment and quickly familiarise themselves with APP-XD using standard HTTP requests from which output can be generated that can be integrated into standard tools such as OpenAPI. APP-XD also uses standard cryptographic functions like TLS and provides a straightforward path to migrate developed applications directly from the SW dev platform to the HW appliance.
For development teams working within high-assurance environments on high-threat solutions, Becrypt OS security-focused enterprise operating system, can help ensure that security and integrity controls are implemented during the development process. This is particularly valuable when developing APIs for CNI sectors, where compromise could have severe consequences.
API Authentication and Authorisation
Robust authentication and authorisation mechanisms are critical for API security, especially when APIs bridge different security domains. However, traditional cross domain solutions simply cannot support modern authentication methods.
Becrypt’s high assurance cross domain solution, Becrypt APP-XD, provides a secure foundation for API development environments. As the first API centric cross domain solution, Becrypt APP-XD enables assured connectivity between secure and high-risk networks while maintaining strict security controls. This is particularly valuable when developing APIs that need to interact across security domains.
Becrypt’s APP-XD facilitates secure connections across trust domains. It provides hardware-enforced authentication and authorisation for API traffic moving between networks of different classification levels. Unlike conventional firewalls or API gateways, Becrypt APP-XD uses hardware modules (FPGAs) to maintain cryptographic separation, preventing credential exposures even if the hosting platform is compromised.
The solution supports modern authentication standards like OAuth 2.0 while adding hardware-level assurance that credentials can’t be extracted and signatures can be exchanged across the device. This addresses the NCSC’s concerns about credential storage and replay attacks by ensuring cryptographic operations occur in tamper-resistant hardware.
Data in Transit Protection
Protecting API data in transit goes beyond basic TLS implementation, especially for high-value targets. The NCSC recommends considering mutual TLS (mTLS) for sensitive APIs, which presents key management challenges at scale.
Becrypt’s APP-XD Cross Domain Solution addresses this through hardware-enforced TLS termination within APP-XD’s trusted FPGA module. This approach ensures that API traffic remains protected within the hardware security boundary even if an attacker gains access to the network infrastructure. Additionally, you can define precisely which services at the backend (High-Side) the appliance can connect to and configure mTLS connections to ensure that the data is always protected when in transit between the client and server.
Input Validation
The NCSC guidance emphasises that comprehensive input validation should be implemented using both syntactic and semantic validation methods as part of a defence-in-depth approach across multiple layers of the API infrastructure.
Becrypt APP-XD’s API-centric architecture uniquely addresses both validation methodologies to apply strict validation rules to implemented at the cross-domain boundary, providing an additional layer of protection beyond application-level validation. The APP-XD FPGA applies strict syntactic validation of the XML message structures. Then the APP-XD application policy applies the semantic validation function using XSDs (XML Schema Definitions) to verify both the structure and minimum and maximum values of each dataset traversing the appliance.
When integrated with solutions like Glasswall CDR, it can also validate complex document structures and content at the network boundary before they reach application servers.
The hardware-enforced nature of these validation mechanisms means they can’t be bypassed through software vulnerabilities, addressing sophisticated attacks that might circumvent application-level controls.
DoS Attack Mitigation
To protect APIs from Denial of Service (DoS) attacks, the NCSC advises implementing both network-level protections and resilient architecture design.
Becrypt APP-XD will simply drop and ignore unexpected connection attempts. For well-crafted API-based DoS attacks the systems traffic inspection and control capabilities can be configured to implement rate limiting policies. The solution is designed to handle high traffic volumes while maintaining security, making it well-suited for protecting APIs from resource exhaustion attacks.
Logging and Monitoring
To effectively monitor and protect an organisation’s security environment, the NCSC advises that both comprehensive logging and the ability to correlate events across security domains are needed.
Becrypt APP-XD is uniquely capable of supporting this recommendation. Events generated on the appliance itself can be sent to a SIEM system for detailed analysis. Additionally, APP-XD supports the ability to send Syslog messages across the appliance where they are verified as correctly formed messages, enabling the ability to correlate events across security domains. This implementation supports RFC5424 messages and the following protocols.
- UDP
- TCP
- TCP/TLS
- RELP without TLS
- RELP/TLS
Limiting Exposure
The NCSC advises that limiting exposure to APIs where possible and implementing effective management of endpoint access to the APIs. They acknowledge that reducing API attack surfaces is particularly challenging when services need to span multiple security domains. The NCSC also advises the use of an API gateway when deploying at scale in order to provide a consistent approach to security.
For organisation hosting very sensitive APIs for closed communities (such as CNI sectors) solution architects could consider using the Becrypt OS as a Privileged Access Workstation for protecting access and administration of the APIs as part of a closed network.
Becrypt’s APP-XD and associated Cross Domain solutions are specifically designed to meet the stringent requirements of such environments. These solutions include advanced capabilities for limiting exposure through methods like mTLS and IP allow listing. These capabilities allow organisations to implement the NCSC’s principles of least exposure while still enabling necessary functionality across security boundaries.
Conclusion: A strong PAW strategy with Becrypt
Securing HTTP-based APIs in high-threat environments requires going beyond standard commercial security products. The NCSC’s seven principles provide a comprehensive framework for API security, but implementing them in critical infrastructure and government contexts often demands specialised high-assurance solutions.
By combining hardware-enforced security boundaries with modern API security practices, solutions like those discussed can address sophisticated threats that bypass conventional protections. The key is integrating these capabilities throughout the API lifecycle – from secure development environments to protected runtime execution – while maintaining the flexibility required for modern digital services.
Organisations should assess their specific threat models and security requirements when selecting API protection mechanisms, particularly when operating in elevated threat environments where standard solutions may prove inadequate.
Find out more:
Discover how Becrypt APP-XD can enhance your API security infrastructure.
