A Quick Guide to API Security

This is a guest author post.

Source: Pixabay

What Is an API?

An application program interface (API) enables structured communication between two software programs. An API determines how developers should submit requests to an application or operating system, and how data should be exposed across multiple channels and contexts. 

APIs enable organizations to maintain security and control over their resources while providing access to more users. They have become a critical component of the modern data economy.

Here are examples of common types of APIs:

  • Login APIs—enable users to log into applications or websites. For example, the Auth0 Universal Login API allows individuals to access websites using the login details from their Google, Facebook or Twitter profiles, so they don’t have to set up a new profile for every new service. 
  • Video APIs—facilitate the creation of collaborative video experiences. Users can take advantage of these APIs to open up new marketing channels and opportunities for revenue, without having to handle the complex work involved in uploading, hosting and delivering video content.
  • Payment APIs—enable third-party processing of payments on applications and websites. Users can buy products online while protecting the confidentiality of their payment details.
  • Comparison APIs—provides access to data aggregated from multiple sites offering similar services. For example, travel booking comparisons allow consumers to filter through thousands of flights and hotel packages to find the cheapest options available for each destination and date. APIs enable the autonomous exchange of requests and data, minimizing the time it takes to search for available services.

API Specifications and Protocols

API specifications help you standardize the exchange of data between web services. You can use API standardization to enable systems to communicate with each other, regardless of the programming language, operating system, or technology used to create and operate these systems.

Remote Procedure Call (RPC)

RPC protocols let you specify the interactions between client-server based applications. In this model, the client (one program) requests functionality or data from the server (another program). The client can be located in another network or a computer and the server sends the required response. There are several ways to implement RPC, including SOAP.

Service Object Access Protocol (SOAP)

The SOAP protocol, which was developed by Microsoft, enables the exchange of structured data in a distributed, decentralized environment. This lightweight protocol contains syntax rules that define how requests and responses are sent by web applications. SOAP-compliant APIs enable XML messaging between applications across HTTP or SMTP.

Representational State Transfer (REST)

REST makes data available as a resource. In this model, each resource is represented as a unique URL. To request a resource, developers only need to provide the relevant URL. This is why REST is often considered simpler to work with. SOAR, on the other hand, requires developers to write a lot of code for each task and follow the XML structure for each message sent. 

What is API Security?

API security, a growing field in corporate information security, involves protecting the integrity of the APIs you use or own. The main security concern regarding APIs is that they are usually publicly available. This means they are well documented and easy to reverse-engineer.

APIs that can be accessed by anyone are particularly vulnerable to denial-of-service (DoS) attacks, making them a popular target for malicious actors.

An attack on an API may attempt to breach sensitive data or cause a disruption to the functioning and availability of an application. For example an attacker might bypass security measures on a client-side application by directly attacking the API of the application. API security emphasizes this layer of the application and apprehends the possibility of a malicious actor interacting directly with the API.

In its report providing guidelines for implementing an API security strategy, Gartner expects that API exploits will become the most common attack vector by 2022. Gartner’s recommendation for protecting yourself against this threat is to adopt a “continuous” API security approach throughout the development and delivery lifecycle, and building security into your APIs from early development stages. 

The importance of APIs for the provision of digital services, combined with their access to sensitive data, means that API security is indispensable. You should implement a dedicated approach to securing your APIs and maintaining compliance.

5 API Security Best Practices

1. Ensure APIs Don’t Expose Too Much Information

Your API should not divulge too much information about its normal operations, as this can be used to plan an attack. A common example is if you have a user who authenticates with a username and password. If the user enters the correct username but the password is incorrect, do not disclose that information in the response.

For example, do not provide the following response: Status code: 401, Reason: WRONG_PASSWORD

This gives the attacker a clue that the username is correct, and the attacker focuses on finding the correct password. Prefer a response like this: Status code: 401, Reason: WRONG_USERNAME_OR_PASSWORD

2. Secure APIs with Endpoint Detection and Response (EDR)

The term Endpoint Detection and Response (EDR) is a set of practices and tools designed to identify endpoint security threats and prevent attacks, using automated security measures.

There are many simple EDR security practices that can be applied to API endpoints. Here are the most common methods. All of these features can be implemented using endpoint security solutions provided by many security vendors:

  • HTTPS communication monitoring
  • API call monitoring
  • User authentication event monitoring
  • IP address filtering
  • Using JSON Web Token (JWT)
  • Input validation

3. Use Modern Authentication Frameworks

OAuth2 is an authorization access delegation framework that allows you to build authentication systems. For example, OpenIDConnect, UMA 1.0 and 2.0, and IndieAuth use OAuth2 as the underlying architecture. The advantages of using OAuth2 include:

  • Simplifies API access authorization
  • Protects credentials of the owner account
  • The OAuth2 token restricts access to specific resources within a specific time period instead of giving the owner unlimited access to all resources.

Treat OAuth2 as a framework for authentication, rather than an out-of-the-box system for user authentication. OpenID Connect is such a system, which is based on OAuth2 and provides the added benefit of identifying and verifying users requesting access, also known as federated authentication.

Whatever authentication technique you use, you must first authenticate the user, and then selectively grant access based on the user’s role and the features that actually need to be accessed.

4. Make Your API RESTful

REST API design is an effective way to reduce overhead and complexity and make your application easier to scale. With a REST framework, your design follows a set of implementation guidelines that can increase API security.

For example, in a RESTful API you can whitelist certain HTTP methods and reject inputs that do not conform to the API contract. You can design your API so it follows a fixed set of HTTP return codes, not text responses that may accidentally reveal sensitive information.

5. Enable Auditing and Logging

Auditing is important for all APIs. Make sure to protect the API against log injection attacks, to protect the integrity of logs and prevent attackers from tampering with them. Enable comprehensive logging for all aspects of the API, to detect and prevent attacks and also enhance your ability to troubleshoot the API.

Conclusion

In this article I discussed the basics of APIs, the three common technical variants – RPC, SOAP, and REST – and five best practices that can help you secure your APIs:

  • Don’t expose too much information – ensure that APIs return minimal error messages and outputs to avoid exposing internals to an attacker.
  • Secure APIs with EDR – secure the server hosting your API endpoints using modern endpoints security technology.
  • Use authentication frameworks like OAuth – don’t build authentication yourself, rely on battle tested frameworks that have security built in.
  • Make APIs RESTful – REST APIs not only reduce overhead but also have several security benefits.
  • Enable auditing and logging – any production API should log usage to identify anomalous and potentially malicious events.

I hope this will be of help as you develop the next generation of useful, secure APIs.

=== END ===

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.