APIs continue to play an integral role in software development: they enable tighter integration between applications, a more seamless user experience, and the transfer of data, sensitive or otherwise, from one server to another or from a server to an end user.
The rapid adoption of APIs, particularly over the past 12 months, has led to an overall increase in recorded API traffic. Because APIs carry increasingly valuable data, threat actors are now targeting them as an attack vector more than ever. According to a research report, API attack traffic has grown by 117% over the past 12 months. This rapid increase in malicious traffic has led security professionals to focus more closely on API security.
What is API Security?
API security can be described as the entirety of the processes involved in the protection of APIs against misuse and cyber attacks. Over the past several years, the industry has developed a set of best practices to ensure the security of APIs.
It should be noted that API security is implemented differently depending on how much value an organization attaches to an API and the type of data being transferred through that API.
Nevertheless, the practices below are widely regarded as the essentials of effective API security.
API Security Best Practices
1. Authentication
Authentication means confirming that a user or a machine is who they claim to be. It is a crucial aspect of API security because it allows organizations to ensure that the right user has access to the right data. API authentication can be done via HTTP basic authentication, API key configuration, IdP server tokens, SAML federated identity, API access tokens, or OAuth with OpenID Connect.
2. Encryption
Encryption is the process of transforming information into a form that cannot be read without the corresponding key, which preserves its confidentiality. API traffic is encrypted with TLS, either standard one-way TLS (the client verifies the server) or mutual two-way TLS (the server also verifies the client's certificate).
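The following is an added example, not code from the original article, showing how the two TLS modes described above differ in configuration on the server side, with a matching client context for mutual TLS. It uses Python's standard ssl module; the certificate and key file paths are placeholders, and the contexts are built without loading any real certificates so the settings can be inspected on their own.

```python
# Added example (not from the original article): server-side TLS contexts for
# one-way and mutual (two-way) TLS, plus a client context that presents a
# certificate for mutual TLS. File paths are hypothetical placeholders.
import ssl
from typing import Optional


def make_server_context(mutual: bool, ca_file: Optional[str] = None,
                        cert_chain: Optional[str] = None,
                        key_file: Optional[str] = None) -> ssl.SSLContext:
    """Return an SSLContext for an API server.

    mutual=False -> standard one-way TLS: clients verify us, we accept anyone.
    mutual=True  -> mutual TLS: we also require and verify a client certificate.
    """
    # PROTOCOL_TLS_SERVER negotiates the highest version both sides support;
    # refusing anything below TLS 1.2 rules out the protocol versions with
    # known weaknesses.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_chain and key_file:
        # The server's own certificate chain and private key (placeholder paths).
        ctx.load_cert_chain(certfile=cert_chain, keyfile=key_file)
    if mutual:
        # CERT_REQUIRED makes the handshake fail unless the client presents a
        # certificate that chains to a CA we trust (our private CA file).
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)
    else:
        # One-way TLS: the client is anonymous at the transport layer, so
        # authentication has to happen elsewhere (tokens, API keys, ...).
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_client_context(ca_file: Optional[str] = None,
                        client_cert: Optional[str] = None,
                        key_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context: verifies the server and, for mutual TLS, presents our
    own certificate when the server asks for one."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True  # default, stated explicitly: name must match cert
    if client_cert and key_file:
        ctx.load_cert_chain(certfile=client_cert, keyfile=key_file)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings, e.g. for logging at startup."""
    return {
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("one-way:", describe(make_server_context(mutual=False)))
    print("mutual: ", describe(make_server_context(mutual=True)))
```

The practical difference is the single verify_mode setting: with one-way TLS the transport layer tells the API nothing about who the client is, so an authentication mechanism from the section above is still needed; with mutual TLS the handshake itself rejects clients that cannot prove possession of a certificate issued by the trusted CA.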
3. OAuth2 using OpenID Connect
OAuth 2.0, which stands for “Open Authorization”, is a standard that allows a website or application to access resources hosted by other web applications on behalf of a user. It is common practice, by industry security standards, for organizations to delegate the authorization and/or authentication of their APIs to third-party identity providers (IdPs). To bolster security further, an identity layer can be added in the form of OpenID Connect, a standard that extends OAuth 2.0 with ID tokens.
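The following is an added example, not code from the original article, covering the token-based authentication mentioned in section 1 and the OpenID Connect ID tokens described here: an API validating an ID token before trusting the identity it carries. It assumes the IdP signs tokens with HS256 using a secret shared with this API (a hypothetical secret below), and the issuer and audience values are constructed. Real IdPs usually sign with RS256 and publish their public keys at a JWKS endpoint, and a production service should use a maintained JWT library; the checks themselves (pinned algorithm, signature, issuer, audience, expiry) are the same.

```python
# Added example (not from the original article): validating an OpenID Connect
# ID token. Assumes HS256 with a shared secret; issuer/audience/secret are
# constructed placeholders, not values from any real deployment.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

EXPECTED_ISSUER = "https://idp.example.test"   # constructed issuer URL
EXPECTED_AUDIENCE = "orders-api"                # constructed client_id of this API
CLIENT_SECRET = b"hypothetical-shared-secret"   # placeholder, not a real key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(subject: str, lifetime_s: int = 300, now: Optional[int] = None) -> str:
    """Build an HS256-signed ID token the way the IdP would. Used here only to
    produce input for validation; an API never mints ID tokens itself."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": subject,
              "iat": now, "exp": now + lifetime_s}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, now: Optional[int] = None) -> dict:
    """Return the verified claims or raise ValueError. Each check closes one
    class of token-handling mistake: accepting alg=none or a different
    algorithm, forged signatures, expired tokens, tokens from another issuer,
    and tokens issued for a different API."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three segments")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on our side; never let the token pick it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    signing_input = (header_b64 + "." + claims_b64).encode()
    expected_sig = hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("token from an untrusted issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token was not issued for this API")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def rejection_reason(token: str, now: Optional[int] = None) -> Optional[str]:
    """None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, now)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    tok = mint_id_token("user-42", now=1_700_000_000)
    print(validate_id_token(tok, now=1_700_000_100)["sub"])
```

The order of the checks matters: the signature is verified before any claim is read, so nothing in an unsigned or tampered payload ever influences a decision, and the audience check stops a token legitimately issued for one API from being replayed against another.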
4. Audit, log, and version APIs
Organizations should have a dedicated team monitoring API traffic, with an effective troubleshooting process in place to mitigate errors. Server-side data should be logged, audited, and retained for as long as it is deemed relevant; logged and audited data readily becomes a valuable resource for debugging when an incident occurs.
API versions should also be documented, notably in the API path. This keeps track of which versions of an API are still in use and allows older versions to be retired when the need arises.
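The following is an added example, not code from the original article, showing what a useful API audit record looks like in practice: one structured line per request that keeps what an incident responder needs (who, what, when, outcome, which API version was called) while redacting credentials so the log itself does not become a store of secrets, and flagging calls to versions that have been retired. The supported-version set, header names and sample requests are constructed.

```python
# Added example (not from the original article): structured audit logging for
# API requests with credential redaction and version tracking from the path.
# SUPPORTED_VERSIONS and the sample requests are constructed values.
import json
import re
from datetime import datetime, timezone
from typing import Optional

VERSION_RE = re.compile(r"^/v(\d+)/")
SUPPORTED_VERSIONS = {2, 3}                    # hypothetical: v1 has been retired
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}


def api_version(path: str) -> Optional[int]:
    """Extract the version from a versioned path such as /v2/orders; None if absent."""
    m = VERSION_RE.match(path)
    return int(m.group(1)) if m else None


def audit_record(method: str, path: str, status: int, headers: dict,
                 client_ip: str, subject: Optional[str],
                 ts: Optional[datetime] = None) -> dict:
    """Build a structured audit record. Credentials are replaced, not stored:
    a token copied into a log is as dangerous as a token copied anywhere else."""
    ts = ts or datetime.now(timezone.utc)
    version = api_version(path)
    safe_headers = {
        k: ("[REDACTED]" if k.lower() in SENSITIVE_HEADERS else v)
        for k, v in headers.items()
    }
    return {
        "ts": ts.isoformat(),
        "client_ip": client_ip,
        "subject": subject or "anonymous",   # identity from authentication, if any
        "method": method,
        "path": path,
        "status": status,
        "api_version": version,
        # Calls to retired versions are worth alerting on: they are either
        # stale clients or someone probing for an older, weaker code path.
        "deprecated_version": version is not None and version not in SUPPORTED_VERSIONS,
        "headers": safe_headers,
    }


def audit_line(**request) -> str:
    """One JSON object per line: easy to ship to a SIEM and to grep later."""
    return json.dumps(audit_record(**request), sort_keys=True)


SAMPLE_REQUESTS = [  # constructed sample requests
    dict(method="GET", path="/v3/orders/17", status=200, client_ip="198.51.100.7",
         subject="user-42",
         headers={"Authorization": "Bearer constructed-token-value", "User-Agent": "app/1.0"}),
    dict(method="POST", path="/v1/orders", status=410, client_ip="203.0.113.9",
         subject=None, headers={"X-Api-Key": "constructed-key-value"}),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(audit_line(**req))
```

Redaction is done by header name, case-insensitively, so a client sending "AUTHORIZATION" is handled the same as one sending "Authorization"; the version field comes from the path exactly as the section recommends, which is what makes "who is still calling v1?" a one-line query over the log.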
5. API gateway management
Essentially, an API gateway is a tool that sits between clients and backend services. It acts as a reverse proxy that accepts API calls, aggregates the required services, and returns the appropriate responses. Gateways save time and effort by making it easier for organizations to monitor and control access to APIs. Most API gateway and management solutions also make traffic data easier to visualise through graphical dashboards.
6. Firewalls
Organizations should ensure that all their APIs sit behind firewalls; this adds an extra layer of security and makes it harder for attackers to exploit API vulnerabilities. API firewalls should be configured in two layers: the first is a DMZ (demilitarized zone) with an API firewall that performs basic checks such as message size limits, SQL injection detection, and HTTP security, potentially blocking intruders early. Traffic that passes is then forwarded to the LAN, where more advanced security controls are applied.
7. OWASP API Top 10
Organizations should stay up to date with the OWASP API Top 10, a list of the ten most critical API vulnerability categories, ranked according to their impact and exploitability, and ensure that they are secured against all ten.
8. Secure your infrastructure
Effective API security goes beyond securing just APIs. Organizations should ensure that the rest of their infrastructure is up to date. This includes networks, servers, and software, as well as third-party service providers.
9. Data validation
Organizations should validate all incoming data before accepting it, especially data that is unexpected, unusually large, or from an unknown source. XML and JSON schema validation can be used to check parameters and reject malformed or malicious input.
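The following is an added example, not code from the original article, combining the message size check assigned to the perimeter firewall in section 6 with the schema validation described here: a JSON request body is size-limited, parsed strictly, checked against a small schema (required fields, types, bounds, no unexpected fields) and rejected with a specific reason before any handler sees it. The schema, size limit and sample bodies are constructed; a production service would typically express the same rules with a maintained JSON Schema library.

```python
# Added example (not from the original article): validating an incoming JSON
# request body. MAX_BODY_BYTES and ORDER_SCHEMA are constructed for the example.
import json
from typing import Optional

MAX_BODY_BYTES = 4096  # hypothetical limit for this endpoint

# Minimal schema: field -> type, bounds, and whether it must be present.
ORDER_SCHEMA = {
    "sku": {"type": str, "max_len": 32, "required": True},
    "quantity": {"type": int, "min": 1, "max": 1000, "required": True},
    "note": {"type": str, "max_len": 200, "required": False},
}


class ValidationError(ValueError):
    pass


def validate_order(raw: bytes) -> dict:
    """Return the validated body as a dict, or raise ValidationError."""
    # 1. Size limit first: oversized payloads are rejected before parsing,
    #    the same cheap check a perimeter API firewall performs.
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError(f"body exceeds {MAX_BODY_BYTES} bytes")
    # 2. Strict parsing: malformed JSON or invalid UTF-8 is rejected, not repaired.
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as e:
        raise ValidationError(f"malformed JSON: {e}")
    if not isinstance(body, dict):
        raise ValidationError("top-level value must be an object")
    # 3. Unknown fields are rejected outright, so a client cannot smuggle in
    #    attributes the handler never expected to receive.
    unknown = set(body) - set(ORDER_SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    # 4. Per-field presence, type and bounds checks.
    for name, rule in ORDER_SCHEMA.items():
        if name not in body:
            if rule["required"]:
                raise ValidationError(f"missing field: {name}")
            continue
        value = body[name]
        # bool is a subclass of int in Python, so `true` would otherwise pass
        # as a quantity; reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            raise ValidationError(f"{name}: wrong type")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError(f"{name}: too long")
        if "min" in rule and value < rule["min"]:
            raise ValidationError(f"{name}: below minimum")
        if "max" in rule and value > rule["max"]:
            raise ValidationError(f"{name}: above maximum")
    return body


def rejection_reason(raw: bytes) -> Optional[str]:
    """None if the body is accepted, otherwise why it was rejected."""
    try:
        validate_order(raw)
        return None
    except ValidationError as e:
        return str(e)


if __name__ == "__main__":
    print(validate_order(b'{"sku": "ABC-1", "quantity": 2}'))
    print(rejection_reason(b'{"sku": "ABC-1", "quantity": 2, "admin": true}'))
```

The checks are ordered from cheapest to most expensive, so an oversized or unparseable body costs almost nothing to refuse, and the rejection reasons are specific enough to log for debugging while never echoing the offending value back to the client.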
10. API runtime protection
API runtime protection secures APIs while they are running and handling requests. It establishes a behavioural baseline for your API traffic, in effect ‘understanding’ the normal characteristics of how your APIs are used, and uses that knowledge to filter traffic and protect your APIs against external threats, including low-and-slow attacks.
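The following is an added example, not code from the original article, showing the behavioural-baseline idea in detection logic: per-client request rates are learned from a known-good window, live traffic is compared against that baseline, and a separate check catches the low-and-slow case the section mentions, a client that stays below any rate threshold but enumerates many distinct paths with a high error ratio. The log format, thresholds and all log lines are constructed for the example.

```python
# Added example (not from the original article): a behavioural baseline over
# API access logs. Log format, thresholds and sample lines are constructed.
import re
import statistics
from collections import defaultdict

# Constructed format: '<epoch seconds> <client ip> "<METHOD> <path>" <status>'
LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<ip>[\d.]+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')


def parse(lines):
    """Yield (ts, ip, path, status) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            yield int(d["ts"]), d["ip"], d["path"], int(d["status"])


def requests_per_minute(events):
    """ip -> {minute bucket -> request count}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, ip, _path, _status in events:
        counts[ip][ts // 60] += 1
    return counts


def learn_baseline(training_lines):
    """Mean and population stdev of per-client, per-minute request counts
    observed during a window believed to contain only normal traffic."""
    per_minute = [c for minutes in requests_per_minute(parse(training_lines)).values()
                  for c in minutes.values()]
    return statistics.mean(per_minute), statistics.pstdev(per_minute)


def rate_outliers(live_lines, baseline, sigmas=3.0):
    """Clients whose busiest minute exceeds mean + sigmas * stdev."""
    mean, stdev = baseline
    # Floor the spread at 1 so a very flat baseline still leaves some slack.
    threshold = mean + sigmas * max(stdev, 1.0)
    return {ip for ip, minutes in requests_per_minute(parse(live_lines)).items()
            if max(minutes.values()) > threshold}


def low_and_slow(live_lines, min_distinct_paths=8, min_error_ratio=0.6):
    """Clients that never trip the rate check but touch many distinct paths
    and mostly receive 4xx responses: the signature of slow enumeration."""
    paths, errors, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _ts, ip, path, status in parse(live_lines):
        paths[ip].add(path)
        total[ip] += 1
        if 400 <= status < 500:
            errors[ip] += 1
    return {ip for ip in total
            if len(paths[ip]) >= min_distinct_paths
            and errors[ip] / total[ip] >= min_error_ratio}


def _gen(ip, start, n, spacing, path_fn, status_fn):
    """Build constructed log lines for one client."""
    return [f'{start + i * spacing} {ip} "GET {path_fn(i)}" {status_fn(i)}' for i in range(n)]


# Constructed quiet-period traffic: two clients at a few requests per minute.
TRAINING_LINES = (
    _gen("198.51.100.7", 1000, 12, 20, lambda i: "/v3/orders", lambda i: 200)
    + _gen("198.51.100.8", 1000, 9, 30, lambda i: "/v3/orders", lambda i: 200)
)
# Constructed live traffic: a normal client, a 40-requests-in-one-minute burst,
# and a client requesting one unknown path per minute for ten minutes.
LIVE_LINES = (
    _gen("198.51.100.7", 2000, 6, 20, lambda i: "/v3/orders", lambda i: 200)
    + _gen("203.0.113.9", 2000, 40, 1, lambda i: "/v3/orders", lambda i: 200)
    + _gen("203.0.113.10", 2000, 10, 60, lambda i: f"/v3/admin-{i}",
           lambda i: 404 if i < 9 else 200)
)

if __name__ == "__main__":
    baseline = learn_baseline(TRAINING_LINES)
    print("baseline (mean, stdev):", baseline)
    print("rate outliers:", rate_outliers(LIVE_LINES, baseline))
    print("low and slow:", low_and_slow(LIVE_LINES))
```

The two checks are deliberately independent: the burst client is invisible to the low-and-slow check (one path, all 200s) and the slow enumerator is invisible to the rate check (one request per minute), which is why a runtime baseline needs more than a single rate limit.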
A Healthy API Security Policy
As APIs evolve and their use by organizations becomes more widespread, so do attempts by threat actors to exploit vulnerabilities and gain access to sensitive data. A healthy API security policy is essential for organizations to keep their APIs safe and secure while allowing for the seamless transfer of data. Adopting the best practices above will help protect your organization’s APIs, alongside other measures such as conducting regular security tests, keeping API data as private as possible, and making use of cybersecurity experts.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.