10 essential best practices for your API security
Last updated: July 03, 2020
As the world around us becomes more and more connected via The Internet connections, millions of people are affected by insecure APIs that continue to be an integral part of Web and it doesn’t appear to be slowing down anytime soon, especially with the rise of IoT. Here we look at the top 10 practices for API security
What is an API?
Application programming interface (API) is an intermediate software that is available through the web and allows your applications and websites to communicate with one another. It’s more like an agent that when you call it, it finishes its job and returns the results, but it demands a secret word to identify friends from strangers. In the term of API programming, this secret word is known as API Token, a sequence of encrypted characters that is known only for the serving API and its client. In addition, to ensure that the API key is not sniffed middle the way, APIs need a secure method to receive requests from clients and share the extracted data with them. That’s where API security comes into the equation.
SOAP vs. REST APIs
SOAP and REST are two popular methods that developers use to implement APIs.
SOAP (Simple Object Access Protocol):
SOAP is an XML based protocol for transferring data between computers. It uses XML Encryption, XML Signature, and SAML tokens to make transactions secure. SOAP is considered as one of the most secure API protocols, but this comes at a cost.
Exchanging data using SOAP requires more overhead compared to working with other API implementations, such as REST. So,it’s best suited for organizations requiring comprehensive security measures.
REST (Representational State Transfer):
REST is stateless, meaning that neither the client nor the server needs to retain any data to satisfy the requests. This adds to the security level of this API implementation method too. Because it uses a text-based (JSON) method to send and receive data, unlike SOAP, REST doesn’t impose an overload to the server for repackaging of data.
Why is API Security Important?
Today, millions of users connected to the Internet make use of APIs to get services and products they want even without being aware of that, and businesses heavily rely on APIs to reach their customers or transfer data through the Internet.
Hacked, exposed and breached APIs can result in a dramatic loss of credibility for online business and worth, will expose your sensitive medical, financial, and personal data for public consumption.
Every time you hear that a company is hacked you could find the trace of an API having security voluntaries. The reason is that, according to a survey, most API developers (more than 65%) don’t invest enough time and money to make their APIs as secure as possible. With such a great number of insecure APIs around the world, there have been never a better time to focus on API security threats.
What are the main API security threats?
APIs are meant to be secure by nature, but they are exposed to threats more than any other online tools. As Traditional vulnerabilities like SQLi, CSRF, and XSS are becoming less common in APIs, at the same time, the vulnerabilities specific to APIs are increasing, which the developers might be unaware of.
That compelled the Open Source Web Application Security Project (OWASP) to publish a list of the Top 10 API Security Threads (PDF) which is aimed at helping organizations better navigate how to protect their data, applications, employees, and customers. At top of the list comes Broken object-level authorization followed by Broken authentication and Excessive data exposure.
The OWASP API Security Top 10
1. Broken object-level authorization
2. Broken authentication
3. Excessive data exposure
4. Lack of resources and rate-limiting
5. Broken function-level authorization
6. Mass assignment
7. Security misconfiguration
9. Improper assets management
10. Insufficient logging and monitoring
What are the Best API Security Practices?
1. Treat Your API Gateway As a Hacker
Not all APIs are made equal, and not all vulnerabilities will be preventable. As a rule of thumb, always assume that everyone wants your data and treat your API from the eyes of a hacker. If you prepare for the worst-case scenario, anything else that might go wrong will be handled with ease.
2. Always use HTTPS and Encryption
Are you still using HTTP? Then you should prepare for bad days. Always force encryption before you transfer data and when the data is in rest. SSL is extensively used to encrypt HTTP messages across the Internet. However, it provides the protection for data sent and received on the transport layer, Other layers require solutions that are signature base. For example, you can use one way or a better two-way TSL encryption to cipher all exchanges between your API and your partners. Be an internal or external communication, you should never nothing should be in the clear for unauthorized people.
3. Focus on Authorization and Authentication
Authentication is used to reliably determine the identity of an end-user, whereas, Authorization is used to determine what resources the identified user has access to. On the web, the basic authentication is implemented by a form asking users to enter username and password. Once the user authenticated, you have access to the requested resources. For APIs, it’s common to use some kind of access token. The best practice is to drop the basic authorization for more secure methods or at least reinforce the process with some added security such as using two-stage authentications, hardware keys, location /activity data managed by AI.
4. Use third-Party Authentication
The best practice is to delegate all your responsibilities of your APIs Authorization and authentication to a third-party API. For example, APIs can rely on services such as OAuth to manage authorizations using a third-party server. Because a consumer doesn’t give their credentials but instead gives a token provided by the third-party server, it protects the consumer from disclosing their credential, and API only to authorize the token obtained from the service provider.
5. Share as Little as Possible
As a rule, avoid exposing sensitive info as much as possible especially in the error messages. To avoid data leakage, you can customize your APIs to show predefined messages. To protect your customers don’t store user and password in JSONS Web Tokens (JWTS) or cookies. Despite the illusion of being secure, they can be decoded easily.
6. Monitor, Log and Audit Errors on the Server
To prepare for the rainy days, you should log and audit relevant information on the server and keep the log history as long as possible. This helps you get out of the situation in the case of error and identify the Vulnerabilities of your API.
7. Limit Requests and put limits on Resources
If you want to prevent strangers from consuming your resources, you should first put restrictions on yourself. Limit the number of messages per second according to your server capacity. To prevent abuse, you should also restrict access by API and by the user. Throttling limits and quota are crucial to stop attacks flooding your system with multiple requests(DDOS attack)
8. Protect behind an API Firewalling
If you want to protect yourself from intruders you should build the wall. That applied to APIs too. You should establish at least two layers firewall to prevent any HTTP based attack (such as SQL injection) as well as an advanced attack mechanism.
9. Validate and sanitize input
You should check every input you get from the user. While it helps prevent mistakes and improve the user experience, but your API needs to also validate and sanitize all input before acting on it. Sanitization is just like viruses on our hand by alcohol, your API should reject any data that sounds unsafe, such as HTML or SQL.
10. Implement an API Management Solution (Gateway)
As the programmers say: “Reinventing the wheel is not the best option”. Why you invest time and money to implement all the above mechanisms while you could get it with less effort and at a lower cost. Go for a professional API Management system(gateway) and it will your money, time, and resources even when you are away. When it comes to Web Application Security there is no silver bullet, but you can protect your APIs from malicious activities as much as possible by understanding and implementing our essential practices for API security.
Also read these suggested articles
Last updated: Feb 22, 2020
Top 5 Payment Systems for your Websites and Apps
Last updated: Feb 07, 2020