With today’s Web, massive data loads are accessed through APIs. In fact, according to programmableweb.com, there are now more than 10,000 publicly available APIs. Given the foundational role that APIs now play in today’s infrastructure, keeping APIs secure is absolutely critical. In this article, we explain five best practices that organizations can follow to help ensure API security.
Authentication and Authorization for API Security
Authentication and authorization are the first line of defense for APIs. Authentication refers validating a user’s identity while authorization occurs, after the identity is authenticated by the system. Authorization entails defining access and access levels for data, files, information, and so on.
What authentication and authorization mean specifically in the context of API security is that your API should have a means of identifying the user or application, and then determine if the user has the appropriate level of access to call the endpoint. API keys appended to every request should be used to identify and authorize users.
API data should be protected from snooping (and other unauthorized access) via encryption. Depending on the specific API protocol you’re working with and how it is implemented, you can use one of the following methods for API encryption:
- HTTPs: Should be implemented to protect the request in transit, so that the messages are secured and encoded with TLS.
- JSON WEB TOKEN: For JSON response data, JSON Web Token (JWT) is an open standard that defines ways to securely transmit information as a JSON object between parties. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
- PASSWORD HASH: This is necessary to protect the system (or minimize the damage), even with a compromise due to a hacking attempt. Hashing algorithms include MD5, SHA, PBKDF2, and so on.
- Application Layer Security
Attacks against API endpoints are one common means of compromising applications via APIs. The defense against this type of attack is implementing security at the application level, using techniques such as the following:
- Cross-site scripting – Malicious scripts are injected into one of the request parameters.
- Code injection – Inject valid code to services, such as SQL (SQL injection) or XQuery, to open the interface to user control
- Business logic –Allows the attacker to circumvent the business rules
- Parameter pollution attacks – Exploit the data sent in the API request by modifying the parameters of the API request
- Input Validation — Apply strict user input validation, including:
- Restricting, where possible, parameter values to a whitelist of expected values
- Facilitating a whitelist (have strong typing of input value)
- Validating posted structures data against a formal schema language to restrict the content and structure.
This is not an exhaustive list; any defenses you can implement within the application to restrict unauthorized access to API endpoints will help to improve your overall API security.
Whitelisting is a powerful approach for restricting access to resources by default, and opening access only to specific trusted users.
In the context of API whitelisting, enterprise internal APIs should implement API traffic at the IP address level, and there should be a known list of devices, servers, networks, and client IP addresses that are accepted. Depending on the scope of the network, this list will vary in size.
Last but not least, API should always be logged. Logs can help you to resolve API security issues, as well as monitor activity and discover any patterns or excessive usage that could signal an intrusion or intrusion attempt.
When configuring API logs, it’s a good practice to return simple error objects with the conventional HTTP status code, and to keep required error messages to a minimum. This will improve error handling and protect API implementation details from an attacker.
Conclusion and Further Reading
The API security practices described above will do much to help keep your APIs and the resources that they control secure. However, this is by no means a complete guide to API security, as a general-purpose API security resource, the OWASP API Security Project is second to none.