ALL YOU’LL NEED TO KNOW ON API SECURITY: 5 Industry Best Practice Solutions
APIs are an important part of digital business delivery because they connect mobile apps, and the Internet of Things, and provide the fabric that connects internal business operations. Given the pervasiveness and importance of APIs, it makes sense to guarantee that they are secure — after all, we wouldn’t want hackers to use an API to gain access to data stored in your mobile app, devices in your home, or processes that may cripple your organization if they were hacked.
How the Restful API’s work
A REST API works essentially the same way that any website does. A call is made from a client to a server, and data is received back over the HTTP protocol. Facebook’s Graph API is an easy way to show the similarities between a REST API call and the loading of a webpage. Say someone wanted to pull up the Facebook page for YouTube, for example. That person would enter in the URL as normal, www.facebook.com/youtube
Why Secure an API?
This has to be a no-brainer, right?
We need to secure endpoints because, well, that’s what the business depends on.
While that’s a strong enough argument in itself, I want to broaden the viewpoint a little and highlight other related, but equally deadly, consequences.
If attackers find sensitive data at your cost these are the following implications your business may face the following:
- Compliance issues – Not securing your APIs properly can land you in serious trouble, depending on which geographies or industries you’re dealing with. Clients’ personal information may be exposed depending on the industry you are serving hence this may lead to further implications.
- Business Loss – If someone succeeds in messing with your API endpoints, it will bring everything to a screeching halt. Security breaches can also take a lot of time to recover from, which translates to suicide in business terms. While it’s true that most businesses probably won’t be affected by an hour or two of downtime, for some, it’s not permissible.
- Competitor’s gains – So let’s say there was a breach, but there was no actual loss. However, your competitors will use the incident to drum up their own API and assert how much more secure theirs is (even if it’s not!).
Types of Attacks common against web APIs
occurs when an attacker is able to insert malicious code or commands into a program, usually where ordinary user input (such as a username or password) is expected. SQL injection is a specific type of injection attack, enabling an attacker to gain control of an SQL database.
Distributed denial-of-service (DDoS)
attacks make a network, system, or website unavailable to intended users, typically by flooding it with more traffic than it can handle. API endpoints are among the growing list of DDoS targets.
attacks occur when an attacker intercepts traffic between two communicating systems and impersonates each other, acting as an invisible proxy between the two. With APIs, MitM attacks can occur between the client (app) and the API, or between the API and its endpoint.v
Here are API services that have been Hacked
Snapchat – The Snapchat API hack made headlines in 2014. Their API allows you to look up and see if another user has an account on Snapchat, enabling users to locate phone contacts, add them to their friend’s list and communicate with them from within the application. With inadequate security in place, it was possible to write a script that checked every possible phone number to determine if it existed on Snapchat. Thus, it was possible to retrieve phone numbers and other personal information about Snapchat users. This exposed weren’t, for example, API throttling & quotas in place.
The International Revenue Service – the IRS has an API called the Get Transcripts API, allowing the procurement of tax transcripts. Again, the API was not protected against certain unwanted user behaviours and as a result, information was obtainable through this API. This IRS data leak impacted upwards of 100,000 citizens. When you produce an API, it’s important to ensure that there are API policies in place to guarantee that the API is being used in the way you want it to be used, so it doesn’t end up being the subject of a similar breach.
Tips to protect your Endpoints
1. Implement proper authorization and authentication –
Typically, APIs authenticate with a password, multi-factor authentication, and/or an authentication token, which is a string of characters that serves as a unique identifier for a user. To authenticate a request with a token, an API matches the token sent in the request with one stored in its database. Tokens help an organization keep track of those trusted with its resources.
After verifying the identity of the user sending the request, an API needs a way to grant access to only the authorized resources and methods. For example, a user might be approved to access the API, but if they’re not allowed to add information to the application’s database via the POST method, any request to do so should be rejected. Authorization information can also be contained within a request as a token.
2. Encrypt all requests and responses.
To prevent MITM attacks, any data transfer from the user to the API server or vice versa must be properly encrypted. This way, any intercepted requests or responses are useless to the intruder without the right decryption method.
Since REST APIs use HTTP, encryption can be achieved by using the Transport Layer Security (TLS) protocol or its previous iteration, the Secure Sockets Layer (SSL) protocol. These protocols supply the S in “HTTPS” (“S” meaning “secure”) and are the standard for encrypting web pages and REST API communications. Some CMS platforms will provide a free SSL that will encrypt your pages from day one. But if your platform does not offer an SSL like WordPress, you need to add one using an API or plugin.
TLS/SSL only encrypts data when that data is being transferred. It doesn’t encrypt data sitting behind your API, which is why sensitive data should also be encrypted in the database layer as well.
3. Remove information that’s not meant to be shared
Because APIs are essentially a developer’s tool, they often contain keys, passwords, and other information that should be removed before they’re made publicly available. But sometimes this step is overlooked. Organizations should incorporate scanning tools into their DevSecOps processes to limit accidental exposure of secret information.
4. Validate inputs & rate limit
Never pass input from an API through to the endpoint without validating it first. setting a threshold above which subsequent requests will be rejected (for example, 10,000 requests per day per account) can prevent denial-of-service attacks.
5. Web Application Firewalls
Along with an SSL, consider integrating a web application firewall (WAF) that will monitor web traffic to identify and prevent DDoS attacks and code injections. Web application firewalls protect from attacks including SQL injection, cross-site-scripting (XSS) and cookie poisoning and are an essential component of your defensive strategy.
REST APIs have lowered the friction that developers used to face when building applications that used remote services. As a de facto approach to sharing and consuming services, they’ve opened up a world of opportunities for startups to build powerful new online services with a minimal upfront cost. But whenever you reduce friction, you introduce security dangers. Use APIs to their fullest extent–just be sure you tick all the security boxes along the way