API Security – There is a considerable demand for data-centric projects, that is why companies have quickly opened their data to their ecosystem through REST or SOAP APIs.
APIs work as doors for a company – closely guarding data of an organization. However, there are some challenges created: how do we hold the doors open to the world while simultaneously sealing them off from hackers?
Here are the simple tips for API security, let’s have a look!
Don’t communicate with strangers. To increase the complexity of hacking your device, always get to know who is calling your APIs, by using a simple access authentication (user/password) or an API key (asymmetric key).
Just be cryptic. For internal or external correspondence nothing should be in the open.
You and your partners can cipher all TLS (the successor to SSL) transfers, be it one-way encryption (also called standard one-way TLS) or even better, shared encryption (two-way TLS).
Using the new versions of TLS to block the use of weaker cipher suites.
Monitoring: Audit, Log, and Version
In case of an error, you need to be ready to troubleshoot: audit and log relevant information on the server. Also, keep that history as long as it is reasonable in terms of capacity for your servers in production. In case of any accidents, you can convert your logs into debugging tools. Follow-up dashboards are also highly recommended resources for monitoring your API use.
Do not forget to add the version to all APIs, ideally in the API direction, to give several APIs with different versions working concurrently, and to be able to delete and depreciate one version over another.
Call Security Experts
It is better to use ICAP (Internet Content Adaptation Protocol) servers or excellent Antivirus systems to protect the data of your company.
Share as Little as Possible
For API security, it’s okay to be paranoid and show very little information, particularly in error messages. Limit content and email subjects to predefined messages that are non-customizable. Since you can send locations to IP addresses, keep them for yourself. To limit access to your accounts, use IP Whitelist and IP Blacklist where possible. You can also check your ip address by simply searching what is my ip and you will get the details. Limit the number of administrators, divide access into diverse roles, and hide sensitive information in all your interfaces.
OAuth & OpenID Connect
Delegate all responsibilities. A good manager takes accountability, and a fantastic API does so too. The authorization and/or authentication of your APIs should be delegated.
OAuth is a magical mechanism which prevents you from having to remember 10,000 passwords. Instead of creating an account on a website, you can connect via credentials from another provider, such as Facebook or Google. This works the same way for APIs: the API provider depends on a third-party server to handle permissions. The user does not supply their credentials but then gives the third-party server a token. This protects the user because they don’t reveal their passwords, and the provider of the API doesn’t need to worry about protecting data about the authorization, because it only collects tokens.
OAuth is a delegation protocol widely used to forward authorizations. You can add an identity layer on top of it to protect your APIs even further and add authentication: this is the Open I d Connect standard which extends OAuth 2.0 with ID tokens.
System Protection with Throttling and Quotas
Keep a Control. To protect your backend network bandwidth according to the capability of your servers, you can restrict access to your device to a limited number of messages per second.
You can also limit access by the API and the user (or application) to make sure that no one, in particular, can misuse the program or any API.
Throttling thresholds and quotas – if well defined – are essential to avoid attacks from different sources from overwhelming the network with numerous requests (DDOS-Distributed Denial of Service Attack).
OWASP top 10
Avoid wasps. The top 10 of the OWASP (Open Web Application Security Project) is a list of the ten worst vulnerabilities, measured by their exploitability and effect. In addition to the above, make sure that you have checked all of the bugs in OWASP to check the program.
Be picky and refuse surprise presents, especially when they’re massive. You should verify that your server is accepting anything. Be vigilant to reject any content that is added, data that is too high, and also test the information that customers give you. Use XML or JSON schema validation to verify whether your restrictions are what they should be (integer, string …) to avoid all kinds of XML blast and SOL injection.
Stay up-to-date. To be stable and still benefit from the latest security updates, a good API should rely on a good security network, infrastructure and up-to-date applications (servers, load balancers).
Create a wall: Building of a wall will solve all the immigration issues for some citizens. That is the case, at least for APIs! The protection of your API should be divided into two levels:
- DMZ is the first level, with an API firewall to perform simple protection measures, including checking message size, SQL injections, and any HTTP layer-based protection that blocks intruders early. The message is then forwarded to the second sheet.
- The second level is LAN, with advanced data information protection mechanisms.
Set a Budget for Security Testing
Security monitoring takes time and resources, and the investment needs to be made by the businesses. Although new functionality drives growth, security testing should be allocated about 5 percent to 10 percent of the budget. Use of APIs is growing and encouraging companies to create more diverse applications. Nonetheless, as they exploit these resources, companies need to be mindful of and close the possible security holes.
About the author: Waqas Baig
Waqas Baig is a Tech Writer having experience of 8 years in journalism, reporting and editing. In his spare time, he reads and writes about tech products including gadgets, smart watches, home security products and others. If you have story ideas, feel free to share here firstname.lastname@example.org
(SecurityAffairs – APT, hacking)