How to Secure An API - What Is Important To Know?

APIs or the Application Programming Interfaces benefit app developers by simplifying the coding process and providing them with access to data and resources that they would not otherwise have. APIs also benefit providers, who can generate new revenue streams by providing valuable data and services to each software development company for a fee. However, these APIs may be subject to the threat of malicious attackers.  In consequence, sensitive data of a network may be compromised. What are these attacks and how can a developer secure an API? We will discuss all of that in this article.

Photo by Douglas Lopes on Unsplash

What is API?

Web APIs (Application Programming Interfaces) enable app developers to call data from external sources into the applications they create.

For example, in a travel app, web API calls to retrieve availability and pricing data from the various hotel, airlines, cruise lines, tours, car rentals, and other companies.

APIs benefit app developers by simplifying the coding process and providing them with access to data and resources that they would not otherwise have. API also benefits providers who can generate new revenue streams by providing valuable data and services to developers for a fee. Finally, it benefits consumers who value innovative, interactive, and multifunctional apps that offer a variety of services.

What is API Security?

Web API Security is concerned with data transfer via APIs connected to the internet. The open standard for access delegation is OAuth (Open Authorization). It allows users to grant third-party access to web resources without sharing passwords. OAuth is the technology standard that allows you to share videos on social media with a single “share” button.

Potential Risks of API

The disadvantage of publicly available web APIs is that they may pose a significant risk to API providers. APIs are intended to provide outsiders with access to your data: behind every API is an endpoint—the server and its supporting bases, that respond to API requests.

In terms of potential vulnerability, an API endpoint is similar to any Internet-facing web server; the more free and open access the public has to a resource, the greater the potential threat from malicious actors.

API abuses have progressed from infrequent to the most common attack vector resulting in data breaches for enterprise web applications. In the worst-case scenario, not only is the company’s data at risk but so is its infrastructure.

 One type of attack enables attackers to gain access to the network by exploiting a vulnerable API. If they are unsuccessful in escalating privileges, they will be able to pivot to other forms of attacks and gain a foothold in the network.

When the right multi-level attack strikes, this could result in the compromise of an organization’s most sensitive data, whether it is personally identifiable information (PII) or intellectual property (IP).

Common Attacks against API

APIs are vulnerable to the many types of attacks that defenders and software engineers have faced in their networks and web-based apps for years. None of the following attacks are novel, but they can easily strike against APIs.

These are examples of common attacks:

1.    Injection

This happens when an attacker inserts a malicious code or command into a program where a user ordinarily inputs a username or password. SQL injection is one of the types of injection attacks that allows an attacker to take control of an SQL database.

2.    Cross-site Scripting (XSS)

This is a type of injection attack where an attacker exploits a vulnerability to insert a malicious script which is frequently JavaScript, into the code of a web app or webpage.

3.    Distributed Denial-of-Service (DDoS) Attacks

This kind of attack renders a system, network, or website unavailable to intended users. This attack works by flooding the network with more traffic than it can handle. API endpoints are now common targets of DDoS attacks.

4.    Man-in-the-Middle (MitM) Attacks

These attacks occur when an attacker intercepts communication between two systems and impersonates each other, acting as an invisible proxy between the two. MitM attacks on API can happen between the client (app) and the API, or between the API and its endpoint.

5.    Credential Stuffing

This attack involves the use of stolen credentials on the API authentication endpoint to gain unauthorized access.

How do you Secure API?

1.    Prioritize your API Security

It should not be an afterthought or considered “someone else’s problem.” Organizations stand to lose a lot if their API is not secure. Make security a priority and build it into your APIs as they are developed.

2. Keep track of and manage your APIs

Whether a company has a dozen or hundreds of publicly accessible APIs, it must be aware of the existence of these APIs. In that way, it can secure and manage them. Companies must perform perimeter scans to discover and inventory their APIs before collaborating with DevOps teams to manage them.

3.    Make use of a solid authentication and authorization solution.

Many publicly available APIs suffer from poor or non-existent authentication and authorization. Broken authentication occurs when APIs do not enforce authentication as is frequently the case with private APIs designed for internal use only. This also happens when an authentication factor is something the client knows, has, or is easily broken into.

Because APIs provide access to an organization's databases, it is critical that access to them is strictly controlled. Use solutions based on solid, proven authentication and authorization mechanisms such as OAuth2.0 and OpenID Connect whenever possible.

4. Encrypt traffic using TLS

Some organizations may choose not to encrypt API payload data that is considered non-sensitive, but TLS encryption should be considered essential for organizations whose APIs routinely exchange sensitive data such as login credentials, credit card, social security, banking, and health information.

5. Don’t expose any more information than is necessary.

Some APIs reveal far too much information, whether it’s the amount of extraneous data returned by the API or information revealing far too much about API endpoint. This usually happens when an API delegates the task of filtering data to the user interface rather than the endpoint. Ensure that APIs only return the information required to perform their function. In addition, make data access mandatory.

CONCLUSION

APIs are widely regarded as the preferred method for developing modern applications, particularly for mobile and Internet of Things (IoT) devices. While the concept of bringing information into a program from an external source is not new, constantly evolving application development methods and the pressure to innovate mean that some organizations may not yet understand the potential risks associated with making their APIs publicly available.

The good news is that obtaining them is not a difficult task. Most organizations already have measures in place to combat well-known API-targeting attacks such as injection, cross-site scripting, distributed denial-of-service, and others.

Many of the best practices mentioned above are also likely to be well-known to seasoned security professionals. If you are unsure where to start, start at the top and work your way down. Whatever numbers of APIs your organization chooses to make public, the ultimate goal should be to establish strong API security policies and manage them proactively over time.