API Security Best Practices
If you haven’t been paying attention to API security best practices, it’s time to start. According to a report by Salt Security, from December 2020 through December 2021, API attacks increased by 681%. Moreover, 95% of survey respondents suffered at least one security incident during that timeframe, with 40% facing more than 100 attacks monthly.
Despite the volume of attacks, more than one-quarter (27%) of organizations have no API security strategy, while another 54% pointed to having only a basic strategy. In addition, the vast majority of respondents (82%) lacked confidence in their knowledge about APIs.
APIs Are Risky Business
APIs help developers build client-side applications. They’re central to microservices architectures. However, APIs are typically available through public networks, making them readily accessible. Moreover, most come with a great deal of documentation, making them easy to reverse engineer.
APIs sit between third-party developers and your company’s resources. So by design, APIs provide outsiders access to your data. In addition, endpoints sit behind those APIs to respond to the API requests.
Those access points create potential threats from malicious actors, especially Denial-of-Service (DoS) attacks. Unfortunately, APIs typically offer weak access control, if any. And that substantially increases your attack surface. Indeed, Gartner estimates that API threats will become the most frequently used attack in 2022.
Regardless of your company size, a successful API breach compromises your data and entire IT infrastructure. If a cybercriminal breaks into your network, they have the means to move laterally through it to target your most sensitive data.
Common API Attacks
According to Salt Security’s report, the most common problems with APIs include API vulnerabilities (54%), authentication issues (46%), and data scraping tools (20%). The chart below summarizes the concerns in more detail.
Cybercriminals use various means to target these weaknesses.
Stolen authentication results in numerous successful cyberattacks, and it’s no different with APIs. By hijacking an authorized user’s identity, cybercriminals can access your data under the guise of legitimacy.
Hackers insert malicious code or commands into an API. For example, SQL injection involves injecting code into a SQL database to gain control.
Cross-site Scripting (XSS)
A type of injection attack, XSS involves a hacker taking advantage of an API vulnerability by inserting a malicious script into the code.
Man-in-the-Middle Attack (MitM)
Here, an attacker intercepts traffic between an end-user and an API by acting as an invisible proxy. MitM attacks happen between the client and the API or between the API and endpoint.
DoS attacks flood a server’s resources with more traffic than they can handle. As a result, it becomes inaccessible. So, API endpoints present a growing attack surface for DoS threats.
As you can see, cybercriminals have no shortage of options when targeting APIs. And that makes it essential that you deploy API security best practices.
REST APIs Versus SOAP APIs
REST APIs account for more than 80% of APIs. Another common type is SOAP. Here’s a brief overview of each.
REST stands for representational state transfer. So a REST API uses multiple standards like HTTP, JSON, URL, and XML requests to access and use data. In addition, it’s an architectural style used most often in web services development. Finally, REST technology allows for efficient internet usage because it uses less bandwidth.
On the other hand, SOAP permits processes using different operating systems like Linux and Windows to communicate via HTTP and XML. That combination creates a payload resulting in larger-sized files versus REST APIs. In addition, SOAP APIs create, recover, update, and delete records like accounts, passwords, leads, and custom objects.
10 Best Practices for Securing APIs
Let’s start with best practice number one – make sure your organization prioritizes security. As you read earlier, too many organizations fail to address API security adequately, if at all. Your organization needs to create an environment dedicated to security in your IT operation. And that concept applies not only to API security but to your entire cybersecurity approach.
With that caveat in mind, let’s look at some things you can do to mitigate your risks with APIs.
1. Inventory Your APIs and Stay Current
Start by conducting perimeter scans to identify and inventory your APIs. After all, you can’t manage what you don’t know.
Equally important, stay current with the latest cybercriminal tricks used to penetrate your systems. The OWASP API top 10 security list offers insights into how to mitigate the newest API vulnerabilities.
2. Authentication and Authorization
As mentioned, APIs provide an entry point to your organization’s data. So make sure you enlist proper authentication and authorization processes.
Typically, APIs authenticate with a password, MFA, or authentication token. The API matches the one requested with the one stored in its database with tokens. As a result, tokens provide a reliable means of helping your organization track your resources.
The OAuth protocol is widely used and an accepted standard for API user authentication. It describes how a third-party application can access data from an application. However, it doesn’t directly handle authentication, serving as a framework for authorization.
OAuth3 allows you to connect via another provider’s credentials for single sign-on (SSO). It’s based on HTTP, making it a solid fit for REST APIs. Admins can use OAuth to create custom access rules that determine permitted APIs.
After identifying the user sending the request, an API grants access only to the authorized resources. For example, a user might be granted access to the API but only be allowed to manage specific areas. In addition, REST APIs must authenticate each server request, including multiple requests from the same user.
Consequently, authorization requires the management of each user role. It’s best to adhere to least privilege access, where users access only what’s necessary about their role and nothing more.
3. Encrypt Traffic
If your APIs routinely handle sensitive data like credit cards, social security numbers, banking information, health information, and the like, encryption is a must. In addition, any data transfer from the user to the API requires proper encryption and vice versa.
As a result, you should consider Transport Layer Security (TLS) essential. You likely know TLS from its previous permutation, Secure Socket Layers (SSL). TLS serves as a standard for encrypting information REST API communications. It encrypts data being transferred and not the data sitting behind your API. So make sure you encrypt the database layer as well.
Most cloud service providers or hosting services manage TLS on your behalf.
4. Only Communicate What’s Necessary
Often, APIs reveal too much information. For example, they may include excessive data or reveal too much about their endpoint. So make sure your APIs only return the required information. Moreover, enforce your data access controls at the API level.
APIs also contain keys, passwords, and other information, primarily because they’re a developer’s tool. Unfortunately, that leaves the door open for hackers to access your data or change the API’s core without your knowledge.
You should remove that often overlooked information before making them publicly available. For instance, consider using scanning tools in your processes to limit accidental exposure of critical content.
5. Rate Limiting
The more popular the API, the more likely it’s susceptible to attacks. So, control the number of requests to an API server by establishing thresholds. For example, only permit 10,000 requests per day per account. Rate limiting helps prevent DDoS attacks that use brute force.
In addition, you can make requests through quotas and throttling. The example above uses a quota to establish a threshold. Conversely, throttling slows a user’s connection but still allows the use of the API. For instance, high call volumes could signal an exploit relating to a DoS attack.
6. Apply an API Gateway
API gateways manage and control API traffic, so deploy a solid gateway to reduce security risks. A reliable API gateway lets you validate traffic and control the APIs’ use.
7. Service Mesh
A service mesh affords another layer of management and control for APIs. It optimizes how requests move from one service to the next, including proper authentication, access control, and other security measures like an API gateway.
API management is moving to the service communication level, making IT solutions available at the service mesh level. That’s especially critical for scaling the use of microservices. A service mesh allows you to automate the API management process as API use increases.
8. Use API Firewalls
Set up a two-layer approach. First, set up a DMZ that works in conjunction with the API firewall to carry out fundamental security measures – checking message size, identifying SQL injection, etc.
Next, include a LAN firewall as the second layer. It protects the content of information.
9. Log API Activity
Sometimes, despite deploying API security best practices, bad things happen – a breach. So log all API activity. It allows you to do some detective work to uncover how the intruder accessed the API and what they did. You can also use the input to harden your API.
10. Test Your APIs
Instead of waiting for an attack, find out how secure your APIs are by conducting tests. And conduct those tests routinely. You’ll want to uncover:
- Are endpoints only available to authenticated users?
- Are those endpoints and access limited to a user’s assigned roles?
- Does the API return the correct response and only what’s required?
- Are invalid requests rejects?
- Does the API handle spikes in activity?
- Is the API open to injection?
By deploying these best practices for API security (none of these IT solutions should be foreign to you), you can substantially reduce the risk of a breach. Moreover, you must take these recommendations to heart. APIs have become a preferred method for creating applications. That’s especially true for mobile and Internet of Things devices.
Our IT Solutions Always Use Best Practices
As a local IT company serving Harrisburg, Lancaster, York, Carlisle, and surrounding areas, we focus our IT services offering on small and medium-sized businesses. We understand the budget and staffing challenges you face. Give us a call to set up a consultation. Or sign up for a FREE risk assessment. We’ll expose some of your core issues that could open the door to a successful cyber attack. Get one