Through Application Programming Interfaces (API), businesses are quickly expanding their ecosystem by enabling easy access to data and communication with third-party applications and services. The ability of an API to enable communication across various apps accelerates development timelines and enables reuse. However, because APIs are built to share important data, they are also an attractive target for bad actors. To safeguard organisational data, companies must constantly guard against API attacks.
“API attackers are ruthless and relentless.”
APIs play a significant role in the current web environment. They enable information interchange, task-switching, and communication between various software systems. APIs have drawn bad actors, and 2.1% of overall API traffic is malicious traffic. To safeguard private information and stop illegal access, APIs must be secure, just like every other computer component. Traditional security tools cannot detect the low-and-slow patterns of API attacks. To combat this threat, organizations need to adopt purpose-built technology and a dedicated API security strategy.
A good understanding of the common attacks against APIs will help to develop a robust security strategy that organisations should implement. The Open Web Application Security Project (OWASP) has highlighted ten common API attacks, which are:
- Broken Object Level Authorization
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources & Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Improper Assets Management
- Insufficient Logging and Monitoring.
What are some of the top recommendations for ensuring API security?
Choose Your Web Services
The Simple Object Access Protocol (SOAP), a communications protocol, and the Representational State Transfer API (REST API or RESTful API), a set of architectural principles for data transmission, are the two most popular ways to access online services via APIs. They employ various formats and semantics, necessitating multiple security measures. Use SOAP if security and standardisation are your primary considerations. While both choices support SSL/TLS, SOAP adds Web Services Security, built-in error management, and identity verification through intermediaries, rather than just point-to-point verification, as offered by SSL/TLS. While SOAP can only handle XML and HTTP, REST is compatible with various data output formats, including JSON, comma-separated values, and HTTP. REST is a simpler approach to web services because it only accesses data.
Store API keys
API keys identify and validate access for the application or website that uses an API request. Additionally, they can detect usage patterns and prevent or throttle calls made to an API. API keys must be managed carefully because they are less secure than authentication tokens. It is vital to keep API keys out of the application’s source tree and out of the code where they can mistakenly be exposed. Instead, keep them in files or environment-controlled variables that are not part of the application’s source tree. Use a key management service which safeguards and controls API keys for applications. Even with these safeguards, erase any unnecessary keys to reduce attack exposure, and periodically generate new keys, especially if you suspect a breach.
Authenticate and Authorize Using OAuth and tokens
OAuth (Open Authorization) is an open standard for authorization that allows users to share their private resources (such as photos, videos, and documents) with another site without revealing their login credentials. This is accomplished because the original resources are stored on a different site. An API must perform authentication before processing a request because it needs to confirm the sender’s (the user or programme) identity. An authentication token, a string of characters that acts as a user’s unique identification, multi-factor authentication, and/or password, is typically used by APIs to establish authentication. An API compares the token sent in the request with one kept in its database to authenticate a request using that token. A company can track those entrusted with its resources by using tokens. OAuth is built on HTTP, making REST APIs a natural fit. OAuth gives API administrators a method to grant authentication credentials on a fundamental level to approved third parties.
Use access control
Organizations that want to allow third parties to access internal data and systems through APIs must implement the zero-trust security model. These controls must address who, what, and when access is granted, as well as checks on data access, creation, update, and deletion. To provide baseline security, such as scanning for signature-based threats and injection-based attacks, APIs should be kept behind a firewall, web application firewall, or API gateway that may be accessed using a secure protocol, such as HTTPS. Geo-velocity checks offer context-based authentication by assessing access based on the distance travelled between the last login and the present login attempts. Along with applying rate limitations and geo-velocity checks, well-designed APIs can also serve as an enforcement point for regulations like geo-fencing and I/O content validation and sanitization.
Log and monitor API activities
All APIs must be listed in a registry to provide details such as their name, function, payload, usage, access, live date, retired date, and owner. This would prevent the development of shadow or silo APIs that may have been created due to mergers, acquisitions, test releases, or deprecated versions but were forgotten, never documented, or developed outside of a primary project. The “who, what, and when” of the information to be logged should be noted to satisfy compliance and audit standards and to facilitate forensic analysis in the case of a security incident. Links to the paper or manual, including all technical API requirements, such as functions, classes, return types, arguments, and integration procedures, should be included in the API registry.
Since the activity of bad actors targeting APIs can get past traditional defenses such as WAFs and API gateways, organizations should look at security platforms purpose-built to protect APIs. Companies need a way to baseline typical API behavior so they can identify the anomalies. Then they need to understand which of those anomalies are simple mistakes vs. malicious traffic. Humans can’t keep up with all this analysis, so organizations need to look for platforms that tap AI and ML to identify the activities of bad actors.
The intricacies of the API ecosystem make it challenging to safeguard APIs, and something more than conventional security solutions are required. Putting the above best practices into practice can help you strengthen your security posture and safeguard your organisation’s APIs. Building modern apps requires using APIs, and a compromised API can result in data breaches and other security concerns. Since critical software operations and data are frequently accessed through APIs, APIs are gradually evolving into the main targets of attacks. Establishing robust API security standards and actively managing them should be a top priority on an organisation’s list of security goals.
About the Author: Mosopefoluwa is a certified Cybersecurity Analyst and Technical writer. She has experience working as a Security Operations Center (SOC) Analyst with a history of creating relevant cybersecurity content for organizations and spreading security awareness. She volunteers as an Opportunities and Resources Writer with a Nigerian based NGO where she curated weekly opportunities for women. She is also a regular writer at Bora.
Her other interests are law, volunteering and women’s rights. In her free time, she enjoys spending time at the beach, watching movies or burying herself in a book.