API SECURITY BEST PRACTICES 2023

Introduction

APIs are critical to business success. The focus must be to ensure their reliability and security. A majority of respondents to a 2021 Salt Security survey said they had delayed the launch of an app due to API security concerns.

Top 10 Security Risks of APIs

1. Insufficient logging & monitoring

When an attacker attempts to get into a system, they generate irregular traffic. They use a method of brute-forcing your authentication against your inputs.

2. Improper Assets Management

APIs tend to have more endpoints than traditional Web applications. Proper and up-to-date documentation is crucial. To avoid outdated API versions and exposed hosts you should manage hosts and given API versions. You should try to reduce debugger endpoints.

3. Injection

Injection vulnerabilities such as SQL or command injections occur when untrusted data is sent directly to an interpreter as part of a query or statement. As a result, attackers can trick the interpreter into executing unintended statements or accessing data without the appropriate permission.

4. Security Misconfiguration

Poor security configurations are often due to insecure default configurations.

Incomplete ad hoc configurations
Open cloud storage
Misconfigured HTTP headers
Unnecessarily enabled HTTP methods
Sharing resources from different sources
Output of detailed error messages containing security-relevant information

5. Mass Assignment

Mass assignment happens when binding the client to data models without proper filtering of properties leads to mass mapping. The attackers can change object properties by guessing them.

6. Broken Function Level Authorization

Broken function level authorization can happen when there are complex access control policies with different hierarchies, groups, and roles. An unclear separation between administrator and user functions leads to weaknesses in the authorization. Attackers can gain access to other users’ resources or administration functions.

7. Broken User Authentication

Authentication mechanisms often allow attackers to compromise authentication tokens or exploit implementation errors to temporarily or permanently impersonate other users.

8. Excessive Data Exposure

Concerning the generic use of APIs, developers tend to disclose all object attributes. Developers can expose object attributes if they don’t take confidentiality into account. Excessive data exposure can be caused by relying on the client side to filter the data before it shows to the user.

9. Lack of resource & Rate Limiting

The client or user can be requested. Not only can lack of resource and rate limiting affect API server performance and lead to denial of service attacks, but it also leaves the possibility for authentication weaknesses.

10. Broken Object level Authorization

APIs tend to expose endpoints that process object identifiers, creating a large attack surface in access control. Object-level authorization checks should include functionality that accesses a data source through input from the user.

How to Secure SOAP APIs

SOAP is a protocol specification that communicates with web pages. It is a W3C industry standard, XML format. SOAP implements a stateful message passing. SOAP integrates with WS-Security protocols. SOAP can guarantee the integrity and confidentiality of processed transactions with more encryption. By using XML, SOAP is the most verbose API style.

How to Secure Rest APIs

REST is a style of API architecture. REST is a simple interface for transferring information. When sending data, there is no conversion stage. The information sent in the original form has a beneficial effect on the client load. Data is in JSON or XML formats.

RESTful architectural requirements:

Not to contain state (stateless)
Caching.
Common Interface: This allows a consistent, application-independent interaction with the webserver.

In REST, all communication uses HTTP methods: GET, POST, PUT, PATCH, and DELETE. REST is used as a management API for CRUD (Create, Read, Update, and Delete). Install interaction with resources in lightweight scalable services. A resource is usually a data model object.

The Creation of secure RESTful APIs also imposes certain standard requirements:

Using the HTTPS protocol: crypto operation ensures the integrity of the transmitted data.
Rate-limits: It is necessary to check the load on the API. Dropping requests in case of overload
Authentication: User / application / device identification.
Audit log: Recording actions by creating an entry in the log file.
Control of access rights: Determination of access rights for working with resources.
Access to the business logic of the application.

It is by design that the REST API doesn’t keep any records. There is a restriction to access through local endpoints. When working with the REST architecture. It is customary to distinguish two levels of security:

The first level – getting access to API
The second level – getting access to the application

How to Secure APIs

To ensure API security, organizations should pay close attention to the following areas.

Access control
API protection
Threat protection

The API Gateway Pattern

The best security practice is to offload security responsibilities to an API gateway. The API gateway resides between the API backend and consumers. It will intercept all the requests by consumers and manage the security aspects.

API developers can focus on the business logic API functions. The API gateway manages security and access control.

API Access Control

API access control refers to the process of determining who has access to which APIs. What functionality of those APIs are being used by other applications.

Authentication is about identifying the entity requesting access to the API. Identification is either validation of whether the user knows a password.

Basic Authentication

This method uses an HTTP authentication process. User credentials are encoded using the base64 algorithm. The HTTP header attaches when sending a request.

Basic authentication is not enough to protect APIs against all complex security attacks. At least two people have to share the username and password. A third party can access a secured service by accessing the credentials. OAuth addresses these vulnerabilities.

OAuth Token

OAuth uses an access token. The credentials are not shared in a direct way. This token has a lifetime. This means even that token is not perpetual. This reduces the threat of theft. The token uses scopes. Access resources based on roles assigned to the user. Hence, OAuth for securing APIs is much safer than a password.

OIDC-based Authentication

OIDC – OpenID Connect. This authentication is to verify the identity of the end-user. It is based on the authentication performed by an authorization server. It obtains profile details about the user using the REST-like mechanism.

API Key-based Authentication

The API key is a string value passed by a client app to the APIM gateway. The client’s key saves information in the application database. The server will verify the client’s identity. When a user registers, the program generates a key.

This strategy defends against unwanted access. To restrict the number of API requests. The API key has several ways, including as a query parameter, in the query header, and as a cookie value.

Cookie-Based Authentication

A method of checking the content of cookies keeps all the information about the session. The user initiates a login request. It sends a response after a user has logged in. In the header of this response, there is a Set-Cookies field. This field contains information about:

the name of the cookie field
the value of the cookie field
how long does the cookie last

The next time the user needs to access the API. He will pass the value of the saved Cookie-field JSESSIONID with the key “Cookie” in the request header.

Token-Based Authentication

This token is then sent to the server inside the Authorization query header. After receiving the token, the server validates it. The server itself generates tokens for new users. The key, as opposed to tokens, can only allow access to API calls without the ability to get the user’s data.

JSON Web Tokens (JWT)

An authentication mechanism based on the use of a special type of token. It is a JSON data structure. A token of this type has a header containing general information. A body contains a payload (user-id, group, data), and a cryptographic signature.

This approach is the optimal way to restrict REST API access. It is one of the most secure mechanisms for sending data between two parties.

JWT is the primary access control technique for the created application. The service does not rely on third-party resources. Tokens are simple to use, have a convenient data description format.

The use of the HTTPS protocol in combination with a cryptographic signature provides a high level of security.

When securing a web service, input control deserves special attention. You must ensure that any data on which the application will operate meets the API standard.

The developer community has formed some recommendations when validating the input data:

To conduct data validation both on the client-side and on the server-side
To put in place server allow lists, you should use the built-in functions
It is always necessary to check the content type, size, and length of the query
Use parameterized queries instead of manual queries to the database on the backend
To make advantage of server allow lists
To keep logs of errors and monitor for attempts to fuzz data inputs

Authorization

The purpose of the authorization is to determine access levels.

XACML-based Access Control

XACML is an XML-based, declarative access control policy language based on XML. It can provide a standardized way of validating authorization requests. It defines access control policies.

Open Policy Agent OPA

OPA is an open-source, general-purpose policy engine. OPA will specify policy-as-code and simple APIs to offload policy decision-making. The policy decisions are generated by evaluating the query input and against data. These policy decisions will determine which users can access resources.

Speedle+

Speedle+ is an open-source project to address access control requirements. Externalize access control logic to a policy engine using an access control mechanism.

Rate Limiting

Allowing unlimited access to APIs is not a good practice. The best solution is to have a rate-limiting mechanism.

Rate-limiting to protect APIs will be helpful in the following ways:

Prevent DDoS attacks- Preventing attackers from flooding a network with so much traffic.

Put in place API usage plans- This will be beneficial when monetizing APIs.

Enforce fair usage policies – No one can consume all the allocated resources or bandwidth.

Prevent the system from over usage- With proper rate-limiting. It is possible to protect APIs and backend from sudden overuse and request spikes.

Conclusion

APIs are now essential in modern internet and digital app development. Apps, services, and software platforms can use them to arrange interactions. RESTinterfaces account for over 80% of all public and proprietary APIs. Read our article on WHAT IS AN API to have a better understanding of the significant distinctions between REST and SOAP APIs.