Guide to API Security in 2022

Guide to API Security in 2022

Introduction

APIs are essential to increasing innovation in our digital economy.
 
Garner, Inc forecasts that by 2020, more than 25 billion things will connect to the internet.
 
That represents an incremental revenue opportunity over $300 billion fueled by API. 
 
Yet APIs expose a broader attack surface for cybercriminals.
 
That’s because APIs expose application logic and sensitive data.
 
This article explores how to secure APIs.
 
We’ll discuss REST APIs vs SOAP APIs.
 
We’ll review the OWASP API Top 10.
 
Plus we’ll talk about best practices to secure your APIs.

What is the API Economy?

The API economy emerges when APIs become part of an organizational model.
 
APIs have been strategic enablers for several online business models. 
 
Amazon, for example, is more than an internet retailer, it is also a popular merchant gateway.
 
Amazon’s platform builds on APIs that allow easy onboarding of new merchants. 
 
Banks have based payment infrastructures and clearing houses on well-defined APIs for decades.
 
APIs should be an integral part of your business strategy.

Web API Security

Web APIs connect the client-side of an application with the server-side.
 
Web API security includes but is not limited to access control and privacy. 
 
An attack on an application may bypass the client-side application and focus on the APIs.
 
Microservices often use APIs because they are available through public networks.
 
APIs can be sensitive to denial of service DDOS-type incidents. 
 
REST API Security vs. SOAP API Security 
 
There are two main types of API implementations:
 
  1. REST (Representational State Transfer). 
 
      2. SOAP (Simple Object Access Protocol).

REST API Security

Transport Layer Security (TLS) encryption supports via REST APIs, which communicate over HTTP.
 
TLS encrypts and verifies to ensure that no third parties can read the data sent.
 
Hackers that try to steal your credit card information will have no access to your data. 
 
REST APIs use JavaScript Object Notation (JSON). It is faster to use REST APIs than SOAP APIs. They don’t need to keep data, which makes them more efficient.

SOAP API, Security

SOAP APIs provide a built-in security mechanism called Web Services Security (WS Security). They check authentication and authorization. They use XML encryption, XML signatures, and SAML tokens.

SOAP is the right approach for standardizing and encrypting Web Services. SOAP is a better alternative than REST. 

SOAP limits to XML but REST can manage any data format. JSON is easier to understand than XML. The use of REST for data transportation saves money on computer infrastructure costs.

API Management

API management helps businesses make their digital resources. 

Below are some ways to manage API security:

1. Authentication

HTTP Basic Authentication is a method for a client to authenticate with the API Gateway.

2. OAuth2.0 Authentication

The standard mechanism for authorization is OAuth 2.0.
 
The OAuth 2.0 authorization framework lets a third party get limited access to an HTTP service.
 
This works by enabling the third-party application to get access on its own behalf. 
 
 In the context of OAuth authentication flows, there are a few different options.
 
Supported OAuth flows include:
 
  • Username password flow: where the program has direct access to user credentials.
 
  • Web server flow: where the server can protect the consumer’s secret.
 
  • User-agent flow: used by applications that cannot store the consumer secret.
 
In the OAuth2.0 authentication, the user will send credentials in the request body. Like basic authentication but also introduce tokens. Tokens store on the server-side. The same token calls the service any number of times until it expires. The users can refresh to get the new one.
 
The problem is this method produces more tokens. Expired tokens on the server will increase the server load.

3. JSON Web Token Authentication

A JWT Token is a JSON Object and base64 encoded and signed with a shared key. The JWT ensures that only a defined user can generate a unique token. The JWTs are not encrypted. Anyone with access to the token will get the data.

Benefits of the JWT

  • The token contains all of the information necessary to authenticate the user.
  • It’s easy to avoid relying on centralized authentication servers and databases.
  • Verification entails examining the signature and several other factors.
  •  JWT is a medium-life token with an expiration date specified between a few weeks to longer
  • Scalability on contemporary web server hardware is easy…

4. HTTP Signatures

In JWT, the authorization header has base64 encoded and signed. If anyone gets the JWT token and request, they can update the HTTP Request body. HTTP Signatures allow the client to sign the HTTP Message. So, those others can touch the request on the network.

Amazon, Facebook, and Google use HTTP Signatures. In 2016, Signing HTTP Messages came into practice. It is a new work in progress specification. As per this specification, the benefit of signing the HTTP message, for the purpose of end-to-end message integrity. A client can authenticate with the same mechanism without the need for many loops.

Understanding API Security Vulnerabilities

OWASP has always been the go-to authority on the most common and insidious security issues found in the software we use everyday, and it’s all backed up by rich data.

If there is any baseline for which organisations should strive, it’s conquering this OWASP API Security Top 10 listed below.

OWASP API SECURITY TOP 1O

API1: Broken Object Level Authorization

API2: Broken Authentication

API3: Excessive Data Exposure

API4: Lack of Resource & Rate Limiting

API5: Broken Function Level Auth

API6: Mass Assignment

API7: Security Misconfiguration

API8: Injection

API9: Improper Asset Management

API10: Insufficient Logging & Monitoring

API SECURITY BEST PRACTICES

Here are some of the most common ways to improve API Security:

 

  1. Establish your vulnerabilities. 

 

There is a need to keep the operating system, network, and API components updated. Look for flaws that can let attackers gain access to your APIs.  Sniffers detect security issues and track data leaks.

 

  1. Place the quota and throttling.

 

Place a quota on how often your APIs call and check usage in history. Misuse of an API is usually shown by a spike in calls. 

 

  1. Use an API gateway to connect to your API. 

 

API gateways are the primary enforcement point for API traffic. It will allow you to control and analyse how your APIs authenticate.

 

  1. Use tokens.

 

Create trusted identities. Use tokens with those identities to control access to services and resources.

 

  1. Use Encryption and digital signatures.

 

Encrypt your data using TLS. Utilize digital signatures to verify that only authorized individuals have access to and edit data.

 

  1. Focus on security.

 

APIs should never be considered incidental. Organizations stand to lose a great deal by failing to secure APIs. As a result, make security a priority and include it into your APIs.

 

  1. Validate input.

 

Never transmit data to an endpoint via an API without verifying it first.

 

  1. Make use of rate-limiting. 

 

Limiting then requests can assist in preventing denial-of-service attacks.

 

  1. Use a robust authentication and authorization system. 

 

When APIs do not enforce authentication, broken authentication happens.

Utilize login and authorization technologies that are well-established, such as OAuth2.0 and OpenID Connect.

Conclusion

We’ve reviewed the OWASP API Security Top 10 vulnerabilities to better protect API.
 
We can manage risk management by using well established authentication and authorization techniques.
 
For example, HTTP Signatures, which Amazon, Facebook, and Google all use.
 
We’ve reviewed other API best practices including the use of tokens, and encryption.
 
We also touched on digital signatures, as well as the importance of validation of input.
 
Read our article on API Security Best Practices in 2022 for more info on the OWASP API Security Top 10.
WHOIS vs RDAP

WHOIS vs RDAP

WHOIS vs RDAP What is WHOIS? Most website owners include a means to contact them on their website. It could be an email, an address,

Read More »
API Load Testing With Locust

API Load Testing With Locust

API Load Testing With Locust API Load Testing With Locust: Intro You’ve probably been in this situation before: you write code that does something, an

Read More »
Top OATH API Vulnerabilites

Top OATH API Vulnerabilities

Top OATH API Vulnerabilities Top OATH API Vulnerabilities: Intro When it comes to exploits, APIs are the greatest place to start. API access usually consists

Read More »

Application Security Training Platform | Security Sherpa