Guide to API Security in 2023
Introduction
APIs are essential to driving innovation in our digital economy. Gartner, Inc. forecasts that by 2020, more than 25 billion things will connect to the internet. That represents an incremental revenue opportunity of over $300 billion fueled by APIs. Yet APIs also expose a broader attack surface to cybercriminals, because they expose application logic and sensitive data. This article explores how to secure APIs. We’ll compare REST APIs with SOAP APIs, review the OWASP API Security Top 10, and discuss best practices for securing your APIs.
What is the API Economy?
The API economy emerges when APIs become part of an organizational model. APIs have been strategic enablers for several online business models. Amazon, for example, is more than an internet retailer; it is also a popular merchant gateway. Amazon’s platform builds on APIs that allow easy onboarding of new merchants. Banks have based payment infrastructures and clearing houses on well-defined APIs for decades. APIs should be an integral part of your business strategy.
Web API Security
Web APIs connect the client side of an application with the server side. Web API security includes, but is not limited to, access control and privacy. An attack on an application may bypass the client-side application and target the APIs directly. Microservices often communicate through APIs that are reachable over public networks. APIs can also be sensitive to denial-of-service (DoS/DDoS)-type incidents.
REST API Security vs. SOAP API Security
There are two main types of API implementations:
1. REST (Representational State Transfer).
2. SOAP (Simple Object Access Protocol).
REST API Security
REST APIs communicate over HTTP, which supports Transport Layer Security (TLS) encryption. TLS encrypts the traffic and verifies the server so that no third party can read the data sent; hackers trying to steal your credit card information get no access to the data in transit. REST APIs typically use JavaScript Object Notation (JSON). REST APIs are faster to use than SOAP APIs: they are stateless and don’t need to keep session data between calls, which makes them more efficient.
SOAP API Security
SOAP APIs provide a built-in security mechanism called Web Services Security (WS-Security). It covers authentication and authorization, using XML encryption, XML signatures, and SAML tokens.
SOAP is the right approach for standardizing and encrypting Web Services. SOAP is a better alternative than REST in that respect.
SOAP is limited to XML, while REST can handle any data format. JSON is easier to read than XML, and using REST for data transport saves money on computing infrastructure costs.
API Management
API management helps businesses manage their digital resources.
Below are some ways to manage API security:
1. Authentication
HTTP Basic Authentication is a method for a client to authenticate with the API Gateway.
2. OAuth2.0 Authentication
The standard mechanism for authorization is OAuth 2.0. The OAuth 2.0 authorization framework lets a third-party application obtain limited access to an HTTP service. This works by enabling the third-party application to obtain access on its own behalf. In the context of OAuth authentication flows, there are a few different options. Supported OAuth flows include:
- Username password flow: where the program has direct access to user credentials.
- Web server flow: where the server can protect the consumer’s secret.
- User-agent flow: used by applications that cannot store the consumer secret.
In OAuth 2.0 authentication, the user sends credentials in the request body, as in basic authentication, but tokens are also introduced. Tokens are stored on the server side, and the same token can call the service any number of times until it expires; the user can then refresh it to get a new one. The problem is that this method produces many tokens, and expired tokens left on the server increase the server load.
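The server-side token handling described above, as an added example that is not part of the original article or of any OAuth library: opaque access and refresh tokens are stored in a hypothetical in-memory store, refresh tokens are single-use, and a purge routine removes expired records so the store does not keep growing. The lifetimes, the `ManualClock` helper and all names are assumptions for this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed lifetimes in seconds (constructed for this example, not from the article).
ACCESS_TTL = 300
REFRESH_TTL = 3600


class ManualClock:
    """Settable clock so expiry can be exercised without sleeping (test helper)."""

    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


@dataclass
class TokenRecord:
    user: str
    kind: str          # "access" or "refresh"
    expires_at: float


class TokenStore:
    """Opaque bearer tokens kept on the server side (hypothetical store)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._tokens: Dict[str, TokenRecord] = {}

    def issue(self, user: str) -> Tuple[str, str]:
        """Issue an (access, refresh) pair for an already-authenticated user."""
        now = self._now()
        access = secrets.token_urlsafe(32)    # unguessable random strings, not JWTs
        refresh = secrets.token_urlsafe(32)
        self._tokens[access] = TokenRecord(user, "access", now + ACCESS_TTL)
        self._tokens[refresh] = TokenRecord(user, "refresh", now + REFRESH_TTL)
        return access, refresh

    def authenticate(self, access: str) -> Optional[str]:
        """Return the user behind a valid, unexpired access token, else None."""
        rec = self._tokens.get(access)
        if rec is None or rec.kind != "access" or rec.expires_at <= self._now():
            return None
        return rec.user

    def refresh(self, refresh: str) -> Optional[Tuple[str, str]]:
        """Consume a valid refresh token and issue a new pair (single use)."""
        rec = self._tokens.pop(refresh, None)
        if rec is None or rec.kind != "refresh" or rec.expires_at <= self._now():
            return None
        return self.issue(rec.user)

    def purge_expired(self) -> int:
        """Remove expired records: the housekeeping that keeps server load down."""
        now = self._now()
        dead = [t for t, r in self._tokens.items() if r.expires_at <= now]
        for t in dead:
            del self._tokens[t]
        return len(dead)

    def __len__(self) -> int:
        return len(self._tokens)


def demo() -> Tuple[int, int]:
    """Show the store filling with stale tokens and shrinking after a purge."""
    clock = ManualClock()
    store = TokenStore(now=clock)
    for i in range(100):
        store.issue(f"user{i}")          # 200 records: 100 access + 100 refresh
    clock.t += ACCESS_TTL + 1            # every access token expires; refresh ones remain
    before = len(store)
    store.purge_expired()
    return before, len(store)            # (200, 100)


if __name__ == "__main__":
    print(demo())
```

Run the purge on a schedule (or store tokens with a TTL in a cache that evicts them for you); otherwise every login adds records that nothing removes.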
3. JSON Web Token Authentication
A JWT is a JSON object that is base64url-encoded and signed with a shared key. The signature ensures that only a party holding the key can generate a valid token. JWTs are not encrypted: anyone with access to the token can read the data in it.
Benefits of the JWT
- The token contains all of the information necessary to authenticate the user.
- It’s easy to avoid relying on centralized authentication servers and databases.
- Verification entails examining the signature and several other factors.
- JWT is a medium-life token, with an expiration date that can be set from a few weeks to longer.
- Scalability on contemporary web server hardware is easy…
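An added example, not from the article or from any JWT library, showing the points made above with the standard library only: minting an HS256 token with a shared key, reading its claims without the key (the payload is only encoded), and verifying the signature and expiry before trusting any claim. The key, the claims and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed shared key for the example; a real key is long, random and kept secret.
SHARED_KEY = b"example-shared-key-do-not-use"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: Dict[str, Any]) -> str:
    """JSON-serialise and base64url-encode one JWT segment."""
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_jwt(claims: Dict[str, Any], key: bytes) -> str:
    """header.payload.signature, signed with HMAC-SHA256 over header.payload."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    mac = hmac.new(key, signing_input.encode("utf-8"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def read_claims_unverified(token: str) -> Dict[str, Any]:
    """The payload is encoded, not encrypted: anyone holding the token can read it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Return the claims only if the signature is valid for `key` and the token is unexpired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        given = b64url_decode(sig_b64)
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(claims, dict):
        return None             # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and current >= exp:
        return None             # expired tokens are rejected even with a good signature
    return claims
```

Because the claims are readable by anyone holding the token, put nothing in them that the client must not see, and send the token only over TLS.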
4. HTTP Signatures
With a JWT, the Authorization header is base64-encoded and signed, but the rest of the message is not. If anyone intercepts the JWT and the request, they can modify the HTTP request body. HTTP Signatures allow the client to sign the HTTP message itself, so that no one else can tamper with the request on the network.
Amazon, Facebook, and Google use HTTP Signatures. The "Signing HTTP Messages" specification came into practice in 2016 and is still a work-in-progress specification. According to the specification, the benefit of signing the HTTP message is end-to-end message integrity, and a client can authenticate with the same mechanism without additional round trips.
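To show how signing the message, rather than just carrying a token, protects the body and target, here is an added example in the spirit of the draft described above. It is not the article's code and not a conforming implementation of the specification: it signs a fixed set of headers plus the request target with HMAC-SHA256, binds the body through a Digest header, and has the server re-derive everything from what it actually received. Lowercase header names, the key, the key id and the sample request are assumptions of this example.

```python
import base64
import hashlib
import hmac
from typing import Dict

# Constructed shared secret; a real server looks the key up by keyId.
SHARED_KEY = b"example-shared-key-do-not-use"
# Header names are lowercase keys throughout (an assumption of this example).
SIGNED_HEADERS = ["(request-target)", "host", "date", "digest"]


def body_digest(body: bytes) -> str:
    """Digest header value that binds the body to the signature."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def signing_string(method: str, path: str, headers: Dict[str, str]) -> str:
    """Canonical string covered by the signature: one 'name: value' line per signed header."""
    lines = []
    for name in SIGNED_HEADERS:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)


def sign_request(method: str, path: str, headers: Dict[str, str], body: bytes,
                 key: bytes, key_id: str = "client-1") -> Dict[str, str]:
    """Client side: add Digest and Signature headers; returns the outgoing headers."""
    out = dict(headers)
    out["digest"] = body_digest(body)
    mac = hmac.new(key, signing_string(method, path, out).encode("utf-8"), hashlib.sha256).digest()
    out["signature"] = (
        f'keyId="{key_id}",algorithm="hmac-sha256",'
        f'headers="{" ".join(SIGNED_HEADERS)}",'
        f'signature="{base64.b64encode(mac).decode("ascii")}"'
    )
    return out


def parse_signature_header(value: str) -> Dict[str, str]:
    """Split 'k="v",k="v"' into a dict (values contain no commas in this scheme)."""
    params = {}
    for part in value.split(","):
        name, _, val = part.partition("=")
        params[name.strip()] = val.strip().strip('"')
    return params


def verify_request(method: str, path: str, headers: Dict[str, str], body: bytes, key: bytes) -> bool:
    """Server side: reject any request whose body, target or signed headers were altered."""
    needed = [h for h in SIGNED_HEADERS if h != "(request-target)"] + ["signature"]
    if any(h not in headers for h in needed):
        return False
    params = parse_signature_header(headers["signature"])
    if params.get("algorithm") != "hmac-sha256" or params.get("headers", "").split() != SIGNED_HEADERS:
        return False
    # Body integrity: the Digest we were sent must match the body we actually received.
    if not hmac.compare_digest(headers["digest"], body_digest(body)):
        return False
    expected = hmac.new(key, signing_string(method, path, headers).encode("utf-8"), hashlib.sha256).digest()
    try:
        given = base64.b64decode(params.get("signature", ""), validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, given)
```

Signing the Date header, as done here, is what lets the server also reject stale or replayed requests by checking that the date is recent; that freshness check is left to the caller in this example.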
Understanding API Security Vulnerabilities
OWASP has always been the go-to authority on the most common and insidious security issues found in the software we use every day, and its guidance is backed up by rich data.
If there is a baseline for which organisations should strive, it’s conquering the OWASP API Security Top 10 listed below.
OWASP API SECURITY TOP 10
API1: Broken Object Level Authorization
API2: Broken Authentication
API3: Excessive Data Exposure
API4: Lack of Resources & Rate Limiting
API5: Broken Function Level Authorization
API6: Mass Assignment
API7: Security Misconfiguration
API8: Injection
API9: Improper Asset Management
API10: Insufficient Logging & Monitoring
API SECURITY BEST PRACTICES
Here are some of the most common ways to improve API Security:
- Identify your vulnerabilities.
Keep the operating system, network, and API components updated. Look for flaws that could let attackers gain access to your APIs. Sniffers detect security issues and track data leaks.
- Set quotas and throttling.
Place a quota on how often your APIs can be called and check the usage history. Misuse of an API usually shows up as a spike in calls.
- Use an API gateway to connect to your API.
API gateways are the primary enforcement point for API traffic. A gateway lets you control and analyse how callers of your APIs authenticate.
- Use tokens.
Create trusted identities. Use tokens with those identities to control access to services and resources.
- Use encryption and digital signatures.
Encrypt your data using TLS. Use digital signatures to ensure that only authorized individuals can access and edit data.
- Focus on security.
APIs should never be considered incidental. Organizations stand to lose a great deal by failing to secure APIs, so make security a priority and build it into your APIs.
- Validate input.
Never pass data to an endpoint via an API without validating it first.
- Make use of rate-limiting.
Limiting the number of requests can help prevent denial-of-service attacks.
- Use a robust authentication and authorization system.
Broken authentication happens when APIs do not enforce authentication.
Use well-established authentication and authorization technologies such as OAuth 2.0 and OpenID Connect.
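The quota, throttling and rate-limiting practices in the list above, as one added example that is not from the article or from any gateway product: a per-client sliding-window throttle, a hard quota, and a usage history that flags a spike in calls relative to the client's earlier windows. The limits, the `ManualClock` helper and the client ids are constructed for this example; a gateway would keep this state in a shared cache rather than in process memory.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple


class ManualClock:
    """Settable clock so windows can be advanced without sleeping (test helper)."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class RateLimiter:
    """Per-client sliding-window throttle plus a hard quota, with an attempt history (hypothetical)."""

    def __init__(self, now: Callable[[], float] = time.time,
                 window: float = 10.0, limit: int = 5, quota: int = 50) -> None:
        self._now = now
        self.window = window      # seconds per throttling window
        self.limit = limit        # accepted calls allowed per window
        self.quota = quota        # accepted calls allowed in total (e.g. per billing period)
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._used: Dict[str, int] = defaultdict(int)
        # attempts (accepted or not) per window index: the usage history used to spot spikes
        self._attempts: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))

    def _window_index(self, now: float) -> int:
        return int(now // self.window)

    def check(self, client_id: str) -> Tuple[bool, str]:
        """Decide whether one call from client_id may proceed, and record the attempt."""
        now = self._now()
        self._attempts[client_id][self._window_index(now)] += 1
        hits = self._hits[client_id]
        while hits and hits[0] <= now - self.window:   # forget calls outside the window
            hits.popleft()
        if self._used[client_id] >= self.quota:
            return False, "quota exceeded"
        if len(hits) >= self.limit:
            return False, "rate limit exceeded"
        hits.append(now)
        self._used[client_id] += 1
        return True, "ok"

    def is_spike(self, client_id: str, factor: float = 3.0) -> bool:
        """True when this window's attempts reach `factor` times the client's average earlier window."""
        history = self._attempts[client_id]
        cur = self._window_index(self._now())
        earlier = [n for idx, n in history.items() if idx < cur]
        if not earlier:
            return False
        baseline = sum(earlier) / len(earlier)
        return history.get(cur, 0) >= factor * baseline


def demo() -> List[str]:
    """Seven calls in one window against a limit of five: the last two are throttled."""
    limiter = RateLimiter(now=ManualClock(), window=10, limit=5, quota=50)
    return [limiter.check("client-a")[1] for _ in range(7)]


if __name__ == "__main__":
    print(demo())
```

Rejected calls are still counted in the history on purpose: a client that keeps hammering a throttled endpoint is exactly the spike the usage history should reveal.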
Conclusion
We’ve reviewed the OWASP API Security Top 10 vulnerabilities to better protect APIs. We can manage risk by using well-established authentication and authorization techniques, for example HTTP Signatures, which Amazon, Facebook, and Google all use. We’ve reviewed other API best practices, including the use of tokens and encryption. We also touched on digital signatures, as well as the importance of input validation. Read our article on API Security Best Practices in 2022 for more info on the OWASP API Security Top 10.