5 Tips to Protect Your APIs


The demand for data-centric projects is on the rise, leading to the increased use of REST and SOAP APIs. With an increasingly digitized world, it’s crucial to put security at the forefront of IT and software strategy.

APIs (or Application Programming Interfaces) function as messengers between applications. They are the translator, allowing disparate systems to interact with one another. While great news for companies and easing complexity for developers, APIs also come with their own challenges.

Every API endpoint you expose is additional attack surface. Without the right controls, attackers can abuse leaked or stolen API keys to read or modify data, or flood an endpoint with requests in a denial-of-service (DoS) attack until your product or service is unreachable for legitimate users. Outages of this kind are sometimes accompanied by extortion demands, as criminals count on your urgency to restore service.

How can you ensure your security approach is comprehensive enough to protect your APIs, and thereby, your data and users? Below we outline a few key elements to address to keep your APIs (and your company) safe.

Authentication

Authentication is the foundation of API security: it establishes which user or application is making each request, and everything else (authorization, rate limiting, auditing) keys off that identity. Common ways to verify the caller:
  • HTTP Basic authentication, in which a user ID and password travel with every request; acceptable only over TLS, and a poor fit for anything beyond internal or legacy integrations
  • API keys, long random strings that identify a calling application rather than a human user; they should be issued per client, shown once, stored server-side only as a hash, and revocable
  • Bearer tokens issued by an Identity Provider (IdP); the usual protocols are OAuth 2.0 for access tokens and OpenID Connect for identity, with the tokens often carried as JWTs
Organizations also face credential stuffing, in which criminals replay username and password pairs leaked from other breaches against your login endpoint, counting on password reuse to take over accounts. Because the same backend APIs usually serve both the web front end and mobile apps, attackers increasingly script against the API directly, bypassing browser-side defenses such as CAPTCHAs and JavaScript challenges that only protect the web UI.

Multifactor authentication is a must, adding a second factor to the login step so that a stolen password alone is not enough. For the passwords themselves, require adequate length and check new passwords against lists of known-breached passwords; these do more than traditional complexity rules, which users tend to satisfy in predictable ways.
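As an added example (not code from the original article), the following Python shows the server side of the API-key and password checks described above: keys are random, returned to the client once, and stored only as a hash; passwords are stored as salted, deliberately slow PBKDF2 hashes; and both checks use constant-time comparison and do the same amount of work whether or not the identifier exists. The in-memory dictionaries, the key format and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# In-memory stores standing in for a database (assumption made for this example).
API_KEY_STORE = {}    # key_id -> SHA-256 hex digest of the key's secret part
PASSWORD_STORE = {}   # username -> (salt, PBKDF2-HMAC-SHA256 digest)

# Iteration count in the range current guidance recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def issue_api_key():
    """Create a key of the form <key_id>.<secret> and return it exactly once.

    The key_id lets the server find the record; only a hash of the secret is
    stored, so a leaked database does not hand out usable keys. A fast hash is
    fine here because the secret has 256 bits of entropy and cannot be guessed.
    """
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    API_KEY_STORE[key_id] = hashlib.sha256(secret.encode()).hexdigest()
    return f"{key_id}.{secret}"


def verify_api_key(presented):
    """Return the key_id when the presented key is valid, otherwise None."""
    if presented.count(".") != 1:
        return None
    key_id, secret = presented.split(".", 1)
    stored = API_KEY_STORE.get(key_id)
    candidate = hashlib.sha256(secret.encode()).hexdigest()
    # Compare against a dummy digest for unknown ids so that timing does not
    # reveal which key_ids exist; compare_digest avoids byte-by-byte leaks.
    reference = stored if stored is not None else "0" * 64
    match = hmac.compare_digest(candidate, reference)
    return key_id if (stored is not None and match) else None


def set_password(username, password):
    """Store a salted, deliberately slow hash; never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    PASSWORD_STORE[username] = (salt, digest)


def verify_password(username, password):
    """Check a login attempt; unknown users still pay the full hashing cost."""
    record = PASSWORD_STORE.get(username)
    salt, digest = record if record is not None else (b"\x00" * 16, b"\x00" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    match = hmac.compare_digest(candidate, digest)
    return record is not None and match


if __name__ == "__main__":
    key = issue_api_key()          # this is the only time the full key is visible
    print("key valid:", verify_api_key(key) is not None)
    print("tampered key valid:", verify_api_key(key[:-1] + "x") is not None)
    set_password("alice", "correct horse battery staple")
    print("login ok:", verify_password("alice", "correct horse battery staple"))
    print("wrong password:", verify_password("alice", "hunter2"))
```

The difference in hashing choice is deliberate: a random 256-bit API secret cannot be brute-forced, so SHA-256 is enough to keep the database from leaking usable keys, whereas a human-chosen password must go through a slow, salted key-derivation function to make offline guessing expensive.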

Encryption

It goes without saying that data is, quite truly, the lifeblood of any organization. No matter the nature of a business, data can be used in nefarious ways if it falls into the wrong hands. For that reason, encryption is crucial.

Encryption keeps data confidential in transit and at rest, and brings integrity with it: an attacker who intercepts encrypted traffic can neither read it nor alter it undetected. As attackers become more capable, strong and correctly configured encryption is essential.

Consider these measures, and be clear about what each one does and does not provide:
  • HTTPS - runs the API over TLS (the successor to SSL), which encrypts requests and responses and authenticates the server to the client. It defeats man-in-the-middle attacks only when the client validates the server certificate; clients that disable validation, accept a plaintext fallback, or talk to an endpoint that also answers over plain HTTP remain exposed. Require TLS 1.2 or later, do not serve the API over plain HTTP at all, and enforce certificate validation in mobile clients.
  • JSON Web Token (JWT) - an open standard (RFC 7519) for passing claims between parties. In most deployments a JWT is signed, not encrypted: its payload is only base64url-encoded and can be read by anyone who holds the token, so never put secrets in claims. The receiver must verify the signature with a pinned algorithm and check the expiry; where the claims themselves must stay confidential, use the encrypted form (JWE).
  • Password hashing - not encryption but a one-way transformation. Store only a salted hash produced by a slow, purpose-built algorithm such as Argon2id, bcrypt, scrypt, or PBKDF2 with a high iteration count. MD5 and plain SHA-1 or SHA-256 are unsuitable for passwords: they are fast by design and can be brute-forced at billions of guesses per second.
Treat API keys like passwords: transmit them only over TLS, show them to the client once at creation, store only a hash server-side, and support rotation and revocation so that a leaked key can be retired without disrupting every other client.
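To make the JWT point concrete, here is an added example (not code from the original article) that signs and verifies an HS256 JWT with the standard library only. It shows that the claims are readable without the key, and that a correct verifier pins the algorithm, checks the signature in constant time, and rejects expired tokens, forged "alg: none" tokens and tampered payloads. The secret key, the claims and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Produce header.payload.signature using HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def read_claims_without_verifying(token):
    """Anyone holding the token can do this: a signed JWT is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]).decode())


def verify_jwt(token, key, now=None):
    """Return the claims if the token is genuine and unexpired, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64).decode())
        presented = b64url_decode(signature_b64)
    except ValueError:
        return None
    # Pin the algorithm. Letting the token's own "alg" field choose the verifier
    # is what makes "none" and key-confusion forgeries possible.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64).decode())
    except ValueError:
        return None
    # Only trust the claims once the signature is good, then enforce expiry.
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        return None
    if claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    key = b"server-side-secret-from-a-vault"   # constructed for the example
    token = sign_jwt({"sub": "alice", "exp": 2_000_000_000}, key)
    print("readable without key:", read_claims_without_verifying(token))
    print("verified:", verify_jwt(token, key))
    print("wrong key:", verify_jwt(token, b"wrong-key"))
```

In a real service the key would come from a secrets manager and the verifier would usually be a maintained JWT library configured with an explicit algorithm list; the point of writing it out is to see which checks that configuration has to perform.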

Authorization

Authentication tells you who the caller is; authorization decides what that caller may do. The identity bound to an API key or token should map to an explicit set of permissions (scopes), and every request should be checked against them on the server, where the client cannot tamper with the decision.

Consider network or file-system permissions. Not everyone in an organization has access to all server data, and for good reason! Likewise, not every caller should reach every API, or every action on it. Enforce authorization at two levels: function-level (may this key call this endpoint or method at all?) and object-level (may this key act on this particular record?). The second check is the one most often missed, and its absence lets a caller read other customers' data simply by changing an ID in the URL. Default to deny, grant each integration the minimum scopes it needs, and return the same not-found response for records that do not exist and records the caller may not see. This protects against malicious requests as well as honest mistakes.
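The two-level check above, as an added example in Python (not code from the original article). It puts a vulnerable handler that only authenticates the key beside a hardened one that checks the key's scope for the operation and then the owning tenant of the record. The tenants, keys, scopes and order records are constructed sample data.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is known but lacks the scope for this operation (HTTP 403)."""


class NotFound(Exception):
    """Record does not exist, or belongs to another tenant (HTTP 404 either way)."""


@dataclass(frozen=True)
class Principal:
    key_id: str
    tenant: str
    scopes: frozenset


# Constructed sample data (assumption): three API keys across two tenants.
PRINCIPALS = {
    "key-acme-ro": Principal("key-acme-ro", "acme", frozenset({"orders:read"})),
    "key-acme-rw": Principal("key-acme-rw", "acme", frozenset({"orders:read", "orders:write"})),
    "key-globex": Principal("key-globex", "globex", frozenset({"orders:read", "orders:write"})),
}
ORDERS = {
    "o-1001": {"tenant": "acme", "total": 42.0},
    "o-2001": {"tenant": "globex", "total": 99.0},
}

# Scope each operation needs. Anything not listed is denied by default.
REQUIRED_SCOPE = {
    ("GET", "order"): "orders:read",
    ("DELETE", "order"): "orders:write",
}


def get_order_vulnerable(key_id, order_id):
    """Anti-pattern: authenticates the key but never checks who owns the order,
    so any valid key can read every tenant's orders by guessing ids."""
    if key_id not in PRINCIPALS:
        raise Forbidden("unknown key")
    return ORDERS[order_id]


def authorize(key_id, method, order_id):
    """Function-level check, then object-level check; return the record or raise."""
    principal = PRINCIPALS.get(key_id)
    if principal is None:
        raise Forbidden("unknown key")
    # Function-level: does this key hold the scope the operation requires?
    needed = REQUIRED_SCOPE.get((method, "order"))
    if needed is None or needed not in principal.scopes:
        raise Forbidden(f"{method} order requires scope {needed!r}")
    # Object-level: the record must belong to the caller's tenant. Foreign and
    # missing records both get NotFound so that existence is not disclosed.
    order = ORDERS.get(order_id)
    if order is None or order["tenant"] != principal.tenant:
        raise NotFound(order_id)
    return order


def handle_get_order(key_id, order_id):
    return dict(authorize(key_id, "GET", order_id))


def handle_delete_order(key_id, order_id):
    authorize(key_id, "DELETE", order_id)
    del ORDERS[order_id]
    return {"deleted": order_id}


if __name__ == "__main__":
    print("vulnerable, cross-tenant read:", get_order_vulnerable("key-acme-ro", "o-2001"))
    for key, fn, oid in [("key-acme-ro", handle_get_order, "o-1001"),
                         ("key-acme-ro", handle_delete_order, "o-1001"),
                         ("key-acme-ro", handle_get_order, "o-2001")]:
        try:
            print(key, fn.__name__, oid, "->", fn(key, oid))
        except (Forbidden, NotFound) as exc:
            print(key, fn.__name__, oid, "->", type(exc).__name__, exc)
```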

Rate Limiting

In a DoS attack, a very large number of requests arrives in a short time, from one source or, in the distributed (DDoS) form, from many. While this may sound easy to spot, it goes unnoticed without the right measures in place, especially when each individual request looks legitimate.

Attackers use bots to overwhelm a system by flooding it with requests, or send expensive queries and oversized payloads to exhaust CPU, memory, or database capacity and trigger a crash. Either way, legitimate users cannot reach the resource or service they need.

Rate limiting protects an API against the application-layer version of this. It counts requests per API key, per user, or per source IP within a time window and rejects further requests once a threshold is exceeded, typically with an HTTP 429 response and a Retry-After header, rather than letting the backend fall over. Login and password-reset endpoints deserve much tighter limits than the rest of the API, since a burst of failed logins is the signature of credential stuffing or brute force: a limit of, say, a handful of failed attempts per account per minute stops it, while a general API key might be allowed a couple of hundred requests per minute. Rate limiting does not stop a volumetric DDoS that saturates your network links; that requires upstream protection from a CDN or scrubbing service.
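A sliding-window limiter of the kind described above, as an added example (not code from the original article). It keeps a per-bucket list of recent request timestamps, applies a tight per-IP limit to the login endpoint and a looser per-key limit elsewhere, and answers an over-limit request with 429 and a Retry-After computed from the oldest request still in the window. The thresholds, paths and addresses are assumptions made for the example.

```python
import math
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per bucket in any `window_seconds` interval."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # bucket -> timestamps of recent requests

    def check(self, bucket, now=None):
        """Record one request and return (allowed, retry_after_seconds)."""
        now = time.monotonic() if now is None else now
        hits = self._hits[bucket]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:      # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= self.limit:
            # The oldest hit still in the window decides when capacity frees up.
            return False, hits[0] + self.window - now
        hits.append(now)
        return True, 0.0


# Assumed thresholds: the login endpoint gets a much tighter per-IP limit than the
# general per-key limit, because a burst of logins is the signature of
# credential stuffing or brute force.
API_LIMIT = SlidingWindowLimiter(limit=200, window_seconds=60)
LOGIN_LIMIT = SlidingWindowLimiter(limit=5, window_seconds=60)


def handle_request(path, client_ip, api_key, now=None):
    """Middleware-style gate: returns (status, headers) before the real handler runs."""
    if path == "/login":
        limiter, bucket = LOGIN_LIMIT, f"ip:{client_ip}"
    else:
        limiter, bucket = API_LIMIT, f"key:{api_key}"
    allowed, retry_after = limiter.check(bucket, now)
    if not allowed:
        return 429, {"Retry-After": str(math.ceil(retry_after))}
    return 200, {}


if __name__ == "__main__":
    # Constructed burst: six login attempts from one address within a second.
    for i in range(6):
        print(i, handle_request("/login", "203.0.113.5", None, now=i / 10))
```

In production the timestamp store would live in a shared cache such as Redis so that every API instance sees the same counts, and the per-account view (failed logins for one username, regardless of source IP) would be tracked alongside the per-IP one so that a distributed credential-stuffing run is still caught.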

Third-Party Access

Unfortunately, even organizations that make security a priority fall victim to breaches. Often the entry point is not a direct hit on the company's own systems but the compromise of a third party, such as a vendor, partner, or SaaS integration, that holds credentials for them.

While not a tip specific to APIs, scrutinizing third-party access is crucial and under-reported advice. Vet partners before granting access, for example with a security questionnaire, and then constrain and monitor what you grant: issue each integration its own API key or client credentials rather than sharing one, limit it to the scopes and data it actually needs, set an expiry, log its activity, and revoke access promptly when the relationship ends. A partner's compromise should cost you one narrowly scoped key, not an open door into your systems.

Conclusion

Cybercrime is on the rise as opportunists capitalize on the growing use of APIs. Protect your APIs with authentication, authorization, encryption in transit, rate limiting, and disciplined third-party access. Putting in the effort from the start costs far less than recovering from an attack.

About the Author: Having spent her career in various capacities and industries under the “high tech” umbrella, Stefanie is passionate about the trends, challenges, solutions, and stories of existing and emerging technologies. A storyteller at heart, she considers herself one of the lucky ones: someone who gets to make a living doing what she loves. Stefanie is a regular writer at Bora.
