5 Golden Rules of API Security
API, short for Application Programming Interface, is a set of defined rules and protocols that allows two or more programs or applications to interact with each other. APIs are now used by IT systems of every size, including mobile applications, web applications, IoT systems, and more. Approximately 85 percent of web traffic makes use of APIs.
Most big companies, including Google, Facebook, Spotify and Twitter, use APIs in their services. Facebook, Spotify and Twitter are among the companies that publish their full API documentation to help developers.
Types of API
- SOAP, short for Simple Object Access Protocol, is a web API protocol that is simple but effective.
- REST, short for Representational State Transfer, has the characteristics of a client-server model, statelessness, caching, and so on.
- GraphQL is a query language for APIs with the advantage of retrieving all required data in a single request.
OWASP API Security Top 10 - 2019
OWASP is an open security community that publishes the vulnerability types found most widely in software and applications. Below is the list of vulnerability types most commonly found in API-based applications and software:

| API | Security Issue Category |
|-----|-------------------------|
| API1:2019 | Broken Object Level Authorization |
| API2:2019 | Broken User Authentication |
| API3:2019 | Excessive Data Exposure |
| API4:2019 | Lack of Resources & Rate Limiting |
| API5:2019 | Broken Function Level Authorization |
| API6:2019 | Mass Assignment |
| API7:2019 | Security Misconfiguration |
| API8:2019 | Injection |
| API9:2019 | Improper Assets Management |
| API10:2019 | Insufficient Logging & Monitoring |
This blog talks briefly about the five golden rules of API security that will secure API from malicious actors.
5 Golden Rules of API Security
(1) Robust Authorization Mechanism
The authorization mechanism controls access to resources and grants it only to users who have the right to access them.
Some mitigation techniques for preventing authorization vulnerabilities:
- define user policies and implement authorization checks based on them
- use random, unpredictable values for GUIDs
- log every action that requests data from the database
(2) Never Trust Client Input (Input Validation)
Implementing proper input validation mitigates injection vulnerabilities. Always validate and sanitize input whenever an application accepts it from a user, and ensure that no input is fed directly into SQL, LDAP or similar queries.
(3) Logging Each Security Event
If logs are analyzed properly in real time, 99 percent of security breaches may be avoided.
Some mitigation techniques for preventing major security incidents:
- It is highly recommended to integrate a Security Information and Event Management (SIEM) system to analyze the logs produced by the API system.
- Define rules and configure alerts so that any anomaly or suspicious activity can be identified early.
- Always log all failed authentication events, and trigger an alert to the user if an excessive number of failed attempts is identified.
- Finally, install a log management solution and implement rules to identify any security incident.
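As an added example that is not part of the original post, the following Python script shows the kind of detection rule described above: it reads constructed JSON audit-log lines, counts failed authentication events per user inside a sliding time window, and raises an alert once a threshold is crossed. The log format, field names, threshold and window size are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample API audit log, one JSON object per line (not real traffic).
SAMPLE_LOG = """\
{"ts": "2024-01-01T10:00:00Z", "event": "auth_failure", "user": "alice", "src": "203.0.113.5"}
{"ts": "2024-01-01T10:00:05Z", "event": "auth_failure", "user": "alice", "src": "203.0.113.5"}
{"ts": "2024-01-01T10:00:09Z", "event": "auth_success", "user": "bob", "src": "198.51.100.7"}
{"ts": "2024-01-01T10:00:12Z", "event": "auth_failure", "user": "alice", "src": "203.0.113.5"}
{"ts": "2024-01-01T10:00:20Z", "event": "auth_failure", "user": "alice", "src": "203.0.113.5"}
{"ts": "2024-01-01T10:00:25Z", "event": "auth_failure", "user": "alice", "src": "203.0.113.5"}
{"ts": "2024-01-01T10:20:00Z", "event": "auth_failure", "user": "carol", "src": "192.0.2.9"}
"""


def parse_line(line):
    """Parse one JSON log line; return None for a malformed line so one bad
    record does not stop the whole analysis."""
    try:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return rec
    except (ValueError, KeyError, TypeError):
        return None


def failed_login_alerts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per user whose auth_failure count reaches `threshold`
    inside a sliding `window`; the alert fires on the attempt that crosses it."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("event") != "auth_failure":
            continue
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and rec["user"] not in alerted:
            alerted.add(rec["user"])
            alerts.append({"user": rec["user"], "count": len(q),
                           "src": rec["src"], "at": rec["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in failed_login_alerts(SAMPLE_LOG):
        print(f"ALERT: {a['count']} failed logins for {a['user']} from {a['src']} by {a['at']}")
```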
(4) Use SSL/TLS
Always use an encrypted transport layer when communicating data. Use the latest SSL/TLS protocol version to secure data in transit.
(5) Authentication Mechanism
Authentication verifies a user's credentials and checks whether the user is who they claim to be.
Authentication endpoints are favorite targets of malicious actors, since they are publicly reachable and the most rewarding to breach.
Some mitigation techniques for preventing authentication vulnerabilities:
- Always follow standard practices for password storage, authentication token generation, etc. Do not implement these yourself when standard, proven algorithms are available.
- Implement rate-limiting mechanisms such as CAPTCHA or account lockout to prevent brute force attacks against users and resources.
- Implement multifactor authentication to add a layer of security.
- Understand the authentication flows and identify all possible ways to authenticate to the application. Here, you can ask developers for help.
Conclusion
Adopting security best practices always helps in mitigating API security issues. In the end, I will just say that implementing defense-in-depth mechanisms always secures the IT system against major attacks.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.