Top 5 API Security Best Practices for 2021
This is a guest post written by Subho Halder, co-founder and chief information security officer at Appknox.
With APIs being the new norm in the modern software development era, a rise in security concerns related to APIs is also inevitable. Gartner predicts that by 2022, API security will be the topmost cause of concern for enterprises working with web applications. In fact, the notorious Equifax data breach of 2017 that led to the exposure of more than 150 million user records happened as a result of API vulnerability.
Attacks like these and many others are pushing business owners and developers to understand the risks associated with API security and do everything possible to safeguard critical business resources. So, let’s explore some major API security concerns of 2021—and learn how to mitigate them.
Key API security challenges organizations face today
Given the critical role played by APIs in exposing the business functionality between applications and devices, their vulnerability to security threats is also a major point of concern. Here are some of the key challenges when it comes to API security:
- Increase in API abuse: There has been a constant increase in the number of cyberattacks and data breaches occurring due to insecure APIs.
- Traditional security solutions: The complexity of APIs is continuously increasing, and so they are also exposed to more sophisticated attack vectors. This means traditional API security solutions are less ineffective in such scenarios.
- Dynamic business environment: With increasing market competition, business owners are introducing new functionalities in their products at a much faster rate—so, new APIs are being utilized on an ongoing basis. This also means that businesses have to adapt quickly to changing security requirements as well.
- Complex application architectures: As the application architectures become increasingly complex, the nature of API security also becomes more and more extensive. The number of security hotspots has increased and it is becoming difficult to secure each and every one of them.
Common API security threats
Here are some of the most common API security threats today.
Man in the Middle Attack (MITM)
In order to obtain sensitive information between two parties, which entails secretly intercepting or altering communications, a Man in the Middle (MITM) attack is used. For example, an attacker called a “man in the middle” between a user’s browser and an API issues a session token into an HTTP header. The same session token, when intercepted, would result in granting access to the user’s account that can include personal details such as login credentials or credit card information.
API injections (XSS and SQLi)
During a code injection attack, malicious codes such as SQL injection (SQLi) and cross-site scripting (XSS) are inserted to stage an attack into vulnerable APIs. Also, API messages may become malicious because of the insertion of unwanted commands, such as SQL commands that can delete tables from databases.
Distributed denial-of-service (DDoS)
In case of a DDoS attack (or a distributed denial-of-service attack), a number of web servers are used to flood the resources or bandwidth of a targeted system. Apart from flooding its capacity with concurrent connections by sending large amounts of information in each request, a DDoS attack on a web API tries to manipulate and overwhelm its memory as well.
Sensitive data exposure
A data exposure attack may take place because of the exposure of sensitive data. This kind of sensitive data exposure takes place when sensitive data is improperly secured and APIs are returning excessive data in response to client requests. Session tokens, passwords, private health information, and credit card information can become more vulnerable to these attacks.
Parameter tampering is mostly about the manipulation of parameters that are exchanged between server and client that are concerned with modifying application data, like permissions and user credentials, along with quality, quantity, and price of products. This kind of information is usually stored in cookies, URL query strings, or hidden form fields, and is further used for amplifying the functionality of applications and their control.
Broken access control
Access control or authorization is the method by which access to certain contents and functions of the software is provided to a certain group of people rather than everybody. Attackers can gain unauthorized access to user accounts and user privileges when access control becomes inadequate or goes missing due to an API vulnerability. One of the well-known consequences of broken access control is declined access and access privilege alteration, which is one of the major crafts of attackers.
Top 5 API security best practices
Here is how you can keep your APIs safe by following a simple set of best practices in 2021 and beyond.
1. Focus on authorization and authentication
Developers need to take a vibrant approach in order to secure their code and keep API vulnerabilities at bay. This process begins by building a solid authentication framework that helps to check whether a person is authentic and remains who they are under all circumstances. Biometric solutions—like fingerprints and face scanning—are some of the advanced ways enterprises are moving from simple password systems to multi-step authentication approaches. In these cases, once the person gets authenticated, some kind of high-level authorization check needs to be passed by them in order to gain access to several types of information.
2. Secure backend data as well as frontend data
A large amount of time is already spent by enterprises securing information available on the frontend, but the chances that attackers get access to their system via backend resources still remain high. Under these circumstances, another checkpoint needs to be set up to safeguard the backend data; security threats can be minimized if data is prevented from being stolen through the backend servers. This is another example of how you can thwart attackers on the way out if you miss a crook on their way inside your system.
3. Secure the request-response lifecycle through validation
One of the most common attack surfaces is in the space that is validated between the API request and the response. To maximize security on this front, you need to have high-level security controls that include strong validation checks along with a swift rejection of pertaining requests. These kinds of checks can be supplemented with informative error messages for potential users, along with examples that support the input of data in a correct manner.
4. Hash passwords
You never want to encounter a situation where an attacker gets access to passwords through some API vulnerability. The best solution to avoid this problem is to hash all the passwords before making them accessible to APIs. Hashing passwords saves a scrambled version of the password into the system, not the actual password. This helps prevent a malicious agent from getting access to a password and protects passwords from getting “unscrambled.” This is also one of the major techniques through which any other sensitive information accessible to your API is preserved.
5. Limit access to users based on their roles
Setting up multiple layers of authentication while designing your APIs will prevent unauthorized users from bypassing the system and gaining access to sensitive data resources. Limiting access based on roles also ensures that only the right person with adequate permissions can access and modify the API resources.
API security from start to finish
To maintain API security best practices, following a dedicated approach will go a long way. Businesses must rely on conducting routine API audits to keep security threats at bay and improve the overall development process. These audits may also prove beneficial in preventing threat agents like malicious bots from breaking into the systems.
API usage is on a constant rise and there is no doubt that they are empowering organizations around us to make more dynamic and accessible products. This increase in volume and velocity of API-dependent applications means that businesses must now take API security more seriously. The need of the hour is to establish development pipelines that consider API security right from the start—and continue following the best practices to prevent and mitigate all potential threats.
Technical review by Kin Lane.