Keys and OAuth

API security: 12 essential best practices

API security_12 essential best practices

API security should never be taken for granted. With the increasing demand for data-centric projects, companies have quickly opened up to their ecosystem through SOAP or REST APIs.

Application Programming Interfaces (or APIs for short) are the doors to closely guarded data of a company. They’re extremely useful because they allow two different applications to communicate.

On the surface, this is great because they make life much easier for developers, but at the same time, it creates the following challenge: How can we keep the doors open for the API ecosystem and sealed off from hackers at the same time?

There are ways you can do it and strategies that you can employ to reap the benefits that APIs offer while keeping all of your data safe. So, let’s go over some API security best practices. Here are 12 simple tips to avoid security risks and secure your APIs.

1. Encryption

Be cryptic. Nothing should be in the clear for internal or external communications. Encryption will convert your information into code. This will make it much more difficult for sensitive data to end up in the wrong hands.

You and your partners should cipher all exchanges with TLS (the successor to SSL), whether it is one-way encryption (standard one-way TLS) or, even better, mutual encryption (two-way TLS).

Use the latest TLS versions to block the usage of the weakest cipher suites.

2. Authentication

Don’t talk to strangers. In simple terms, authenticity is real. It means something (or someone) is who they say they are. In the digital world, authentication is the process of verifying a user’s identity. It essentially pulls off the mask of anyone who wants to see your information.

So, you should always know who is calling your APIs. There are several methods to authenticate:

  • HTTP Basic authentication where a user needs to provide user ID and password
  • API key where a user needs to a unique identifier configured for each API and known to API Gateway
  • A token that is generated by an Identity Provider (IdP) server. OAuth 2 is the most popular protocol that supports this method.

At the very least you should use an API key (asymmetric key) or basic access authentication (user/password) to increase the difficulty of hacking your system. But you should consider using OAuth 2 as your protocol of choice for a robust security of your APIs.

3. OAuth & OpenID Connect

Delegate all responsibilities. A good manager delegates responsibility, and so does a great API. You should be delegating authorization and/or authentication of your APIs to third party Identity Providers (IdP).

What is OAuth 2? It is a magical mechanism preventing you from having to remember ten thousand passwords. Instead of creating an account on every website, you can connect through another provider’s credentials, for example, Facebook or Google.

It works the same way for APIs: the API provider relies on a third-party server to manage authorizations. The consumer doesn’t input their credentials but instead gives a token provided by the third-party server. It protects the consumer as they don’t disclose their credentials, and the API provider doesn’t need to care about protecting authorization data, as it only receives tokens.

OAuth is a commonly used delegation protocol to convey authorizations. To secure your APIs even further and add authentication, you can add an identity layer on top of it: this is the Open Id Connect standard, extending OAuth 2.0 with ID tokens.

4. Call security experts

Don’t be afraid to ask for (or use) some help. Call in some security experts. Use experienced Antivirus systems or ICAP (Internet Content Adaptation Protocol) servers to help you with scanning payload of your APIs. It will help you to prevent any malicious code or data affecting your systems.

There are several security APIs you can use to protect your data. They can do things like:

  • Integrate two-factor authentication
  • Create passwordless login, or time-based one-time passwords
  • Send out push alerts if there’s a breach
  • Protect against viruses and malware
  • Prevent fraud
  • Let you know if a password is a known password used by hackers
  • Add threat intelligence
  • Provide security monitoring

The best part is that some of these antivirus systems are free to use. Others offer monthly plans. Premium plans will provide more protection, but you can decide for yourself the type of security you need.

5. Monitoring: audit, log, and version

Be a stalker. Continually monitoring your API and what it’s up to can pay off. Be vigilant like that overprotective parent who wants to know everything about the people around their son or daughter.

How do you do this? You need to be ready to troubleshoot in case of error. You’ll want to audit and log relevant information on the server — and keep that history as long as it is reasonable in terms of capacity for your production servers.

Turn your logs into resources for debugging in case of any incidents. Keeping a thorough record will help you keep track and make anything that’s suspicious more noticeable.

Also, monitoring dashboards are highly recommended tools to track your API consumption.

Do not forget to add the version on all APIs, preferably in the path of the API, to offer several APIs of different versions working and to retire and depreciate one version over the other.

6. Share as little as possible

Be paranoid. It’s OK to be overly cautious. Remember, it’s vital to protect your data.

Display as little information as possible in your answers, especially in error messages. Lock down email subjects and content to predefined messages that can’t be customized. Because IP addresses can give locations, keep them for yourself.

Use IP Whitelist and IP Blacklist, if possible, to restrict access to your resources. Limit the number of administrators, separate access into different roles, and hide sensitive information in all your interfaces.

7. System protection with throttling and quotas

Throttle yourself. You should restrict access to your system to a limited number of messages per second to protect your backend system bandwidth according to your servers’ capacity. Less is more.

You should also restrict access by API and by the user (or application) to ensure that no one will abuse the system or anyone API in particular.

Throttling limits and quotas – when well set – are crucial to prevent attacks coming from different sources flooding your system with multiple requests (DDOS – Distributed Denial of Service Attack). A DDOS can lock legitimate users out of their own network resources.

8. Data validation

Be picky and refuse surprise gifts, especially if they are significantly large. You should check everything your server accepts. Be careful to reject any added content or data that is too big, and always check the content that consumers are sending you. Use JSON or XML schema validation and check that your parameters are what they should be (string, integer…) to prevent any SQL injection or XML bomb.

9. Infrastructure

Network and be up to date. A good API should lean on a good security network, infrastructure, and up-to-date software (for servers, load balancers) to be solid and always benefit from the latest security fixes.

10. OWASP Top 10

Avoid wasps. The OWASP (Open Web Application Security Project) Top 10 is a list of the ten worst vulnerabilities, ranked according to their exploitability and impact. In addition to the above points, to review your system, ensure you have secured all OWASP vulnerabilities.

11. API firewalling

Build a wall. For some people, building a wall can solve all the immigration problems. This is the case, for APIs at least! Your API security should be organized into two layers:

  • The first layer is in DMZ, with an API firewall to execute basic security mechanisms like checking the message size, SQL injections, and any security based on the HTTP layer, blocking intruders early. Then forward the message to the second layer.
  • The second layer is in LAN with advanced security mechanisms on data content.

The more challenging you make it for cyber attackers to get at your information, the better.

12. API Gateway (API Management)

Gateway to heaven. All the above mechanisms are long to implement and maintain. Instead of reinventing the wheel, you should opt for a mature and high-performing API Management solution with all these options to save your money, time, and resources and increase your time to market. An API Gateway will help you secure, control, and monitor your traffic.

In addition to helping you secure your APIs easily, an API Management solution will help you make sense of your API data to make technical and business decisions: the key to success!

Now you know more about the basic mechanisms to protect your APIs! Have fun securing your APIs, hopefully with a great API Management solution.

Don’t take API security for granted

It’s unfortunate, but internet threats abound, and hackers are relentless. Implementing a solid API security plan is critical to protecting your information. Crucially, the ultimate best practice is to build API security into the general mindset and process of how APIs are designed and developed.

Axway’s Amplify API Management Platform makes it easier than ever to secure your digital experiences. It not only monitors and protects your API, but you’ll also have all of the information you need in one place. It’s visible and easy to read. You’ll never be vulnerable to cyber attacks, allowing you to focus on what you need to get done.

And if you combine the right technology with a more deliberate process, building security into the design process from the start, you can uncover and address security threats before they arise.

Learn more about how an open platform fortifies security in a world of rapidly evolving cyberattacks.