5 Steps to Strengthen API Security
API misconfigurations and the attacks they attract occur more regularly than you might anticipate. Strengthen your API security using these best practices.
APIs are the connective tissue of scalable websites — fundamental to functioning in today’s digital world. But much like the physical world, weaknesses in connections and associated protocols can result in significant, sometimes existential, trouble.
A recent instance includes data leaks that stemmed from the misconfiguration of Microsoft Power Apps portals to enable public access. When examining this case, UpGuard found that the type of data varied between portals, and even included personal information that was used for COVID-19 contact tracing and COVID-19 vaccination appointments — as well as Social Security numbers, employee IDs, and millions of email addresses and names.
The operators of those portals aren’t alone. API misconfigurations and the attacks they attract occur more regularly than one might anticipate. As a Salt Security report found, 94% of the nearly 200 enterprise security officials surveyed said their organization experienced an API security incident in 2020. The report also uncovered a 348% increase in malicious API traffic over six months, highlighting how attackers are focusing their attention on data access.
OWASP also started a separate “OWASP API Security Top 10” in 2019 to monitor API weaknesses. APIs represent a ready method to access data exposed by an organization, some APIs are intended for public use, while others are intended for use solely by applications and web services within an organization. Regardless of usage, APIs are constructed to provide direct data access, which is why explicitly testing to ensure an API doesn’t return excess data or allow authorization bypasses is crucial. In the BSIMM12, activity ST2.6 covers fuzz testing of APIs, but only 12% of organizations were found to be performing this activity.
To change this API narrative for the better, the following five best practices can be used to strengthen API monitoring and protection.
1. Know What You Have So You Can Keep It Protected
While it may be considered a cliché, it’s true — when it comes to security, you can’t protect what you don’t know you have. This is the problem with far too many APIs. Code may not be formally documented in a way that humans or machines can accurately digest. This can lead to it not getting tested.
In order to address this and ensure you know what you have:
- First, build an inventory of your API-based application assets.
- Next, you’ll want to prioritize them by risk level based both on business impact and data usage.
- Once assessed by risk level, it’s time to find API endpoints for those assets.
- To preserve your API inventory, you’ll also want to track automated deployments.
- Lastly, you’ll want to simplify issue detection through automation via security tools and services.
Identity and access management (IAM) is a standard security practice, but when it comes to APIs, the focus should be on how users authenticate with the API and how API authorization segments or scopes the data provided by the API. Luckily, there are many ways to go about this, the key being to track a user through the system. It’s critical that each method within an API is developed with an understanding of user authentication and what the minimum dataset for the activity implemented by the method might be.
2. Understand Data Validation and Trust Your APIs
APIs validate the requested data they receive from a data consumer and determine whether or not it is malformed. If it is malformed, will the requested data be validated?
Similar to web applications, conducting input validation is essential for APIs. An application that uses public APIs accepts the risk of a man-in-the-middle attacker that could modify the data returned by the API or modify the data presented to the API on its behalf. This is why an API must know what to do when presented with malformed data. The validation process here is a bit different — while the values of parameters need to be checked, API data is often a part of a data schema which means each parameter could have meaning relative to the remainder of the data. This is why you need validation at the schema level versus solely in the data element or parameter level.
3. Don’t Overlook the Cryptography
Ensuring data at rest and in transit is encrypted in a secure manner as and when needed is vitally important, and should go without saying. This includes implementing expiration semantics for items like the AuthZ JSON Web Tokens, request forgery tokens, or validating various cryptographic signatures and certificates used during authorization and by message encapsulation protocols.
4. Avoid Misconfiguration
Deploying an API in a cloud environment or with containers can weaken efforts put into securing your APIs. If you plan to select one of those deployment environments, make sure that they are configured securely. Even the most securely developed application can be weakened by poor deployment practices, and APIs are no different. API security misconfiguration can include a variety of things such as unpatched systems, unprotected files, and directories, unhardened images, missing, outdated, or misconfigured TLS. In fact, OWASP API Top 10 categorized API misconfiguration as API7:2019.
5. Ensure Active Monitoring/Alerting
Successfully monitoring your APIs and ensuring an effective alert system requires several key areas of focus, including:
- Examine the content: Perform application-layer scanning. This will help monitor for someone trying to use SQL injection or another HTTP-based attack. Having a clear understanding of how you are examining traffic coming into your API is essential, but traffic monitoring must also include processes to identify anomalies.
- Bot/attack detection: Ensure that controls are in place or baked into your APIs to protect against common attack techniques. It’s critical to also be able to identify automated attacks conducted by bots, including brute force attacks.
- Data throttling: Have a strategy in place on how you will limit API usage for rogue API clients. Excess traffic might not be malicious, but if it impacts operations, your customers will care.
- Build an audit and trace program: Put in place a tactical auditing process, including auditing logs and meaningful activity alerts. The program should be able to clearly identify the source of any findings such that corrective action is taken.
Security should be built into your software, and applying these concepts it will help to ensure a deeper understanding of your APIs and the role they play in your software.