Understanding API Security
What is API Security?
API security is a general term for the practices and protocols designed to protect your API, or Application Programming Interface. Security has many elements and is best thought of as a comprehensive strategy.
Effective security can grant huge benefits, reducing the likelihood of data breaches, unauthorized access, uncontrolled resource expenditure, and other risks, but it is also a significant balancing act. APIs work by sharing data across web applications, and managing threats from unauthorized users while ensuring authorized users are not unnecessarily hampered is a universal challenge for security teams and software systems.
In this article, we'll look at some fundamentals necessary to enforce security, block attacks, and address weak points, all while ensuring legitimate users are supported and data exchange is facilitated.
API Security Fundamentals
Data Encryption
It's important to ensure that your data is secure, and the best way to go about this is to use adequate encryption. Encryption is the process of taking data and scrambling it so that only trusted users who can unscramble it are able to use it. The more data you hold, the wider your attack surface, so ensuring you have adequate encryption from day one is a critical part of securing your application programming interfaces.
Data Encryption in Transit
APIs carry data from system to system, and this data should be adequately secured in transit. Transport Layer Security, or TLS, is an industry-standard solution that can be used to encrypt data as it's exchanged, protecting it from eavesdropping, tampering, and man-in-the-middle attacks. TLS is essential to protect sensitive data and ensure communication security.
Data Encryption at Rest
When data has been transferred, it must be secured at rest so that any potential exfiltration is mitigated. In cloud APIs this is especially important, as there is no real physical separation between data processing and storage. There are many solutions for encryption at rest, but you should consider how easy each is to maintain: security moves fast, and what's secure today may not remain secure forever.
Authentication and Authorization Mechanisms
Protecting sensitive data is as much about securing the data as it is about securing access, ensuring only authorized users can access critical information and functions. Accordingly, implementing proper access control policies is a vital step in setting a strong security posture. There are two types of access controls in this domain - authentication and authorization.
What is Authentication?
Authentication is making sure that a user is who they say they are. If a user claims to be an admin named AdminUser01, the system must verify that this person is who they say they are. This can take a variety of forms, including the use of data and hardware keys or authentication tokens that establish that the user is accessing the system in a way consistent with how it has been accessed before. It can also include passwords and other factors.
What is Authorization?
Authorization, on the other hand, is proving that a user has the right to access what they are trying to access. This can be accomplished through a variety of mechanisms, including role-based access control, object-level access control, and more. Broken object-level authorization is a very common issue, even in otherwise secure authorization implementations; this is a great example of the fact that authorization should be comprehensive and complementary. Good enough in one area is not good enough for the whole system.
The good news is that there are many authorization solutions in the market, and open authorization standards such as OAuth offer a relatively plug-and-play solution at scale.
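As an added illustration of the broken object-level authorization problem described above (example code, not from the original article), the following shows an order lookup that trusts the client-supplied id beside one that checks ownership per object; the in-memory ORDERS table and the Request type are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two users, each owning one order.
ORDERS = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 99.50},
}


@dataclass
class Request:
    user: str       # authenticated principal, as established by the auth layer
    order_id: int   # object id taken from the client, e.g. GET /orders/102


def get_order_vulnerable(req: Request) -> Optional[dict]:
    """Broken object-level authorization: the client-supplied id is trusted
    as-is, so any authenticated user can read any order by changing the id."""
    return ORDERS.get(req.order_id)


def get_order_checked(req: Request) -> Optional[dict]:
    """Hardened version: the decision is made per object, not per endpoint.
    The lookup succeeds only when the caller owns the requested record, and
    'missing' and 'not yours' both return None so an id's existence is not
    confirmed to a caller who should not know about it."""
    order = ORDERS.get(req.order_id)
    if order is None or order["owner"] != req.user:
        return None
    return order


if __name__ == "__main__":
    cross_user = Request(user="alice", order_id=102)
    print("vulnerable:", get_order_vulnerable(cross_user))  # bob's order leaks
    print("checked:   ", get_order_checked(cross_user))     # None
```

Note that authentication passed in both cases; the difference is entirely in whether the handler asks "may this user see this object" before returning it.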
Multi-factor Solutions
It is important to remember that these mechanisms should not hinge on single points of failure. Authentication should take into account not just things a user might know, but things the user has, things the user is, and so on. This is commonly referred to as multi-factor authentication.
API Security Risks and Threats
Common API Security Threats
When discussing API security, we should consider the kind and breadth of exposures and security weaknesses. First, there are issues of authorization and authentication: faults where users are not properly controlled or vetted, and their access is unrestricted or less strictly restricted than it should be, exposing data and functions.
Next, there is the general category of data integrity and process security. Injection attacks, such as SQL injection and cross-site scripting (XSS), can be used to exploit vulnerabilities in APIs. Injection through user input and command injection can turn untrusted data and corrupted functions into an internal threat used to gain access, bypass authentication, and undermine all the steps you've taken to protect APIs at scale. Man-in-the-middle attacks can be used to hijack interactions, infiltrating the system under cover of otherwise legitimate traffic.
There are also major concerns with misconfiguration and vendor dependency. Misconfiguration can take the most secure implementation and render it fundamentally broken, making strong authentication effectively useless, and in many cases this may not even result from anything you have done: a poorly chosen vendor can be just as bad as an insecure implementation.
With so many risks, how can developers begin to form a plan for tackling this issue?
OWASP Top Ten
Luckily, the Open Worldwide Application Security Project, or OWASP, has put together a list called the OWASP Top Ten. While this list is not exhaustive, it is nonetheless representative of the most common threats to which APIs are exposed.
The OWASP Top Ten divides the most common security issues into the following categories:
A01:2021-Broken Access Control
This category covers services with broken access control, allowing users to access data without proper security controls standing in the way.
A02:2021-Cryptographic Failures
This is when cryptographic implementations are flawed, resulting in data exposure or, in serious cases, full system compromise.
A03:2021-Injection
Injection occurs when data is forced into the system through transit failures, poor sanitization, and so on. Attacks of this kind can expose the underlying data and systems, and often stem from poor external vendor integration or sanitization procedures.
A04:2021-Insecure Design
This type of issue comes from poor design processes, including poor development paradigms, codebase structures, and security design.
A05:2021-Security Misconfiguration
This is a broad category, but it is unfortunately very common. Poor configuration can lead to even powerful solutions being rendered basically ineffective, exposing data and creating additional vectors for attacks.
A06:2021-Vulnerable and Outdated Components
This refers to using outdated or unpatched software components with known vulnerabilities. Attackers can exploit these known weaknesses if not updated or patched promptly.
A07:2021-Identification and Authentication Failures
This used to be called "Broken Authentication," but this has also been expanded to include identification issues. This category covers issues where authentication mechanisms are improperly implemented, allowing attackers to compromise passwords, keys, or session tokens.
A08:2021-Software and Data Integrity Failures
This includes vulnerabilities that occur when software updates, critical data, or CI/CD pipelines are not verified, allowing attackers to inject malicious code or manipulate data.
A09:2021-Security Logging and Monitoring Failures
This category highlights the lack of proper logging, monitoring, and alerting mechanisms that can help detect security breaches. Without these, attackers can operate undetected.
A10:2021-Server-Side Request Forgery
SSRF vulnerabilities occur when an attacker is able to induce a server-side application to make HTTP requests to an unintended destination, potentially leading to unauthorized actions or information disclosure.
Secure API Design and Development
The best way to ensure you have a good security posture is to start early. Adopting some general processes for secure API design and development is a great way to ensure a culture of security.
Secure Coding Practices
Secure coding practices baked into the application development process itself, such as input validation and error handling, can help prevent common API security threats. Ensuring that all data entering the system has been vetted and sanitized means that even attacks using what seems like valid traffic can be stopped in their tracks, preventing the abuse of your internal authentication and authorization systems.
Using secure protocols, such as HTTPS and TLS, can help protect data transmitted through APIs. This ensures your data is secure in transit and can be protected from man-in-the-middle attacks that might hijack the traffic for nefarious purposes.
Be Defensive
Approaching your system with defense in mind can help create a more secure implementation for your APIs. Rate limiting and quotas can help prevent denial-of-service attacks and abuse in ways that are often invisible to the average end user, giving you a strong defensive posture from day one.
Using JSON Web Tokens (JWTs) and other secure authentication mechanisms can help protect API endpoints. Pairing this with a Zero-Trust paradigm, where everything is validated and nothing is intrinsically trusted, can ensure that these systems are cross-validated and secured in their own context.
API Traffic Management and Monitoring
Managing API Traffic
A huge first step in securing your traffic is managing traffic generation. Managing traffic involves controlling and regulating the flow of requests and responses between APIs and clients, as well as using load balancers to prevent overload and distribute that traffic across services. This can prevent DDoS attacks and other attacks focused on overwhelming the system.
Implementing caching and content delivery networks (CDNs) can help improve API performance and reduce latency. In doing so, attacks that focus on overwhelming systems and forcing errors can be drastically reduced in efficacy, as the potential damage done by any one attack vector is mitigated.
Monitoring Traffic
Of course, it's not good enough to just manage the traffic - you also need to monitor the API events coming into the system. Monitoring traffic involves tracking and analyzing API requests and responses to detect security threats and performance issues.
Implementing real-time monitoring and alerting can help detect and respond to security incidents quickly. In essence, if your API is a secure stronghold, monitoring is a tower by which you can survey the land and ensure your stronghold is not beset by hidden enemies.
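As an added example of the kind of detection the monitoring described above should perform (not code from the original article), the following parses constructed access-log lines in combined-log format and flags any client that accumulates repeated 401/403 responses inside a sliding window, a pattern worth an alert because it is what credential guessing or object-id enumeration looks like from the server side. The log lines, IPs and threshold are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (combined-log style, one request per line).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /api/orders/101 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /api/orders/101 HTTP/1.1" 401 0
10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "GET /api/orders/102 HTTP/1.1" 401 0
10.0.0.9 - - [12/Mar/2024:10:00:09 +0000] "GET /api/orders/103 HTTP/1.1" 401 0
10.0.0.9 - - [12/Mar/2024:10:00:14 +0000] "GET /api/orders/104 HTTP/1.1" 403 0
10.0.0.9 - - [12/Mar/2024:10:00:20 +0000] "GET /api/orders/105 HTTP/1.1" 401 0
10.0.0.5 - - [12/Mar/2024:10:03:00 +0000] "POST /api/login HTTP/1.1" 401 0
10.0.0.5 - - [12/Mar/2024:10:05:30 +0000] "POST /api/login HTTP/1.1" 401 0
10.0.0.9 - - [12/Mar/2024:10:10:00 +0000] "GET /api/orders/106 HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}

def find_auth_failure_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> largest number of 401/403 responses it produced within
    any span of length `window`, for clients that reached `threshold`."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (401, 403):
            failures[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits in `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts
```

Running find_auth_failure_bursts over SAMPLE_LOG.splitlines() with the defaults flags only 10.0.0.9 (five failures in 18 seconds); the two spaced-out login failures from 10.0.0.5 stay below the threshold, which is the kind of tuning that keeps the alert from firing on ordinary typos.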
API Discovery
Part of making sure your APIs are secure is knowing that they exist. Of course, in an ideal world we would know of every API ever built within our company. However, the reality is that API inventories are not always accurate, which could lead to untested and potentially vulnerable APIs within your attack surface. This is where API discovery tools can come in handy to ensure that every API, including those created maliciously or forgotten by accident, is included in testing and API security efforts. Tools like StackHawk actually do this at the code level by searching code for hidden and unknown endpoints and then marking them to be tested, helping to improve security for all APIs hosted on the cloud or otherwise.
Cloud API Security Considerations
Cloud API Security Challenges
Cloud APIs come with their own specific risks and issues. Notably, Cloud APIs must be concerned with both the services themselves as well as the complex cloud environments in which they operate. To add another wrinkle, Cloud APIs often involve multiple stakeholders and third-party services, which can increase the overall risk and complexity of the security posture.
API protection in the cloud shares some common risks with web APIs, such as broken user authentication, broken function-level authorization, and other attacks, but there are some unique risks arising from their dependence on external solutions: these include implementation flaws, shadow and exposed APIs, leaked login credentials, data breaches, and more.
Effective cloud security requires specialized measures, such as cloud-specific access controls and encryption to prevent malicious attempts to steal sensitive data or exploit implementation flaws, proper API lifecycle management to prevent deprecation and adoption issues, and a strong external API usage control paradigm.
Cloud API Security Best Practices
Cloud API security best practices include implementing cloud-specific security measures, such as cloud access security brokers (CASBs) and cloud security gateways. Implementing cloud-native security controls, such as cloud-based firewalls, cloud-native web application firewalls, hybrid web firewalls, and intrusion detection systems, can help protect both cloud APIs and the applications behind them.
Keep in mind that many standards and solutions have evolved in the cloud environment. Cloud security frameworks and standards from bodies such as the Cloud Security Alliance (CSA) and the Open Web Application Security Project (OWASP) can help ensure cloud API security, using time-tested approaches to protect sensitive information and data.
API Security Tools and Solutions
Choosing the Right API Security Solution
It is vital that you choose the right API security solution. Once data is exposed, the cat is out of the bag, so it's important to get this right the first time. API security solutions include API gateways, security proxies, and cloud security services; evaluating their features and functionality as part of a comprehensive approach can help ensure that you choose the right one for your APIs, your environment, and your needs.
No one solution is inherently secure, so considering your security as a complete offering, while weighing the scalability, performance, and cost of API security solutions, can help ensure that you choose a solution that meets your needs and budget.
StackHawk for Cloud API Security and API Discovery
Infrastructure is only one piece of the puzzle when it comes to deploying APIs in the cloud. At the code level, ensuring that applications are secure is also crucial. StackHawk's modern dynamic API and application security testing (DAST) platform allows developers to test locally or in CI/CD, allowing them to detect and remedy potential security issues lurking within their applications. Testing before the code can hit production servers running on the cloud is an essential first step in cloud API security. To try StackHawk out for yourself, sign up today for a 14-day free trial.