API, short for Application Programming Interface, is a set of protocols and defined rules that lets two or more programs or applications interact with each other. Today APIs are used by IT systems of every size, covering mobile applications, web applications, IoT systems and more. By some estimates, around 85 percent of web traffic consists of API calls.

Most big companies, including Google, Facebook, Spotify and Twitter, use APIs in their services, and several of them, Facebook, Spotify and Twitter among them, publish their full API documentation to help developers.

Types of API

  • SOAP - short for Simple Object Access Protocol. An XML-based web API protocol with a strict message envelope; verbose, but still common in enterprise integrations.
  • REST - short for Representational State Transfer. An architectural style with the characteristics of a client-server model, statelessness, cacheability and a uniform interface, usually carried over HTTP with JSON payloads.
  • GraphQL - a query language for APIs whose advantage is that the client can retrieve exactly the data it needs, across several resources, in a single request.

OWASP API Security Top 10 - 2019

OWASP is an open security community that publishes lists of the vulnerability types found most widely in software and applications. Below is its list of the vulnerability types most often found in API-based applications and software:

API          Security Issue Category
API1:2019    Broken Object Level Authorization
API2:2019    Broken User Authentication
API3:2019    Excessive Data Exposure
API4:2019    Lack of Resources & Rate Limiting
API5:2019    Broken Function Level Authorization
API6:2019    Mass Assignment
API7:2019    Security Misconfiguration
API8:2019    Injection
API9:2019    Improper Assets Management
API10:2019   Insufficient Logging & Monitoring

This blog talks briefly about five golden rules of API security that help secure an API against malicious actors.

5 Golden Rules of API Security

(1) Robust Authorization Mechanism

The authorization mechanism controls access to resources and grants it only to users who have the right to access them. In an API this must hold at the object level (may this user read this particular order?) and at the function level (may this user call the admin endpoint?); these are OWASP's API1 and API5 categories above.

Some mitigation techniques for preventing authorization vulnerabilities:

  • define user policies and enforce them in the authorization layer on every request, never only in the client
  • use random, unpredictable values (for example random UUIDs) for object identifiers instead of sequential IDs, so records cannot be enumerated; this complements the ownership check, it does not replace it
  • log every action that requests data from the database, including denied requests
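
The following is an added example, not code from the original post, showing the object-level check the list above describes. The store, the `support` role and the audit list are constructed for illustration; the point is that `get_order` decides on ownership for every request, while `get_order_vulnerable` is the API1:2019 shape that trusts whoever supplies an id.

```python
import uuid

# Constructed in-memory store and audit trail for this example (hypothetical).
ORDERS = {}
AUDIT_LOG = []


def create_order(owner_id, item):
    """Create an order keyed by a random UUID rather than a sequential id.

    Random ids stop an attacker from walking /orders/1, /orders/2, ...;
    they complement the ownership check below, they do not replace it.
    """
    order_id = str(uuid.uuid4())
    ORDERS[order_id] = {"id": order_id, "owner": owner_id, "item": item}
    return order_id


def get_order_vulnerable(order_id):
    """API1:2019 Broken Object Level Authorization: the handler looks the
    object up by id and hands it to whoever supplied the id."""
    return ORDERS.get(order_id)


def get_order(requester_id, requester_roles, order_id):
    """Object-level authorization enforced on every access.

    Returns (status, body). Missing and foreign objects both yield 404 so
    the response does not reveal which ids exist.
    """
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    is_owner = order["owner"] == requester_id
    if not is_owner and "support" not in requester_roles:
        # Denied access is logged too; this is where the audit trail for
        # rule (3) starts.
        AUDIT_LOG.append(f"denied user={requester_id} order={order_id}")
        return 404, None
    AUDIT_LOG.append(f"read user={requester_id} order={order_id}")
    return 200, order


if __name__ == "__main__":
    oid = create_order("alice", "laptop")
    print(get_order_vulnerable(oid))          # anyone holding the id gets it
    print(get_order("mallory", set(), oid))   # (404, None)
    print(get_order("alice", set(), oid)[0])  # 200
```

Returning 404 rather than 403 for a foreign object is a deliberate choice: a 403 confirms the id exists, which is exactly the information an enumeration attack wants.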

(2) Never Trust Client Input (Input Validation)

Implementing proper input validation mitigates injection vulnerabilities. Validate input against an allow-list (expected type, length and format) whenever an application accepts data from a client, and never feed input directly into queries such as SQL, LDAP or OS commands: use parameterized queries or the equivalent safe API so that client data is never interpreted as code. Escaping output for the context it lands in (HTML, JSON, shell) is a separate step and does not replace validation.
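
As an added example (not from the original post), the SQL case side by side: the vulnerable string-built query, the parameterized query that defeats the payload on its own, and an allow-list check placed in front of it. The database, users and username format are constructed for the demonstration.

```python
import re
import sqlite3

# Allow-list for the one field this endpoint accepts (assumed format).
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def setup_db():
    """Constructed in-memory SQLite database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """API8:2019 Injection: client input is spliced into the SQL text, so a
    quote in the input ends the literal and the rest becomes SQL."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def query_user(conn, username):
    """Parameterized query: the driver binds username as a value, so quotes
    and keywords inside it are data, never SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def find_user(conn, username):
    """Allow-list validation in front of the parameterized query. Rejecting
    anything that is not a plausible username keeps junk out of the
    database and the logs, and it is the only defence for sinks such as
    LDAP filters or shell commands that have no parameter binding."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return query_user(conn, username)


if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"
    print(find_user_vulnerable(conn, payload))  # both rows leak
    print(query_user(conn, payload))            # []
    print(find_user(conn, "alice"))             # [('alice', 'alice@example.com')]
```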

(3) Logging Each Security Event

If logs are analyzed properly and in near real time, many security breaches can be detected early enough to contain them, and a large share could be avoided altogether.

Some mitigation techniques for preventing a small event from becoming a big security incident:

  • Integrate a Security Information and Event Management (SIEM) system to analyze the logs produced by the API system.
  • Define rules and configure alerts so that anomalies and suspicious activity are identified as early as possible.
  • Always log failed authentication events, and raise an alert (to the operations team and, where appropriate, the affected user) when the number of failed attempts for an account or source address crosses a threshold.
  • Finally, install a log management solution that retains logs long enough for incident investigation, and implement rules on it to identify security incidents.
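
The rule in the third bullet, as an added example that is not part of the original post. The log lines are constructed, one JSON object per line as a gateway might emit them; the threshold and window are assumed values. Counting failures per source address and per account at the same time catches the two common shapes: one address trying many accounts (credential stuffing) and many addresses trying one account (distributed brute force).

```python
import json
from collections import defaultdict

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOGS = [
    # One source address trying six different accounts within seconds.
    '{"ts": 100, "event": "auth_failure", "user": "u1", "ip": "203.0.113.5"}',
    '{"ts": 101, "event": "auth_failure", "user": "u2", "ip": "203.0.113.5"}',
    '{"ts": 102, "event": "auth_failure", "user": "u3", "ip": "203.0.113.5"}',
    '{"ts": 103, "event": "auth_failure", "user": "u4", "ip": "203.0.113.5"}',
    '{"ts": 104, "event": "auth_failure", "user": "u5", "ip": "203.0.113.5"}',
    '{"ts": 105, "event": "auth_failure", "user": "u6", "ip": "203.0.113.5"}',
    # One account attacked from five different addresses.
    '{"ts": 200, "event": "auth_failure", "user": "bob", "ip": "198.51.100.1"}',
    '{"ts": 210, "event": "auth_failure", "user": "bob", "ip": "198.51.100.2"}',
    '{"ts": 220, "event": "auth_failure", "user": "bob", "ip": "198.51.100.3"}',
    '{"ts": 230, "event": "auth_failure", "user": "bob", "ip": "198.51.100.4"}',
    '{"ts": 240, "event": "auth_failure", "user": "bob", "ip": "198.51.100.5"}',
    # Background noise: a success, two widely spaced typos, a corrupt line.
    '{"ts": 300, "event": "auth_success", "user": "alice", "ip": "192.0.2.9"}',
    '{"ts": 50, "event": "auth_failure", "user": "alice", "ip": "192.0.2.9"}',
    '{"ts": 400, "event": "auth_failure", "user": "alice", "ip": "192.0.2.9"}',
    'this line is not json',
]

FAIL_THRESHOLD = 5    # failures within the window that raise an alert (assumed)
WINDOW_SECONDS = 60   # sliding window length (assumed)


def parse(lines):
    """Parse JSON log lines, skipping corrupt ones instead of crashing the
    pipeline; a real deployment would count the skips as a health metric."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of auth failures keyed by source ip and by user.

    Returns one alert per key the first time it reaches the threshold
    inside the window.
    """
    failures = defaultdict(list)   # (kind, value) -> failure timestamps in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "auth_failure":
            continue
        for kind in ("ip", "user"):
            times = failures[(kind, ev[kind])]
            times.append(ev["ts"])
            while times and ev["ts"] - times[0] > window:
                times.pop(0)            # expire failures outside the window
            if len(times) == threshold:
                alerts.append({"kind": kind, "value": ev[kind],
                               "at": ev["ts"], "count": threshold})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOGS)):
        print(alert)
```

Note that neither pattern trips a per-user-only or per-ip-only counter: the stuffing run fails each account once, and the distributed run uses each address once. The same logic is what a SIEM correlation rule expresses declaratively.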

(4) Use SSL/TLS

Always use an encrypted transport when communicating data. Use current TLS versions (1.2 or 1.3) to secure data in transit, disable SSL and TLS 1.0/1.1 on the server, have clients verify the server certificate and hostname, and serve the API over HTTPS only (with an HSTS header) so that a request never silently downgrades to plaintext.
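
An added example, not from the original post, of what those settings look like in Python's standard `ssl` module: a client context of the kind that "makes the error go away" beside the hardened client and server contexts, plus a small checker. The certificate and key paths in `server_context` are placeholders.

```python
import ssl


def insecure_client_context():
    """What 'it works now' code often looks like: the client accepts any
    certificate for any hostname, so anyone on the path can terminate the
    TLS session and read or modify the API traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_context():
    """Client side: verify the server certificate against the system trust
    store, check the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def server_context(certfile, keyfile):
    """Server side: TLS 1.2+ only, TLS compression off, and the server's
    own certificate chain. certfile/keyfile paths are assumed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


# Response header that keeps browsers and well-behaved clients on HTTPS
# for a year, including subdomains.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def assess_context(ctx):
    """List the weaknesses of a client SSLContext; an empty list passes."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed")
    return findings


if __name__ == "__main__":
    print(assess_context(insecure_client_context()))
    print(assess_context(client_context()))   # []
```

`assess_context` is the kind of check worth running in a unit test against every context the service builds, because the insecure variant usually enters a code base as a quick fix for a certificate error and is never revisited.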

(5) Authentication Mechanism

Authentication verifies the credentials presented by a user and establishes who the user is; authorization (rule 1) then decides what that user may do.

Authentication endpoints are favorite targets of malicious actors, as they are publicly reachable and the most rewarding to breach.

Some mitigation techniques for preventing authentication vulnerabilities:

  • Always use standard practices for password storage, authentication token generation and so on. Do not implement these yourself when standard, proven algorithms and libraries are available.
  • Implement rate limiting together with a captcha or account lockout mechanism to defeat brute force against users and resources.
  • Implement multi-factor authentication to add a layer of security.
  • Understand the authentication flows and identify every mechanism by which a client can authenticate to the application (password login, API keys, OAuth tokens, password reset, legacy endpoints). You can ask the developers for help here.
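
The first two bullets above, as an added example that is not from the original post: salted PBKDF2 password hashing from the standard library with a constant-time comparison, and a per-account lockout counter. The user store, the thresholds and the `now` parameter are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 from the standard library. OWASP's password storage
# guidance puts the work factor in the hundreds of thousands of iterations;
# prefer a dedicated library (argon2-cffi, bcrypt) where one is available.
PBKDF2_ITERATIONS = 600_000
MAX_FAILED = 5          # failed attempts before the account locks (assumed)
LOCKOUT_SECONDS = 900   # how long the lock lasts (assumed)


def hash_password(password):
    """Salted PBKDF2 hash, stored with its parameters so the work factor
    can be raised later without breaking verification of old records."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    """Recompute with the stored salt and iteration count; compare in
    constant time so the mismatch position does not leak through timing."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Verified for unknown usernames so that a login attempt costs the same
# time whether or not the account exists (no user enumeration by timing).
DUMMY_HASH = hash_password(secrets.token_hex(16))


class Authenticator:
    """Constructed in-memory user store with per-account lockout (hypothetical)."""

    def __init__(self):
        self.users = {}

    def register(self, username, password):
        self.users[username] = {"hash": hash_password(password),
                                "failed": 0, "locked_until": 0}

    def login(self, username, password, now):
        """Return 'ok', 'invalid' or 'locked'. `now` is a timestamp in seconds."""
        user = self.users.get(username)
        if user is None:
            verify_password(DUMMY_HASH, password)
            return "invalid"
        if now < user["locked_until"]:
            return "locked"           # do not even evaluate the password
        if verify_password(user["hash"], password):
            user["failed"] = 0
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED:
            user["failed"] = 0
            user["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")
    print(auth.login("alice", "correct horse battery staple", now=0))   # ok
    print(auth.login("alice", "guess", now=1))                          # invalid
```

Account lockout on its own lets an attacker lock a victim out by design, which is why the bullet pairs it with rate limiting and captcha: throttle per source address first, and lock the account only when that is not enough.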

Conclusion

Adopting best security practices always helps in mitigating API security issues. In the end, I will just say that implementing defense-in-depth mechanisms is what reliably protects an IT system against serious attacks.