by Susanna Bouse
• August 25, 2020
Cyber security is one of the most prominent and pressing concerns for businesses today. The 2017 Equifax breach was one wake-up call: it cost more than $400 million and endangered the data of roughly 147 million people, due in large part to poor API security.
This has encouraged many to put a stronger focus on securing their APIs from such vulnerabilities. However, companies are still far from where they should be when it comes to API security. What are some essentials that you should put into practice to adequately protect your clients’ data?
This article will explore some common security risks, API security essentials and best practices, and finally some of the top API security tools.
API security is a broad topic that splits into two main categories: REST security and SOAP security.
REST (Representational State Transfer) is an architectural style for software, meaning a set of rules that developers follow in order to be REST compliant. RESTful APIs are the most common type.
SOAP (Simple Object Access Protocol) is a messaging protocol, so it is in a different category than REST. It is less commonly used, but it is still a strong option thanks to its built-in security measures.
The purpose of REST API security is to prevent unauthorized access to important data and processes. It generally relies on API keys or OAuth (Open Authorization), which are competing solutions for securing APIs from attacks. OAuth uses security tokens instead of passwords, while API keys are secret codes used to confirm the identity of the user requesting access. Additionally, both SOAP and REST can use HTTPS (Hypertext Transfer Protocol Secure) instead of plain HTTP for additional security.
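As an added illustration of the API-key approach described above (example code written for this article, not DreamFactory's own implementation), the following shows how a server can validate an API key without ever storing the key itself: the client receives the raw key once, the server keeps only a SHA-256 digest, and the check uses a constant-time comparison so response timing does not reveal how much of a guessed key was correct. The header names `X-API-Key-Id` and `X-API-Key`, the in-memory key store and the scope names are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumed key store for the example: key id -> (sha256 hex digest of the raw key, granted scopes).
# A real deployment would back this with a database; the raw key is never kept server-side.
_KEY_STORE: dict[str, tuple[str, set[str]]] = {}


def generate_api_key() -> tuple[str, str]:
    """Return (raw_key, stored_digest). The raw key goes to the client, only the digest is stored."""
    raw = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe for use in headers
    return raw, hashlib.sha256(raw.encode()).hexdigest()


def register_key(key_id: str, scopes: set[str]) -> str:
    """Create a key for a client and return the raw key to hand over exactly once."""
    raw, digest = generate_api_key()
    _KEY_STORE[key_id] = (digest, scopes)
    return raw


def authenticate(headers: dict[str, str], required_scope: str) -> tuple[int, str]:
    """Validate the assumed 'X-API-Key-Id' / 'X-API-Key' headers for a request.

    Returns an HTTP-style (status, reason) pair: 401 when the key cannot be verified,
    403 when it is valid but lacks the scope the endpoint needs, 200 otherwise.
    """
    key_id = headers.get("X-API-Key-Id", "")
    presented = headers.get("X-API-Key", "")
    presented_digest = hashlib.sha256(presented.encode()).hexdigest()

    record = _KEY_STORE.get(key_id)
    if record is None:
        # The digest above was computed regardless, so an unknown id takes about as long
        # as a known one and does not leak which ids exist.
        return 401, "unknown key id"

    stored_digest, scopes = record
    # compare_digest runs in constant time; a plain '==' would short-circuit on the first mismatch.
    if not hmac.compare_digest(stored_digest, presented_digest):
        return 401, "invalid key"
    if required_scope not in scopes:
        return 403, "key lacks scope " + required_scope
    return 200, "ok"


if __name__ == "__main__":
    key = register_key("client-1", {"read:orders"})
    print(authenticate({"X-API-Key-Id": "client-1", "X-API-Key": key}, "read:orders"))
    print(authenticate({"X-API-Key-Id": "client-1", "X-API-Key": key}, "write:orders"))
```

Hashing the stored key means a leaked key table does not hand an attacker working credentials, and checking scope separately from identity is what keeps a read-only integration from being able to modify data.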
One study revealed that companies on average are currently managing over 350 APIs, many of which will have inadequate security measures. Meanwhile, companies lose millions every year to vulnerabilities in APIs and other cyber security concerns.
Around 50% of B2B interaction takes place through APIs, and APIs also have a strong effect on the client experience. This means that APIs are handling a significant amount of client and business data, making adequate security even more essential.
That is why DreamFactory helps businesses to secure their API solutions. We build and monitor secure RESTful APIs and aid you in protecting clients’ data through improved API security.
There are some security concerns that are unique to APIs, including poor coding, CSRF (Cross-Site Request Forgery) attacks, man-in-the-middle attacks, XSS (Cross-Site Scripting) attacks and finally injection attacks.
REST APIs do not have the same strict standards as SOAP, meaning that they are more susceptible to this problem. Poor coding can easily make a REST API vulnerable to attackers who are looking for exactly the kind of opening it provides.
Poor coding may simply mean that your web service is easy to break, or it may mean that important security measures are lacking and an unauthorized user can access essential data.
A CSRF attack tricks a logged-in user into performing an action that may aid the attacker in stealing data, passwords, etc. This action may be changing an account setting or password, among other things. If the attack succeeds against someone who has full access to the application, then it compromises the application itself.
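The standard defence against the CSRF scenario above is a synchronizer token: the server ties a random token to the session and embeds it in its own pages, and a state-changing request is accepted only when the token comes back with it. A forged cross-site request still carries the session cookie (the browser attaches it automatically) but cannot know the token. The following is an added example written for this article, not code from the original page; the in-memory session store, cookie name `session` and the `change-email` endpoint are assumptions.

```python
from __future__ import annotations

import hmac
import secrets

# Assumed server-side session store: session id -> session data.
_SESSIONS: dict[str, dict] = {}


def create_session(user: str) -> str:
    """Log a user in: create a session and attach a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server renders into its own forms. Same-origin policy keeps other sites from reading it."""
    return _SESSIONS[sid]["csrf_token"]


def handle_change_email(cookies: dict[str, str], form: dict[str, str]) -> tuple[int, str]:
    """Hypothetical state-changing endpoint.

    The session cookie proves who the browser is logged in as, but not that the user
    intended this request, so the cookie alone must never authorize the change.
    """
    session = _SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "no session"
    presented = form.get("csrf_token", "")
    if not hmac.compare_digest(presented, session["csrf_token"]):
        return 403, "csrf token missing or invalid"
    session["email"] = form.get("email", "")
    return 200, "email updated"


if __name__ == "__main__":
    sid = create_session("alice")
    # Legitimate submission from the server's own form carries the token.
    print(handle_change_email({"session": sid}, {"email": "a@example.invalid",
                                                 "csrf_token": csrf_token_for(sid)}))
    # Forged cross-site submission: the cookie rides along, the token does not.
    print(handle_change_email({"session": sid}, {"email": "attacker@example.invalid"}))
```

Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side control, but the token check is what makes the server itself refuse requests it did not originate.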
Man-in-the-middle (MITM) attacks, also known as hijack attacks, are those where a user is trying to communicate legitimately with a second party or platform and an attacker intercepts, blocks or otherwise interrupts the line of communication without the victim being aware. The user then sends their credentials or other important information to the attacker instead of to the intended destination.
A Cross-Site Scripting attack is a client-side attack. The attacker injects a malicious script through an application into a website.
There are various types of injection attacks, but all involve malicious input into a program or service. Injection flaws permitting this type of attack are a common problem in APIs.
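Injection flaws come down to one property: input from the caller is interpreted as code (here, SQL) rather than as data. The added example below (written for this article, not from the original page) makes that property visible without any attack string: a perfectly ordinary name containing an apostrophe breaks the concatenated query, which proves the database is parsing the caller's text as SQL, while the parameterized version treats it as a value. The in-memory `users` table and its single row are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with one user whose name contains a quote character."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("INSERT INTO users (name, email) VALUES (?, ?)", ("O'Brien", "ob@example.invalid"))
    conn.commit()
    return conn


def find_user_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Flawed lookup: the caller's string is spliced into the SQL text, so the database
    parses it as part of the statement. This is the shape every SQL injection exploits."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened lookup: the value is bound as a parameter and is never parsed as SQL,
    whatever characters it contains."""
    return conn.execute("SELECT id, name, email FROM users WHERE name = ?", (name,)).fetchall()


def demonstrate(name: str = "O'Brien") -> dict:
    """Run both lookups on the same input and report what happened."""
    conn = make_db()
    result = {"parameterized": find_user_parameterized(conn, name)}
    try:
        result["concatenated"] = find_user_concatenated(conn, name)
        result["concatenated_error"] = None
    except sqlite3.Error as exc:
        # The apostrophe terminated the string literal early and the rest was read as SQL.
        result["concatenated"] = None
        result["concatenated_error"] = type(exc).__name__
    return result


if __name__ == "__main__":
    print(demonstrate())
```

In an API, the same rule applies to every interpreter the request data reaches (SQL, LDAP, shell, NoSQL query objects): pass values through the driver's parameter mechanism and validate them against an allow-list before they get there.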
API security is a complicated business, but there are some things that you can implement relatively easily.
While you can use either HTTP or HTTPS with APIs, it is strongly recommended that you always use HTTPS. HTTPS provides an added layer of security through encryption. HTTP offers no encryption at all, meaning that anyone who can observe the traffic between client and service can read the data.
Using API frameworks or templates can also be an excellent way to ensure that you are adhering to the best of security. There are many open-source or paid options for REST API frameworks. These will often have security measures built in.
SSL is a cryptographic protocol. An SSL (Secure Sockets Layer) certificate is used to encrypt the connection between the server and browser with two keys: a public key and a private key. In addition to aiding security, an SSL certificate also has some influence on Google rankings.
TLS (Transport Layer Security) is a newer and improved protocol for the same purpose. It has improved measures to protect against additional types of attacks, such as attacks on cipher block chaining (CBC) mode.
SSL relies on MAC (Message Authentication Code), while TLS relies on HMAC, the hash-based message authentication code.
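HMAC, the construction TLS uses to authenticate records, is also the right tool for signing API requests at the application layer, which is useful when the API key alone should not be enough to replay or alter a call. The added example below (written for this article, not part of the original page or of any product) builds a canonical string from the method, path, timestamp and a hash of the body, signs it with HMAC-SHA256, and verifies it with a constant-time comparison and a freshness window. The shared secret, the five-minute window and the canonical format are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import time

# Assumed per-client shared secret (constructed value; real deployments issue one per client).
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # assumed freshness window for the timestamp


def canonical_string(method: str, path: str, body: bytes, timestamp: int) -> bytes:
    """Deterministic byte string covering everything the signature must protect.
    Hashing the body keeps the string short while still binding every body byte."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """Client side: HMAC-SHA256 over the canonical string, sent as a hex digest header."""
    return hmac.new(secret, canonical_string(method, path, body, timestamp), hashlib.sha256).hexdigest()


def verify_request(secret: bytes, method: str, path: str, body: bytes, timestamp: int,
                   signature: str, now: int | None = None) -> tuple[bool, str]:
    """Server side: reject stale timestamps first, then recompute and compare the HMAC.
    `now` is injectable so the check is deterministic in tests."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = sign_request(secret, method, path, body, timestamp)
    # Constant-time comparison: a plain '==' would leak how many leading hex digits matched.
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    ts = int(time.time())
    body = b'{"sku": "ABC123", "quantity": 2}'
    sig = sign_request(SHARED_SECRET, "POST", "/v1/orders", body, ts)
    print(verify_request(SHARED_SECRET, "POST", "/v1/orders", body, ts, sig))
    # Any change to the body invalidates the signature.
    print(verify_request(SHARED_SECRET, "POST", "/v1/orders", body + b" ", ts, sig))
```

Because the timestamp is inside the signed string, an intercepted request cannot be replayed after the window closes, and because the body hash is inside it, a man-in-the-middle who can see the traffic still cannot alter what the API executes without the secret.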
There are many free and commercial options available to improve API security within your business. Just a few of these are security testing frameworks, OWASP and API management platforms.
API security testing frameworks are commonly open-source, or you can use open-source tools to build your own. Developers have built these as solutions for regular testing of your API.
It is often necessary to test your API for vulnerabilities or potential problems. Some common tests used for this purpose are fuzz testing, injection testing and penetration testing. These can help discover exposure to distributed denial-of-service (DDoS) attacks, as well as injection attacks, XSS attacks and CSRF attacks, among others. They can either determine how the web service responds to such an attack or reveal poor coding that would enable loss of data.
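To make the fuzz-testing idea concrete, here is an added example (written for this article, not tooling from the original page) of the smallest useful fuzz harness: a mutation fuzzer that takes a valid request body, corrupts it in random ways, and feeds each variant to an endpoint's input validator, recording any input that makes the validator raise instead of returning a clean 4xx. The `parse_order_request` validator, its `sku`/`quantity` fields and the seed body are constructed for the example; the point is the harness, which works against any function of the same shape.

```python
from __future__ import annotations

import json
import random


def parse_order_request(raw: bytes) -> tuple[int, dict]:
    """Hypothetical endpoint validator: returns (status, payload) and must never raise.
    Every failure path maps to a 400 with a message that says what was wrong, not a traceback."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return 400, {"error": "body is not UTF-8"}
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return 400, {"error": "body is not JSON"}
    if not isinstance(data, dict):
        return 400, {"error": "body must be a JSON object"}
    sku = data.get("sku")
    qty = data.get("quantity")
    if not isinstance(sku, str) or not (1 <= len(sku) <= 32) or not sku.isalnum():
        return 400, {"error": "sku must be 1-32 alphanumeric characters"}
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(qty, int) or isinstance(qty, bool) or not (1 <= qty <= 1000):
        return 400, {"error": "quantity must be an integer between 1 and 1000"}
    return 200, {"sku": sku, "quantity": qty}


def mutate(seed_body: bytes, rng: random.Random) -> bytes:
    """One random corruption of the seed: flip a byte, insert, delete, truncate, or repeat the body."""
    b = bytearray(seed_body)
    op = rng.choice(("flip", "insert", "delete", "truncate", "repeat"))
    if op == "flip":
        i = rng.randrange(len(b))
        b[i] ^= rng.randrange(1, 256)
    elif op == "insert":
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif op == "delete":
        del b[rng.randrange(len(b))]
    elif op == "truncate":
        del b[rng.randrange(len(b)):]
    else:  # repeat: oversized and structurally invalid (two JSON values back to back)
        b = b * rng.randrange(2, 50)
    return bytes(b)


def fuzz(iterations: int = 2000, seed: int = 1) -> dict:
    """Run the validator on mutated inputs; report crashes and the distribution of statuses.
    A fixed seed makes a failing run reproducible."""
    rng = random.Random(seed)
    seed_body = b'{"sku": "ABC123", "quantity": 2}'  # constructed valid request
    crashes: list[tuple[str, bytes]] = []
    statuses: dict[int, int] = {}
    for _ in range(iterations):
        body = mutate(seed_body, rng)
        try:
            status, _payload = parse_order_request(body)
        except Exception as exc:  # any exception here is a finding: unhandled input reached the handler
            crashes.append((type(exc).__name__, body[:40]))
            continue
        statuses[status] = statuses.get(status, 0) + 1
    return {"crashes": crashes, "statuses": statuses}


if __name__ == "__main__":
    print(fuzz())
```

A crash list that is not empty is the interesting output: each entry is an input that would have produced a 500 (and, depending on the framework, a stack trace with internal details) in production. Keep the harness in the regular test suite so the check reruns on every change, which is the point the article makes about reusable testing frameworks.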
A security testing framework is reusable, meaning that you can test your API on a regular basis. This makes it much more likely that you will discover a vulnerability prior to an attack, saving perhaps millions of dollars in the long run.
One example of this in action is the Metasploit framework. Metasploit is penetration testing software that can also be used to test APIs. It is open-source, meaning that you can view the source code on GitHub and use the free version. Alternatively, you can use Metasploit Pro.
OWASP, the Open Web Application Security Project, is a top resource for any company managing APIs. Besides an incredible knowledge base, OWASP offers various services to help with security.
OWASP offers testing guides, an Application Security Verification Standard (ASVS) as a framework for better API security and much more. All of this is open-source.
OWASP intends for companies to use its resources as guides and metrics to determine the current level of your security and additionally improve security in development.
One example of this in action is the OWASP Top 10 Security Vulnerabilities, which more than a dozen companies have adopted and shared as the framework by which they identify the most serious threats to their APIs.
Selecting the right API management platform for you may be the best solution of all, since they can perform much more than just security. An API management platform can also build and monitor APIs for your company.
An API management platform helps to standardize security, connect and monitor your APIs and perform API rate limiting.
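Rate limiting is the one item in that list that is easy to show in full. The added example below (written for this article; it is not DreamFactory's implementation) is a per-key token bucket: each API key earns tokens at a steady rate up to a fixed capacity, every request spends one, and a request that finds the bucket empty is turned away with a 429 and a `Retry-After` hint instead of reaching the backend. The rate, capacity and handler wrapper are assumptions for the example; the clock is injectable so the behaviour can be tested deterministically.

```python
from __future__ import annotations

import math
import time


class TokenBucketLimiter:
    """Per-key token bucket.

    Each key accrues `rate` tokens per second up to `capacity`; a request costs one token.
    Bursts up to `capacity` are allowed, after which the key is held to `rate` requests/second.
    """

    def __init__(self, rate: float, capacity: int, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self._buckets: dict[str, tuple[float, float]] = {}  # key -> (tokens, last refill time)

    def allow(self, key: str) -> tuple[bool, int]:
        """Return (allowed, retry_after_seconds) for one request from `key`."""
        now = self.clock()
        tokens, last = self._buckets.get(key, (float(self.capacity), now))
        # Lazy refill: credit the tokens earned since the last request, capped at capacity.
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True, 0
        self._buckets[key] = (tokens, now)
        wait = (1.0 - tokens) / self.rate  # seconds until one whole token is available
        return False, max(1, math.ceil(wait))


def handle(limiter: TokenBucketLimiter, api_key: str) -> tuple[int, dict]:
    """Hypothetical gateway wrapper: apply the limit before the request reaches the API."""
    ok, retry_after = limiter.allow(api_key)
    if not ok:
        return 429, {"Retry-After": str(retry_after)}
    return 200, {}


if __name__ == "__main__":
    limiter = TokenBucketLimiter(rate=1.0, capacity=3)
    for _ in range(5):
        print(handle(limiter, "client-1"))
```

Keying the bucket on the authenticated API key rather than the source IP means one abusive integration cannot exhaust the quota of everyone behind the same NAT, and a separate, lower limit on unauthenticated endpoints (login, key exchange) is usually worth adding on top.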
Connecting with a managed API-as-a-service platform will enable you to improve your security drastically.
One example of this in action is of course the DreamFactory platform. We offer full REST automation so that you can deploy secure APIs without having to write a single line of code.
By now, you may have a pretty good idea of how complex API security can be. There are so many different types of attacks and vulnerabilities that it can be a great struggle to maintain client data in safety, and as companies fall behind in security they lose money and the trust of their customers.
DreamFactory helps bring improved security with a minimum of time and effort on the part of your business. We offer instant API creation, logging and reporting, SQL support and, of course, comprehensive security. To learn more about what an API management platform can mean for your business, contact DreamFactory today and start your free trial.