Lock: Securing a PostgreSQL API

Gartner estimates that by 2022, API abuse will move from infrequent to the most frequent vector attack. In a time where software is a company’s competitive edge, more and more companies are embracing APIs as a way to effectively integrate a variety of databases, systems and front-end user applications. With the amount of information shared between these APIs, it has become increasingly important to secure the data and user access to that information. Here, we’ll look at a few of the security challenges you may face in securing a PostgreSQL API and how to deal with them.

DreamFactory Hosted Trial Signup

Generate a full-featured,documented, and secure REST API in minutes.

Sign up for our free 14 day hosted trial to learn how.

Common PostgreSQL API Attacks

When it comes to exploiting PostgreSQL APIs, attackers have a variety of tactics at their disposal. Regardless of the technique used, the effects can be devastating.

Man In The Middle

Man in The Middle (MitM) attacks refer to a hacker intercepting communication between two parties. MitM attacks often target login credentials to gain unauthorized access to systems. These types of attacks are also used to steal personal information, spy on victims, or corrupt data.

Distributed Denial of Service Attacks

Not all attacks are about stealing information. A distributed denial-of-service (DDoS) attack disrupts normal traffic to a server. Attackers use this method to overwhelm the server with a flood of internet traffic. This malicious traffic sometimes consists of fake packets, incoming messages, or requests for connections to a PostgreSQL API.

SQL Injection Attacks on PostgreSQL APIs

PostgreSQL databases, much like many others, are subject to this type of attack. A SQL injection attack occurs when an attacker “injects” their SQL statements into the original application’s SQL code. The goal is to change the query’s original internet to gain access to the underlying server. This attack is also sometimes used to perform a DDoS attack. The DreamFactory platform prevents SQL injection attacks by adhering to the principles laid forth by the OWASP SQL Injection Prevention Cheat Sheet. The OWASP is a standard that outlines best practices on web security.

User Security Management: Less is Best

A recent report by Forrester Research estimates that at least 80% of security breaches involve privileged credentials. Privilege credentials refer to the authorization to bypass security methods. While it is important to grant APIs access to third parties, some discretion should be used. The recommended practice is to allow only the least privilege required to perform a specific action on the API. This principle is often referred to as the principle of least privilege (POLP). 

Benefits of Principle of Least Privilege (POLP)

POLP reduces the risk of attackers exploiting credentials to compromise sensitive information. This principle helps prevent compromises such as malware from spreading to other areas of the system. Additionally, POLP promotes better stability in the system. By employing this principle, the entire system’s availability will be minimally impacted, if at all.

Securing PostgreSQL APIs: The Role of JSON Web Tokens

JSON Web Tokens (JWT) represent a compact, lightweight and self-contained method for sharing information between systems using a JSON object. APIs recognize JWTs as trusted because they are digitally signed.

Authentication & Authorization

The most common use for a JWT is authentication and authorization. When APIs send a request, the receiving endpoint uses the information in the JWT to determine which routes, services, and resources are permitted with that token.

Information Exchange

JSON web tokens are an effective way for APIs to transmit information. They are digitally signed using public/private key pairs. Given that JWTs are self-contained units, they reduce network round trip time.

Role-Based Access in Securing a PostgreSQL API

Roles tie together end-user access to applications and services. Roles govern HTTP access to the REST API endpoints in DreamFactory. When an end-user authenticates and receives a JWT token, her role determines which API endpoints she can access.

Securing a PostgreSQL API With Single Sign-On

Single Sign-on (SSO) is a way to grant access to multiple systems using a single set of login credentials. SSO saves the user time as they no longer need to sign into multiple systems to accomplish their job.

Get started today to discover how you can implement SSO for your PostgreSQL API using DreamFactory. 

Authentication & Authorization in Securing a PostgreSQL API

Developers have access to a variety of protocols and methods for securing a PostgreSQL API. Each of the below methods work either independently or hand-in-hand to accomplish the same purpose: authentication and authorization.

OAuth

OAuth is a protocol for allowing unrelated servers to permit authenticated users to access each other’s data without sharing the initial login credentials. An example of this is when a user logs in to a website. That site may allow the user to sign in using their credentials from another website or service.

Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing is another HTTP method that permits systems to determine the level of access for each request. CORS works by adding HTTP headers to specify the appropriate permissions.

Active Directory

Active Directory refers to a directory service that defines users, groups, roles, authentication, and policy management. Authentication and authorization protocols use Active Directory to determine a user’s permissions.

Lightweight Directory Access Protocol (LDAP)

LDAP is a protocol for communicating with an active directory. LDAP is cross-platform, which makes it possible for systems built on different platforms to communicate. DreamFactory 2.0 has built-in support for Active Directory authentication over LDAP.

Create a free account to learn more about DreamFactory’s built-in support for Active Directory authentication over LDAP.

Security Assertion Markup Language (SAML) 

SAML is a markup language that allows identity providers to share information with service providers. This approach removes the burden of performing authentication from the service provider. Authentication is handled by an identity provider who performs authentication and passes that information to the service provider. SAML is one method of implementing SSO.

DreamFactory Hosted Trial Signup

Generate a full-featured,documented, and secure REST API in minutes.

Sign up for our free 14 day hosted trial to learn how.

Securing a PostgreSQL API with DreamFactory

Today companies must contend with ever-growing security threats to their APIs. A lapse in any area could expose sensitive customer information, ruin a company’s reputation and ultimately impact revenue. DreamFactory provides a comprehensive catalogue of tools to help secure your PostgreSQL API. Get started with a free account now to learn how DreamFactory helps businesses remain agile by providing a suite of ready-made APIs so developers can focus on creating APIs that delivers business value.

Related reading:

Using Windows SSO with DreamFactory