APIs, which stands for Application Programming Interfaces, have been powering most of our modern digital solutions for a while now. From social network communication to financial transactions, checking weather forecasts and traffic congestion, APIs work behind the scenes to give us valuable insights and execute critical transactions.
APIs are also getting more ubiquitous, with one recent report revealing a massive 321% increase in overall API traffic over the last 12 months. But this increased usage has also seen a corresponding rise in cyber threats, with API attacks rising 681% in the same time frame.
What are APIs?
An API is a software that allows two distinct applications to communicate with each other. One application delivers a request to another application and receives a response to carry out its specific tasks. The APIs will have defined functionalities that are independent of their implementation and form the building blocks in developing software.
Put simply, an API is a way for two software systems to interact with each other.
For example, consider an app that lets you search for flights. After you enter your options and click on the “book” button, the app still has to check in the airline’s database for seat availability and costs. The application is able to pull this data from the airline’s API and return it to you to continue with your booking.
What are the mainstream API Protocols?
In order for APIs to enable interaction between systems, it has to exchange data and specific commands. This exchange is governed by a set protocols and architectures which can vary depending on the individual use case. Some of the more mainstream API protocols include:
- REST (Representational State Transfer) architecture: One of the most popular protocols, REST works by separating the front and back ends of the API. It is also “stateless”, which means no data or status is stored in between requests. APIs built on REST are known as “RESTful APIs”.
- SOAP (Simple Object Access Protocol): This is a standard generally used to create web APIs and supports various internet protocols such as HTTP, SMTP and TCP. It is more structured, controlled and defined than RESTful APIs.
- gRPC (Google Remote Procedural Call): An open source framework developed by Google, capable of running in most environments. Its uniqueness lies in the ability for developers to define their own custom functions.
- GRAPHQL (Graph Query Language): Developed by Facebook. GRAPHQL queries data from the server like database query languages. Since only the data that is explicitly requested is retrieved based on the query requests, instead of importing entire packages, it saves time and resources.
What is API Security?
API security involves measures and solutions to help protect the integrity of APIs and prevent malicious attacks. It involves processes that investigate and mitigates the security risks and vulnerabilities in APIs.
If APIs are left unsecured, it can be exploited by hackers to steal sensitive data, crippling organizations financially and through reputational damage. Various techniques are used in API security including rate limiting, authentication and authorization. But beyond these techniques it also requires enterprises to adopt a culture of security, which covers the entire software development and API workflow.
Why is API Security Important?
API security has become a critical part of cybersecurity today, primarily because of their extensive usage in web and mobile applications, and SaaS products. These applications can be found in most fundamental use cases in banking to retail, entertainment, healthcare and even transport. The applications that rely on APIs also involve a lot of customer-facing portals and collection of sensitive data including Personally Identifiable Information (PII).
To complicate matters more, most businesses are shifting to cloud-based storage and computing for these applications. While this does make the applications accessible from anywhere and any device, they also suffer from cloud computing security challenges, as the APIs can be a way for hackers to exploit authentication and breach networks. This makes API security an essential requirement for businesses
What are different methods of API authentication？
Businesses can rely on a few methods of API authentication to enforce security. These include:
Open Authorization (0Auth)
OAuth is an open standard that allows third-party services such as Facebook or Twitter to take an end user’s account details without exposing sensitive fields like passwords. It essentially provides an intermediary service to the end user, by giving the service an access token that confirms that the user has authorized the sharing of the account information.
Multi-factor Authentication (MFA)
MFA is a form of authentication that requires more than one method of verifying a user’s credentials. For example, in addition to a password, this method also requests for a passcode sent to the user by email or text message which has to be confirmed before proceeding with the authentication.
Transport Layer Security (TLS)
TLS is a widely-used security protocol that provides authentication, privacy, and data integrity between two applications that communicate with each other. It is used for web browsers and applications that involve secure exchange of data over a network such as during a browsing session, transfer of files, voice over IP (VoIO) communication and more.
Security Assertion Markup Language (SAML)
SAML is another open standard used for secure sharing of data involving user identity, authentication and authorization. It is implemented with the Extensible Markup Language (XML) standard and provides a framework for single sign-on (SSO) implementations.
What are The Top API Security Threats?
With the increased usage of APIs, coupled with evolving sophistication of cyber attacks, businesses have to watch out for a variety of API security threats. The Open Web Application Security Project (OWASP), an online community that provides information and resources for cybersecurity practitioners listed the Top 10 API security threats in 2019, which included the following:
Broken User Authentication
These threats arise when authentication mechanisms are implemented incorrectly. This allows attackers to compromise authentication tokens or to exploit implementation flaws to assume other users’ identities, thereby compromising the API security.
Injection flaws occur in instances where untrusted data is sent to an interpreter in a query. These can involve attacks such as SQL, NoSQL, Command Injection which trick the interpreter into executing commands or accessing data without proper authorization.
Broken Object-Level Authorization
When you have functions that take in user input to access a data source using an API, it can expose the endpoints to attacks. These functions need to incorporate authorization at these object-levels to prevent the endpoints from being targeted.
How Does API Security Work?
API security works by enforcing the key elements of authentication and authorization. First, authentication is requested to verify that the identity of the client application is safe and that it has permission to use the API. After this, the application has to pass authorization, which determines what data and actions it can access while interacting with the API.
API Security Best Practices
Since APIs involve communication between applications, which often take in user input to retrieve sensitive data, they can be targeted by different types of man-in-the-middle attacks. To prevent this, you should follow these essential API security best practices.
Look for vulnerabilities
Identify weak points in your API lifecycle and look for specific vulnerabilities that can be exploited by signature-based attacks like SQL injections. Following standard vulnerability scanning techniques can be helpful in discovering these weak points.
Use tokens for access control
Security tokens can be another way to protect APIs. These work by requiring the authentication of a token before access can be granted, and any program or user that fails the authentication will be rejected.
Use encryption in API communication
Encryption is a tried-and-tested security practice which ensures that only the program or user with the right key can decipher a communication. It protects APIs by ensuring that the data is unreadable to unauthorized users who do not possess the key.
Set quotas and throttling
Throttling and quotas are effective against attacks such as Distributed Denial of Service (DDoS) attacks which aim to overwhelm a system by sending large quantities of data. These quotas restrict the speed of data transfer and thwart DDoS attacks and keep your systems functioning normally.