API Tools & Security System

API Security Is A Growing Concern
As the world around us becomes more and more connected via the internet, the need to build secure networks grows with it. APIs continue to be an integral business strategy across industries, and it doesn’t appear to be slowing down anytime soon, especially with the rise of IoT.
The number of public APIs listed on apihound hovers around 50,000, while the number of private APIs is assumed to be larger still. That’s a lot of data being passed over the web, some of it incredibly sensitive. It seems like at least once a week we hear about another company getting hacked and having thousands of users’ information exposed. Consumers’ patience with lax security is wearing thin.

Always Assume Everyone Wants Your Data
Not all APIs are created equal, and not all vulnerabilities will be preventable. An API that gathers weather information does not need to take the same precautions as an API that sends patients’ medical data.
However, a good rule of thumb is to assume that everyone is out to get your data. Think of it as being the doomsday prepper for your API: if you prepare for the worst-case scenario, anything else that might go wrong will be handled with ease.

Authenticate First
Make sure that you authenticate at the web server before any info is transferred.

  • Authentication is used to reliably determine the identity of an end user.
  • Authorization is used to determine what resources the identified user has access to.
  • On the web, authentication is most often implemented via a dialog that prompts for username and password. For added security, software certificates, hardware keys and external devices may be used.
  • Once the user is authenticated, the system decides which resources or data to allow access to.
  • For APIs, it is common to use some kind of access token, either obtained through an external process (e.g. when signing up for the API) or through a separate mechanism (e.g. OAuth).
  • The token is passed with each request to an API and is validated by the API before processing the request. Alternatively, the dialog method may be used.
  • The best solution is to only show your authentication key to the user once. It’s their responsibility to hold that key near and dear. You wouldn’t trust someone who kept losing the spare keys you gave them, would you?
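The points above, authenticate first, then authorize, show the token only once, and validate it on every request, can be put together in a few dozen lines. The following is an added example written for this page, not code from the original site or from any product it describes. It assumes an in-memory token store (constructed here; a real API would use a database) and opaque random bearer tokens rather than OAuth; only the hash of each token is stored, so the raw token exists just once, in the response that issues it.

```python
import hashlib
import secrets
from typing import Optional

# Constructed in-memory token store for this example: sha256(token) -> record.
# Only the hash is kept; the raw token is returned to the user exactly once at
# issue time, so a copy of this store cannot be replayed against the API.
TOKEN_STORE: dict[str, dict] = {}


def _digest(token: str) -> str:
    """Hash a raw token so the store never holds anything directly usable."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user: str, scopes: set[str]) -> str:
    """Mint a random opaque API token for `user`, persist only its hash, return it once."""
    raw = secrets.token_urlsafe(32)
    TOKEN_STORE[_digest(raw)] = {"user": user, "scopes": set(scopes)}
    return raw


def revoke_token(raw: str) -> None:
    """Forget a token (e.g. the user lost it); later requests carrying it fail."""
    TOKEN_STORE.pop(_digest(raw), None)


def authenticate(headers: dict[str, str]) -> Optional[dict]:
    """Authentication: map 'Authorization: Bearer <token>' to a principal, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme != "Bearer" or not token:
        return None
    # Lookup is by hash: an attacker who reads the store still has nothing
    # they can present to the API.
    return TOKEN_STORE.get(_digest(token))


def authorize(principal: dict, required_scope: str) -> bool:
    """Authorization: does the identified principal hold the scope this resource needs?"""
    return required_scope in principal["scopes"]


def handle_request(headers: dict[str, str], required_scope: str) -> int:
    """Validate the token before doing any work; return an HTTP-style status code."""
    principal = authenticate(headers)
    if principal is None:
        return 401  # not authenticated: no valid token presented
    if not authorize(principal, required_scope):
        return 403  # authenticated, but not allowed to use this resource
    return 200  # only now would the API actually process the request


if __name__ == "__main__":
    token = issue_token("alice", {"weather:read"})
    print("issued once:", token)
    print(handle_request({"Authorization": f"Bearer {token}"}, "weather:read"))   # 200
    print(handle_request({}, "weather:read"))                                      # 401
    print(handle_request({"Authorization": f"Bearer {token}"}, "patients:read"))  # 403
```

Note the order in handle_request: the request is rejected before any resource is touched, a missing or malformed header and a revoked token both produce the same 401, and a valid token that lacks the needed scope is a 403 rather than a silent success.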

Why Are You Still Using HTTP?
Encryption is generally used to hide information from those not authorized to view it. On the Internet, SSL (today, TLS) is commonly used to encrypt HTTP messages sent and received by web browsers or API clients.
A limitation of SSL is that it only protects the transport layer. Data that also needs protection in other layers requires separate solutions.
Signatures are used to ensure that API requests or responses have not been tampered with in transit. The message itself might be unencrypted, but it must be protected against modification and arrive intact.
Encryption and signatures are often used in conjunction: the signature can be encrypted so that only certain parties are able to validate it, or the encrypted data can be signed to further ensure that it is neither seen nor modified by unwanted parties.
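To make the "signed but not necessarily encrypted" case concrete, here is an added example (written for this page, not code from the original site or any product it describes) of a request signature that travels alongside an otherwise plain HTTP message. It assumes a shared secret per API client, delivered out of band (the value below is constructed), an HMAC-SHA256 over the method, path, timestamp and a hash of the body, and a five-minute acceptance window so a captured signature cannot be replayed indefinitely. Transport encryption (TLS) is still expected underneath; the signature only makes tampering detectable.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed shared secret for this example; a real API issues one per client.
CLIENT_SECRET = b"example-client-secret-not-for-production"
MAX_CLOCK_SKEW = 300  # seconds a signed request stays acceptable


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind everything the server must trust into one byte string to sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode("utf-8")


def sign_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical string, hex-encoded for a header."""
    msg = canonical_string(method, path, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, method: str, path: str, timestamp: int,
                   body: bytes, signature: str, now: int) -> Tuple[bool, str]:
    """Server side: check freshness, recompute the HMAC and compare; return (ok, reason)."""
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False, "stale timestamp"
    expected = sign_request(secret, method, path, timestamp, body)
    # compare_digest runs in constant time, so a mismatch does not reveal
    # how many leading characters of the signature were right.
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    ts = 1_700_000_000
    body = b'{"patient_id": 42, "dose_mg": 5}'
    sig = sign_request(CLIENT_SECRET, "POST", "/v1/prescriptions", ts, body)
    print("headers: X-Timestamp:", ts, "X-Signature:", sig)
    print(verify_request(CLIENT_SECRET, "POST", "/v1/prescriptions", ts, body, sig, ts + 10))
    # The body is readable in transit, but any change to it breaks the signature.
    tampered = body.replace(b"5", b"50")
    print(verify_request(CLIENT_SECRET, "POST", "/v1/prescriptions", ts, tampered, sig, ts + 10))
```

The body is sent in the clear in this scheme, which is the case the text describes: the recipient cannot be fooled about what was sent, but a third party can still read it unless TLS (or encryption of the payload itself) is layered on top.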

Know Your Vulnerabilities
Security vulnerabilities are a diverse field: there are many different attacks, with different methods and targets. One way to categorize vulnerabilities is by target area:
- Network / OS / Driver: issues in the operating system and network components (e.g. buffer overruns, flooding with sockets, DoS attacks)
- Application layer: issues in the hosting application server and related services (e.g. message parsing, session hijacking or security misconfigurations)
- API / component: functional issues in the actual API (e.g. injection attacks, sensitive data exposure, incomplete access control)