Have you ever stopped and evaluated the security of your APIs?
This article looks at how APIs have made solutions easier to implement while also bringing some risks to application security.
Find out why it is important to evaluate API security and learn the main points that must be observed to keep your APIs safe.
API Security: why think about it?
The adoption of APIs has become more common lately.
The use of this resource facilitates the implementation of solutions and enables third parties to access data that an application can create or receive.
Although APIs are easy to use, some points related to security must be observed. As their use increases, it is natural that malicious interest increases as well.
6 key points to consider on API Security
When thinking about API security, it is important to pay attention to how the API will be developed and maintained.
To help with API security, the points listed below should be observed when building and managing APIs.
1. Protecting traffic to an API
HTTPS may look simple, but HTTPS without authentication may not bring as much safety as people imagine.
Using HTTPS to access APIs is not new to developers. We can say that it is increasingly common to find APIs that allow access through more secure channels by using the HTTPS protocol.
However, access without authentication does not make it more secure. We can mention, for instance, that Nissan had problems with the API used to help monitor and control the LEAF model.
In this case, authentication for API access was done by simply sending the car registration number, which anyone could easily have obtained, considering that this number is located on the car window.
The biggest problem was the fragility of an authentication process based on visible information, because this mistake permitted access to the car's information.
APIs also expose functions that must be offered carefully to avoid unpleasant surprises, such as "delete". A good solution would be to understand how to enable the CORS function on websites.
To close the HTTPS subject, it is important to consider implementing Certificate Pinning mechanisms, mainly on mobile applications, which already have Mutual SSL support.
2. Limit traffic on your API
A second point that must be observed is the limit on the amount of traffic that the API will serve to an app, or even to a user.
If this is not done, your API can be flooded with fake or incomplete requests, overloading the server.
Such fragility in the communication process leads to denial of service, making the information unavailable.
Limiting such traffic is therefore a good practice for API protection, and it can bring better results if the developer implements the limit per application or even per user.
3. Monitoring is required
However, for traffic limitation to be effective, API monitoring must be continuous.
This allows developers to identify abnormal behavior, ensuring the security of the environment.
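The per-application and per-user limits from point 2 and the monitoring from point 3 can be sketched together. This is an added example, not code from the original article; the class names, the limits and the 429 response are assumptions chosen for illustration.

```python
import time
from collections import Counter

class TokenBucket:
    """Allows `rate` requests per second with bursts of up to `burst`."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.updated = float(burst), now

    def allow(self, now):
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class ApiLimiter:
    """Applies one limit per application and a tighter one per user."""
    def __init__(self, app_limit=(10, 20), user_limit=(2, 5)):
        self.app_limit, self.user_limit = app_limit, user_limit  # (rate, burst)
        self.buckets = {}
        self.denied = Counter()  # denials per key, the signal monitoring reads

    def check(self, app_id, user_id, now=None):
        now = time.monotonic() if now is None else now
        # The user bucket is checked first so that one flooding user is
        # stopped before spending the budget shared by the whole application.
        checks = ((("user", app_id, user_id), self.user_limit),
                  (("app", app_id), self.app_limit))
        for key, (rate, burst) in checks:
            if key not in self.buckets:
                self.buckets[key] = TokenBucket(rate, burst, now)
            if not self.buckets[key].allow(now):
                self.denied[key] += 1
                return 429  # HTTP 429 Too Many Requests
        return 200

    def abnormal_clients(self, threshold):
        """Keys denied at least `threshold` times: candidates for an alert."""
        return sorted(k for k, n in self.denied.items() if n >= threshold)
```
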
4. Dedicating time and resources in the right way
This is not exactly a technical issue, but a management one.
To think about API security correctly, it is necessary to plan time well and provide appropriate conditions so that security can be validated more efficiently.
Ensuring time and resources to test the API is a key point in implementing a protection barrier for the data handled by the applications that use the API.
When deciding to apply part of your resources to testing, know that it is not only the enablement of the API that is at stake. If information is handled in the wrong way, a data breach can bring catastrophic results for the company.
5. It is important to validate inputs
Better practices for secure development have been adopted, which is important for a web application, and when it comes to API security we have to keep an eye on data input validation.
Unlike the data validated in a web application, input data in APIs is sent via URLs, and these must be carefully analyzed and validated before being accepted by the API.
For security reasons, when analyzing the parameters passed to the API, it is necessary to have a definition that does not accept strings and objects without proper validation.
It is also very important to pay the same attention to the headers, body and attachments sent to the API.
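One way to apply such a definition to parameters arriving in the URL is sketched below. It is an added example, not code from the original article; the /orders endpoint, the parameter names and their rules are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def int_range(lo, hi):
    def check(raw):
        if not re.fullmatch(r"[0-9]{1,9}", raw):
            raise ValueError("not a plain decimal integer")
        if not lo <= int(raw) <= hi:
            raise ValueError(f"must be between {lo} and {hi}")
        return int(raw)
    return check

def pattern(regex):
    def check(raw):
        if not re.fullmatch(regex, raw):
            raise ValueError("unexpected format")
        return raw
    return check

# Hypothetical definition for GET /orders: every accepted parameter is declared.
ORDER_QUERY = {
    "customer_id": pattern(r"[A-Za-z0-9]{8}"),
    "page": int_range(1, 1000),
    "status": pattern(r"open|shipped|cancelled"),
}
REQUIRED = {"customer_id"}

def validate_query(url, schema=ORDER_QUERY, required=REQUIRED):
    """Return (clean, errors); reject the request when errors is non-empty."""
    clean, errors = {}, {}
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name not in schema:
            errors[name] = "unknown parameter"
        elif name in clean or name in errors:
            # A repeated parameter is ambiguous, so neither value is accepted.
            clean.pop(name, None)
            errors[name] = "parameter repeated"
        else:
            try:
                clean[name] = schema[name](raw)
            except ValueError as exc:
                errors[name] = str(exc)
    for name in sorted(set(required) - set(clean) - set(errors)):
        errors[name] = "missing required parameter"
    return clean, errors
```

The same allow-list approach extends to headers and body fields: declare what is expected and reject everything else.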
6. Always use API Keys
Another important point in strengthening API security is to use keys as a form of authentication.
This can contribute to keeping it safe, since API keys are created from a random code that is hard to deduce.
Thus, authentication becomes more complex than simply supplying usernames and passwords.
Besides adding more security to the authentication process, the use of API Keys makes validation faster than using an encrypted password stored in the database.
With encrypted authentication, however, it is necessary to consider that the process adds a step to decode and validate a saved hash.
This means that it takes longer to log in, which increases the processing consumed by an API that is used intensively.
Therefore, it is important to keep in mind that the use of API Keys is not a solution for all problems of security in the authentication process.
So, we can say that if you are using only API Keys, you are doing it wrong.
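The key handling described in this point can be sketched as follows: keys are generated from a cryptographic random source, only a digest is stored, and validation is a single fast hash plus a constant-time comparison. This is an added example, not code from the original article; the ApiKeyStore class and the "id.secret" key layout are assumptions.

```python
import hashlib
import hmac
import secrets

class ApiKeyStore:
    """Issues random API keys and keeps only their SHA-256 digests."""
    def __init__(self):
        self._records = {}  # key_id -> (digest, app_name)

    @staticmethod
    def _digest(secret):
        # One fast hash is enough because the secret is long and random;
        # a human-chosen password would need a slow password hash instead.
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, app_name):
        key_id = secrets.token_hex(4)        # public lookup handle
        secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._records[key_id] = (self._digest(secret), app_name)
        return f"{key_id}.{secret}"          # shown to the client only once

    def verify(self, presented):
        """Return the application name for a valid key, else None."""
        key_id, sep, secret = presented.partition(".")
        record = self._records.get(key_id)
        if not sep or record is None:
            return None
        digest, app_name = record
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(digest, self._digest(secret)):
            return app_name
        return None

    def revoke(self, key_id):
        """Administrative removal of a key; returns True if it existed."""
        return self._records.pop(key_id, None) is not None
```
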
API Security: protection comes first
In general, we can say that the care that should be taken with API security is quite similar to the practices we already know from web application development.
This means that you need to think about security from the beginning of development, and on all aspects of the application.
When talking about the Secure Development process, we need to keep in mind that it is more about changing mindset and culture than about extreme technical knowledge.
The cultural transformation needed to pursue web application security must begin in the development process, by producing ever more secure code, but it cannot stop there.
As further reading, we suggest this article, where we talk about the role of Security Champions as catalysts of cultural transformation within companies.
So while these tips are valuable, secure development is a much larger picture and requires commitment from many areas to be executed with excellence.