Guidelines for Reducing API Security Threats

By CIOReview | Thursday, April 6, 2017

There are as many strategies for preventing an Application Programming Interface (API) breach as there are ways to attack one. As attackers find new lines of attack against APIs, developers are compelled to adopt more rigorous controls; rate limiting and security token management are two such widely used techniques. According to IBM, API breaches have plagued startups for some time, affecting the likes of Facebook, Twitter, and Snapchat, and it is clear these breaches now affect established enterprises as well.

Hackers, insider threats, and malicious bots plague API security every day. As these threats grow, organizations need to reassess their risk profiles and their data security architecture.

In the wake of rising API breaches, an effective security strategy should adapt quickly to new threats. It should also allow APIs to be exposed as managed API products and log API interactions across all channels, so that abuse can be detected and investigated.

API Design Pitfalls

1. Transport Layer Encryption

Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL), is the first and most basic layer of API security. Serving an API without TLS, or allowing a plaintext fallback, exposes every call to eavesdropping and man-in-the-middle attacks. Obtaining a certificate is only the start: the server must also refuse SSL and early TLS versions, and clients must never fall back to plaintext.

2. SSL Certificate

A certificate binds a server's identity to its public key so that clients can authenticate the server before encrypting traffic. Validating that certificate (checking the chain of trust, the hostname, the validity period and, ideally, revocation status) is the complicated part, and it is where clients most often go wrong, for example by disabling verification to silence errors in a test environment. A client that skips validation will accept an attacker's forged certificate, allowing traffic interception and compromising user security.
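The two pitfalls above, as an added example that is not part of the original article: a Python client context with verification switched off beside a hardened one, and a small audit function that reports what an outbound API client would ship with. The function and finding names are our own; the checks themselves come straight from the ssl module's `check_hostname`, `verify_mode` and `minimum_version` settings.

```python
import socket
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: verification switched off to make a test environment 'work'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, including a forged one
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Chain of trust, hostname and validity period are all checked; SSL 3, TLS 1.0
    and TLS 1.1 are refused.  ca_bundle pins the trust store to your own CA when set."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of weaknesses an outbound API client would ship with."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("pre-TLS 1.2 protocol versions allowed")
    return findings


def open_api_connection(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """server_hostname is the name the certificate is checked against (and the SNI
    sent); with check_hostname set, wrap_socket refuses to proceed without it."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Run the audit against every `SSLContext` your client code builds; a finding on any of them means a forged certificate, or a downgraded protocol, would be accepted on that path.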

3. XML Encryption

Simple Object Access Protocol (SOAP) exchanges structured information between APIs and web services, offering extensibility, neutrality, and transport independence. Extensible Markup Language (XML) is its message format. An XML parser that accepts whatever a client sends, without hardening or monitoring, opens several attack vectors: XML external entity (XXE) attacks that read local files or reach internal hosts, mishandled XML encryption, and denial of service (DoS) through entity expansion.
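An added example (not code from the original article) of the most effective single mitigation for the XXE and entity-expansion DoS vectors named above: refuse any request that carries a DOCTYPE or entity declaration before the real parser sees it, which is what libraries such as defusedxml do with their `forbid_dtd` option. The pre-scan below uses the standard expat parser, and the SOAP envelopes, the XXE payload and the scaled-down entity-expansion payload are constructed sample inputs; `parse_soap_request` and `is_accepted` are our own names.

```python
import xml.etree.ElementTree as ET
from typing import Dict
from xml.parsers import expat

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


class UnsafeXML(ValueError):
    """Raised when a request carries a DTD or entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Pre-scan with expat and abort on the first DOCTYPE or entity declaration.
    Raising inside a handler aborts the parse, so no entity is ever expanded."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not accepted (root element {name!r})")

    def on_entity(*_):
        raise UnsafeXML("entity declarations not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_soap_request(data: bytes) -> Dict[str, object]:
    """Return the operation name and its parameters from a SOAP 1.1 envelope."""
    reject_dtd(data)
    root = ET.fromstring(data)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("missing SOAP Body or operation element")
    op = body[0]
    params = {child.tag.split("}")[-1]: (child.text or "") for child in op}
    return {"operation": op.tag.split("}")[-1], "params": params}


def is_accepted(data: bytes) -> bool:
    """True if the request passed the DTD gate (parse errors still propagate)."""
    try:
        parse_soap_request(data)
        return True
    except UnsafeXML:
        return False


# Constructed sample inputs.
BENIGN = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetBalance><AccountId>42</AccountId></GetBalance></soap:Body>
</soap:Envelope>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetBalance><AccountId>&xxe;</AccountId></GetBalance></soap:Body>
</soap:Envelope>"""

# A deliberately tiny "billion laughs": two levels, 10x10, instead of 10 levels.
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetBalance><AccountId>&b;</AccountId></GetBalance></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(parse_soap_request(BENIGN))
    print("xxe accepted:", is_accepted(XXE), "bomb accepted:", is_accepted(ENTITY_BOMB))
```

Rejecting DTDs outright is the right default for an API, because no legitimate SOAP client needs to ship one; the second defence is a request size limit, applied before any parsing starts.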

4. API Auditing

API calls are designed to reach a specific subset of endpoints, which gives the API structure and boundaries. Attackers probe alternative routes and unexpected call sequences to obtain data outside those boundaries, exploiting security weaknesses or business logic flaws in the API design.

Manual auditing of the API, reviewing each endpoint for what it returns and to whom, is the best defence against such vulnerabilities. A good general rule that the audit should enforce is to expose the minimum amount of data each endpoint actually needs to return.
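An added example, not from the original article, of the kind of flaw an audit of a user-lookup endpoint turns up and how to close it: the leaky handler trusts the id in the URL and serialises the whole record, while the hardened one applies object-level authorization and a per-caller field allow-list. The user records and the role names are constructed sample data; `get_user`, `leaky_get_user` and `exposed_sensitive_fields` are our own names.

```python
from typing import Dict, Set

# Constructed sample records; the store normally sits behind a database.
USERS: Dict[int, Dict[str, object]] = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com", "role": "user",
        "password_hash": "<bcrypt hash>", "ssn": "123-45-6789"},
    2: {"id": 2, "name": "bob", "email": "bob@example.com", "role": "user",
        "password_hash": "<bcrypt hash>", "ssn": "987-65-4321"},
    3: {"id": 3, "name": "carol", "email": "carol@example.com", "role": "support",
        "password_hash": "<bcrypt hash>", "ssn": "555-55-5555"},
}

# Field allow-lists decided during the audit: what each kind of caller may see.
PUBLIC_FIELDS = {"id", "name"}
SELF_FIELDS = PUBLIC_FIELDS | {"email"}
SUPPORT_FIELDS = SELF_FIELDS | {"role"}
# Never returned by GET /users/{id}, whoever asks.
SENSITIVE_FIELDS = {"password_hash", "ssn"}


def leaky_get_user(target_id: int) -> Dict[str, object]:
    """The pitfall: trusts the id in the URL and serialises the whole record."""
    return dict(USERS[target_id])


def get_user(caller_id: int, target_id: int) -> Dict[str, object]:
    """Object-level authorization plus a response allow-list.

    caller_id comes from the authenticated session, never from the request."""
    caller = USERS[caller_id]
    target = USERS[target_id]
    if caller_id == target_id:
        allowed = SELF_FIELDS
    elif caller["role"] == "support":
        allowed = SUPPORT_FIELDS
    else:
        allowed = PUBLIC_FIELDS
    return {k: v for k, v in target.items() if k in allowed}


def exposed_sensitive_fields(response: Dict[str, object]) -> Set[str]:
    """Audit helper: which sensitive fields did an endpoint response leak?"""
    return SENSITIVE_FIELDS & set(response)


if __name__ == "__main__":
    print("leaky   :", exposed_sensitive_fields(leaky_get_user(1)))
    print("hardened:", exposed_sensitive_fields(get_user(2, 1)))
    print("bob sees alice as:", get_user(2, 1))
```

Running `exposed_sensitive_fields` over every handler's response for every caller role is a cheap, repeatable version of the manual audit the section recommends.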

5. End point Security

Hardening endpoints is an important part of API security best practice. Measures such as request signing with per-client keys and hashing of request contents are far easier to build in during early API development than to retrofit later.
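The key signing and hashing the section mentions, as an added example that is not the article's own code: an HMAC-SHA256 request signature over the method, path, timestamp and a hash of the body, verified server-side with a constant-time comparison and a replay window. The header names, the client key store and the 300-second window are assumptions for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed key store: client id -> shared secret provisioned out of band.
CLIENT_KEYS: Dict[str, bytes] = {
    "mobile-app-v3": b"demo-shared-secret-do-not-reuse",
}
REPLAY_WINDOW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """Everything the signature covers; hashing the body keeps the string bounded."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(client_id: str, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the headers that accompany the request."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    mac = hmac.new(CLIENT_KEYS[client_id],
                   canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": ts, "X-Signature": mac}


def verify_request(method: str, path: str, body: bytes, headers: Dict[str, str],
                   now: Optional[int] = None) -> bool:
    """Server side: reject unknown clients, stale timestamps and tampered requests."""
    key = CLIENT_KEYS.get(headers.get("X-Client-Id", ""))
    if key is None:
        return False
    ts = headers.get("X-Timestamp", "")
    if not ts.isdigit():
        return False
    current = int(time.time()) if now is None else now
    if abs(current - int(ts)) > REPLAY_WINDOW_SECONDS:
        return False  # outside the window: replayed or clock-skewed
    expected = hmac.new(key, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    body = b'{"amount": 10}'
    hdrs = sign_request("mobile-app-v3", "POST", "/v1/transfer", body)
    print("valid   :", verify_request("POST", "/v1/transfer", body, hdrs))
    print("tampered:", verify_request("POST", "/v1/transfer", b'{"amount": 9999}', hdrs))
```

The window alone does not stop a replay inside 300 seconds; for endpoints with side effects, record seen signatures (or add a nonce) for the length of the window as well.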

The OAuth Framework and API

Open Authorization, better known as OAuth, is an open standard for token-based delegated authorization on the Internet. It lets an end user grant a third-party service limited access to their account without sharing their password. OAuth 2.0 dropped the client-side request signatures of OAuth 1.0 in favour of bearer tokens carried over TLS, added new grant flows, and uses short-lived access tokens backed by a long-lived authorization (the refresh token). It is designed for ease of use and simplicity for developers while providing specific authorization flows for web applications, desktop applications, mobile apps, and IoT (Internet of Things) devices. OAuth is not an authentication protocol; it is a delegated authorization protocol.
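As an added example (not the article's own code) of what "short-lived tokens, delegated authorization, not authentication" means at the API side: a resource server check that accepts a bearer token only while it is active and unexpired and only for the scope it was granted. The token records are constructed in the shape of an RFC 7662 introspection response; a real resource server would ask the authorization server's introspection endpoint, or verify a signed JWT, rather than read a dict. `authorize` is our own name.

```python
import time
from typing import Dict, Optional

# Constructed token records, shaped like RFC 7662 introspection responses.
TOKENS: Dict[str, Dict[str, object]] = {
    "at-alice-1": {"active": True, "sub": "alice", "client_id": "photo-printer",
                   "scope": "photos:read", "exp": 1_700_000_600},
    "at-alice-2": {"active": True, "sub": "alice", "client_id": "photo-printer",
                   "scope": "photos:read photos:write", "exp": 1_699_999_000},  # expired
    "at-bob-1":   {"active": False, "sub": "bob", "client_id": "photo-printer",
                   "scope": "photos:read", "exp": 1_700_000_600},  # revoked
}


def authorize(auth_header: Optional[str], required_scope: str,
              now: Optional[int] = None) -> Optional[str]:
    """Return the resource owner ("sub") the request may act for, or None.

    The token proves that `sub` delegated `scope` to `client_id`; it does not
    prove who is holding the token, which is why OAuth is not authentication."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    record = TOKENS.get(auth_header[len("Bearer "):])
    if record is None or not record["active"]:
        return None
    current = int(time.time()) if now is None else now
    if current >= int(record["exp"]):  # access tokens are short-lived by design
        return None
    if required_scope not in str(record["scope"]).split():
        return None  # the user granted less than this endpoint needs
    return str(record["sub"])


if __name__ == "__main__":
    t = 1_700_000_000
    print("read  :", authorize("Bearer at-alice-1", "photos:read", now=t))
    print("write :", authorize("Bearer at-alice-1", "photos:write", now=t))
    print("expired:", authorize("Bearer at-alice-2", "photos:write", now=t))
```

When the access token expires the client uses its refresh token to obtain a new one; nothing in this check needs to change, which is the point of pairing short-lived tokens with a long-lived authorization.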