CIOREVIEW >> Application Programming Interface >>

Tweaking APIs as Secured Platforms

By CIOReview | Friday, March 17, 2017

Previously, the monolithic software applications featured limited number of interfaces which were easy to secure. Fast forward to the current age and developers, as part of micro servicing, are breaking applications into segregated services that are published as Web APIs. A wide range of devices ranging from PCs, smart televisions, laptops, tablets and IoT devices access these APIs for various customer related operation. Businesses often measure success of a mobile applications or other API engaged framework by counting on user engagement and user adoption. It clearly indicates that APIs have become more of a money-making parameter that adds to the chances of exposures. This may lead to decreased attention to security parameters that limit attack surfaces—making them one of the most attractive attack targets in the current age. Further, the flexibility of APIs allow third parties to write applications for platforms which obviously comes with certain rights which may be utilized by some developers to write down their own authentication layers. Being programmable, they can also program attacks that automate their intentions to satisfy their gainful interests.   

Therefore, APIs, though being an essential technology today, do present considerable design and security problems, where hackers exploit to steal critical data. For instance, over 100,000 of taxpayer’s sensitive tax information were stolen in the year 2015 using IRS’s ‘Get transcript’ API, leading to an immediate shutdown.  To quote another instance, a printing company accidently exposed their user data through API, which raised issues regarding privacy. This lead to the shutting down of their mobile applications after identifying the existence API vulnerability, which otherwise would have been used by hackers to access customer information. These incidents highlight the need for robust security mechanisms in APIs which in the present day situation, companies are opening up their eyes to.

As explained by the experts, there are precautionary steps that can be engaged to prevent API vulnerabilities. For example, like Facebook, where the company allows third party developers to write apps that actually connect to the Facebook data stream, enterprises planning to offer such platforms can restrict access to only certified developers to write additional apps. This could keep an efficient track of people altering the applications which, to a great extend would keep vulnerabilities under check. Additionally, enterprises can subject these developers to run a test in prior to validate their processes and software intends to bestow permissions. There should be control over this approach where the enterprises’ IT department can revoke permissions under suspicious situations.

Additionally, engaging OAuth button app, though a complicated process, is probably one of the most common security protocols that enterprises can use to secure their API—both for web and mobile applications. Another security measure would be to rely upon open source libraries rather than deploying company’s own servers and software frameworks which have greater chances of exposing vulnerabilities.    

Furthermore, the proliferation of cloud adds to the pile. Thereby organizations should ensure that general coding best practices are followed in addition to including various other security measures like framing robust message structures, integrity validation, and encrypting/encoding every data or information that is being exchanged. The best practices in this regard also include availing documentation and audit reports from cloud providers. In addition, they can also ask permissions for penetration tests and vulnerability assessments to be performed against APIs.

Bottom Line

The fact remains solid strong that developers cannot let APIs let go, instead, they need to come up with more in the modern world. But hopefully there is quite impressive improvement in this space, with more companies coming up with leading edge technology solutions to overcome it. It’s important for developers to primarily consider the discussed points in order to avoid any attacks and security breaches on the APIs.