State of API Security: API Security Best Practices

by @rachel (Rachel), Independent Tech Blogger, on Hackernoon

The word is out about the state of API security: organizations around the world are finally waking up to the potential of Application Programming Interfaces (APIs) to transform business models and directly generate revenue.

The momentum around APIs has been building continuously. Back in 2015, Harvard Business Review reported that 90% of Expedia’s revenue was driven by APIs. eBay and Salesforce also claimed 60% and 50% API-driven revenue, respectively.

The influence and spread of APIs have continued to grow in recent years, helped by the community around programmableweb.com, whose directory listed over 12,000 registered APIs in 2015.

An API is essentially a user interface for other applications rather than for people. APIs are often managed by API gateways, lightweight pieces of software running on an application server that manage the connection points through which other app services or mobile apps push or pull data.

A gateway helps define the relationship between an API and other APIs and clients, enabling organizations to reuse the output of the original service in different ways, apps, or environments without starting from scratch. This is pivotal for those looking to leverage existing infrastructure with minimal modifications.

However, the rise of APIs brings with it the potential for security loopholes, and API developers need to understand the risks in order to keep customer and corporate data safe.

One of the biggest issues is overly broad permissions: an attack through the API can give bad actors visibility into everything within the application infrastructure. API calls are also prone to the usual web request pitfalls such as injection, credential brute force, parameter tampering, and session snooping.

In this blog post, I am going to shed light on the importance of API security for the forthcoming year.

API Security: Best Practices

To stay ahead of the API security curve, I urge organizations to follow these API security practices:

Recognize the risk of APIs

By using APIs, companies may inadvertently open the door to all of their corporate data, exposing it to potential vulnerabilities. When API developers work with APIs, they focus on a small set of services with the goal of making features as robust as possible. Developers tend to think outside the box.

Security challenges arise because nowadays the front end and back end are linked to a hodgepodge of components. When it comes to security vulnerabilities, hackers think outside the box, examining ways a gateway here or there can be used for nefarious purposes.

APIs are difficult to use

Software development has faced flak recently: DevOps has made allocating resources simpler and faster, but at the same time the number of connections is on the rise, and cross-platform app development has made system design more complex.

On the other hand, APIs support literally thousands of possible connections, and under pressure to deliver new releases as soon as possible, API developers sometimes hurriedly make mistakes.

In fact, a study by University of Virginia researchers found that API programmers, even after following standard security practices, sometimes deliver insecure code.

They examined three sets of apps, including client apps in the Windows 8 App Store that use various social media sign-ins, and determined that 67% to 86% of the apps had security vulnerabilities that could lead to the theft of users’ credentials.

Monitor Add-on Software Carefully

The sophistication of API development creates other problems. One popular use of the interfaces is to allow third parties to write add-on apps for a platform. Mobile platforms and social media apps rely on others to add value to their base systems. A potential bugaboo is that such an interface often gives those developers a high level of authorization rights, in most cases including system administrator privileges.

Hackers yearn for those privileges and will voraciously try to dig out such system vulnerabilities.

Work with Standards Judiciously

Enterprises have been working on standards to improve API security and ease implementation, but the results have been mixed. The Internet Engineering Task Force’s OAuth is an open authorization standard designed to give a client secure, restricted access to system resources on a user’s behalf without the user sharing their credentials.

The standard is commonly used as a way for internet users to log into third-party websites via their Microsoft, Google, Facebook, or Twitter accounts.

But problems can arise because the standard is built on the HTTP protocol, which has flaws, and APIs provide an attractive point of attack.

So, what types of attacks may occur in this scenario? Unfortunately, the list is too long to cover here. Many vulnerabilities come into play when an attacker probes your clients’ or users’ network.

Focus on Authorization and Authentication on Front End

APIs don’t live alone; API developers tie them into other pieces of software. Securing the code properly requires that developers take a multi-faceted approach. It has to start with solid authentication, which is the process of checking whether a person is who they say they are.

Organizations have been moving away from simple password systems to multi-step or two-factor authentication with a growing emphasis on biometric solutions such as fingerprint recognition. 

Once the person is authenticated, they still need to pass an authorization check in order to access different kinds of information.

For instance, only a few employees need access to payroll data, but everyone should be able to read the company president’s blog. Finally, an enterprise needs to ensure that corporate data is safe. Increasingly, businesses encrypt information from inception to deletion, whereas previously data was encrypted mainly while in transit from place to place on the network. With encryption, even if hackers manage to get in, they see nothing of value.
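The two-step check described above, authentication first and then a per-resource authorization decision, as an added example that is not code from the original post. The token store, roles, and routes (payroll restricted to a narrow role, the president's blog readable by any authenticated employee) are constructed here for illustration.

```python
"""Added example: authenticate the caller, then authorize each resource
separately, so that passing authentication never implies broad access."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample credential store: bearer token -> (user, roles).
# In a real deployment these would be verified tokens, e.g. from an OAuth server.
TOKENS: Dict[str, Tuple[str, Set[str]]] = {
    "tok-alice": ("alice", {"employee"}),
    "tok-bob": ("bob", {"employee", "payroll_admin"}),
}

# Per-route authorization: which roles may read each resource.
ROUTE_ROLES: Dict[str, Set[str]] = {
    "/blog": {"employee"},          # every authenticated employee may read
    "/payroll": {"payroll_admin"},  # deliberately narrow
}


@dataclass
class Response:
    status: int
    body: str


def authenticate(headers: Dict[str, str]) -> Optional[Tuple[str, Set[str]]]:
    """Step 1: establish who the caller is; returns (user, roles) or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def handle(path: str, headers: Dict[str, str]) -> Response:
    """Authenticate, then authorize the specific resource, then serve it."""
    ident = authenticate(headers)
    if ident is None:
        return Response(401, "authentication required")
    user, roles = ident
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return Response(404, "no such resource")
    # Step 2: authorization is decided per resource, never inferred from step 1.
    if not roles & allowed:
        return Response(403, f"{user} may not read {path}")
    return Response(200, f"{path} contents for {user}")
```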

Remember to check data on the back end

Organizations spend a lot of time and effort securing the front end, but attackers still worm their way into the system. Businesses need to set up another checkpoint on the way out of the network.

If hackers access some confidential information, it only becomes valuable to them once they can move it into their own system. In other words, if you miss a crook on the way in, you can still thwart him on the way out.
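An egress checkpoint of the kind described above, as an added example that is not part of the original post: it inspects API responses on the way out, strips fields a route was never meant to expose, and refuses responses that return far more records than the route should, which is one way to catch bulk extraction after the front end has been breached. The per-route policy, sensitive field names, and sample records are constructed for illustration.

```python
"""Added example: an egress (response-side) checkpoint for API data."""
from typing import Any, Dict, List, Tuple

# Constructed policy: fields each route may expose, and a sanity limit on how
# many records one call should ever return.
EGRESS_POLICY: Dict[str, Dict[str, Any]] = {
    "/blog": {"fields": {"title", "body", "author"}, "max_records": 50},
    "/payroll": {"fields": {"employee_id", "net_pay"}, "max_records": 5},
}

# Fields that must never leave the back end regardless of route.
SENSITIVE_KEYS = {"ssn", "password_hash", "bank_account"}


def egress_check(
    path: str, records: List[Dict[str, Any]]
) -> Tuple[bool, List[Dict[str, Any]], List[str]]:
    """Return (allowed, filtered_records, findings).

    allowed is False when the response should be blocked outright; findings
    are human-readable notes suitable for an audit log.
    """
    findings: List[str] = []
    policy = EGRESS_POLICY.get(path)
    if policy is None:
        # Unknown routes get no data out: fail closed.
        return False, [], [f"{path}: no egress policy, blocking response"]
    if len(records) > policy["max_records"]:
        findings.append(
            f"{path}: {len(records)} records exceeds limit {policy['max_records']}"
        )
        return False, [], findings
    filtered: List[Dict[str, Any]] = []
    for rec in records:
        leaked = set(rec) & SENSITIVE_KEYS
        if leaked:
            findings.append(f"{path}: stripped sensitive field(s) {sorted(leaked)}")
        # Keep only the fields this route is allowed to expose.
        filtered.append({k: v for k, v in rec.items() if k in policy["fields"]})
    return True, filtered, findings
```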

Take a look at API Security and Tools

New tools that help API developers manage APIs are being developed by a variety of sources, ranging from startups to established vendors. You will see more tools and vendors in the space, both for runtime management and for design-, development-, and test-time vulnerability detection. These tools include items such as prebuilt security scans that check code for flaws like parsing and improper data handling issues.

Budget Time for Security Testing

Security testing takes time and money, and companies need to make the investment. While new functionality drives development, about 5-10% of the budget should be allocated to security testing.

Ideally, a corporate security team has developed sound, repeatable processes and procedures, so that they are not starting from scratch on each fresh project.

Conclusion

The usage of APIs is continuously rising and empowering businesses to build more dynamic applications. APIs are not new, but they are especially relevant in the age of the Internet, where applications are constantly growing and evolving.

However, to take advantage of these capabilities of API development, organizations have to make sure they are aware of the potential security threats in order to close them in time.
