API security refers to the processes and measures used to prevent or mitigate attacks on application programming interfaces (APIs). As discussed in the previous article, an Application Programming Interface, or API, is a software bridge that enables communication between two applications. Because crucial and sensitive data is transferred between users, APIs, and the applications and systems they interact with, it is very important that measures are in place to ensure that this communication remains secure at all times.
Below are 8 tips on how to avoid security risks and secure your APIs:
- Encryption: Encryption secures digital data by encoding it mathematically through cryptography so that it can only be read, or decrypted, by those holding the correct key or password.
Communications between applications should therefore be encrypted rather than sent in plain text, so that unauthorized parties cannot read the sensitive data being transmitted. It is always advisable to use the latest TLS versions (TLS, Transport Layer Security, is the industry-standard cryptographic protocol for encrypting information exchanged over a network): TLS 1.3 drops the weak cipher suites entirely, and where TLS 1.2 must still be supported it should be configured to accept only strong suites (forward-secret ECDHE key exchange with AEAD ciphers). Encryption in transit should be enforced for every client that calls the API, and each client must verify the server certificate; a client that skips certificate verification is protected only against passive eavesdropping, not against an active attacker on the path.
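The following is an added example (not code from the original article) showing what "latest TLS version, no weak cipher suites" looks like in a concrete configuration, using Python's standard `ssl` module. It builds a client context that verifies the server certificate and a server context that refuses anything below TLS 1.2 and, for TLS 1.2, accepts only ECDHE + AEAD suites. The certificate and key paths are placeholders; nothing here connects to the network.

```python
import ssl

# Substrings that identify cipher suites no modern API should offer.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ANON")


def make_client_context() -> ssl.SSLContext:
    """Context for a client calling the API: verifies the server certificate and hostname."""
    ctx = ssl.create_default_context()            # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Context for the API server. certfile/keyfile are placeholders for a real certificate chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: forward-secret key exchange plus AEAD ciphers only.
    # TLS 1.3 suites are chosen separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled cipher suites that match a weak-algorithm marker; should be empty."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


def legacy_versions_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything older than TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when a client context will reject an unverified or mismatched server certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    server = make_server_context()
    print("legacy versions disabled:", legacy_versions_disabled(server))
    print("weak suites enabled:", weak_suites(server))
    print("client verifies peer:", verifies_peer(make_client_context()))
```

The `weak_suites` check is the kind of self-test worth running in CI: it fails the build if someone later widens the cipher string to accommodate an old client.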
- Authentication: This is the process of determining whether someone or something is, in fact, who or what it claims to be. Authentication technology provides access control for systems by checking whether a user's credentials match those held in a database of authorized users or on an authentication server. In other words, authentication ensures that only authenticated users or processes are able to call your API.
Several methods can be deployed to authenticate users calling your API, these include:
- HTTP Basic authentication, where the caller supplies a user ID and password with each request (acceptable only over TLS, since the credentials are merely base64-encoded).
- An API key: a unique identifier issued to each client application, configured for the API and known to the API Gateway. Note that an API key identifies the calling application, not the person using it.
- A token generated by an Identity Provider (IdP) server and presented with each request, which the API verifies (signature, issuer, expiry) rather than trusting as-is.
It is recommended that these be layered, for example an API key identifying the client application together with an IdP-issued token identifying the user. Two credentials of the same kind (two secrets) are not two factors, however, so genuine two-factor authentication for human users should be enforced at the identity provider when the token is issued.
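To make the layered check concrete, here is an added example (not code from the original article, and not any particular gateway's implementation) that combines the second and third methods above: a constant-time API key check for the client application, plus verification of an HS256 JWT-style token for the user. The IdP is simulated by `issue_token`, the secrets and client id are constructed for the example, and the header names `X-Client-Id` / `X-Api-Key` are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secrets for the example only; a real deployment loads them from a secret
# store, and the IdP, not the API, holds the token signing key.
API_KEYS = {"client-42": "k3y-constructed-example"}      # client application id -> API key
JWT_SECRET = b"hmac-signing-secret-constructed-example"   # shared with the (simulated) IdP


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_token(subject: str, ttl: int = 300, now=None) -> str:
    """Stand-in for the IdP: mints an HS256 JWT so the example runs offline."""
    now = int(time.time() if now is None else now)
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": subject, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, now=None):
    """Return the claims if the token is well-formed, signed with our key and unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm server-side; the token must never choose it
        # (this blocks alg=none and HMAC/RSA key-confusion tricks).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        exp = claims.get("exp")
    except (ValueError, TypeError, AttributeError):
        return None
    now = time.time() if now is None else now
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def check_api_key(client_id: str, presented: str) -> bool:
    """Constant-time API key comparison; unknown client ids cost the same as wrong keys."""
    stored = API_KEYS.get(client_id, "")
    match = hmac.compare_digest(stored.encode(), presented.encode())
    return match and stored != ""


def authenticate(headers: dict, now=None):
    """Gateway-style check: the API key identifies the calling application and the bearer
    token identifies the user it acts for. Both must pass; returns the claims or None."""
    if not check_api_key(headers.get("X-Client-Id", ""), headers.get("X-Api-Key", "")):
        return None
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):], now=now)


if __name__ == "__main__":
    token = issue_token("alice", ttl=60)
    request_headers = {"X-Client-Id": "client-42", "X-Api-Key": "k3y-constructed-example",
                       "Authorization": "Bearer " + token}
    print(authenticate(request_headers))
```

Two details matter more than they look: the algorithm is fixed by the server rather than read from the token, and every secret comparison goes through `hmac.compare_digest` so that a wrong key fails in the same time as a nearly right one.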
- Logging and Monitoring: Event logging and monitoring means recording API activity in audit logs and examining those logs for indications that unauthorized or security-relevant actions have been attempted or performed against a system or application that processes, transmits, or stores confidential information. For an API this means logging, at minimum, the time, the source address, the caller identity (client application and user), the endpoint and the response status, and never logging credentials, API keys or tokens. Effective logging and monitoring help to protect confidential information and, through careful trend analysis, identify meaningful improvements to the security program: a burst of authentication failures from a single source followed by a success, for example, is the signature of credential stuffing or brute forcing and should raise an alert.
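The following added example (not from the original article) runs two such detections over a constructed API access log: a burst of 401/403 responses from one source inside a sliding window, a later success from a source that was already flagged, and any 403 on an administrative path. The log format (time, IP, method, path, status) and the `/api/v1/admin/` prefix are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an API access log: time, source IP, method, path, status.
LOG_LINES = """\
2024-05-01T10:00:01Z 203.0.113.7 GET /api/v1/orders 401
2024-05-01T10:00:02Z 203.0.113.7 GET /api/v1/orders 401
2024-05-01T10:00:03Z 203.0.113.7 GET /api/v1/orders 401
2024-05-01T10:00:04Z 203.0.113.7 GET /api/v1/orders 401
2024-05-01T10:00:05Z 203.0.113.7 GET /api/v1/orders 401
2024-05-01T10:00:06Z 203.0.113.7 GET /api/v1/orders 200
2024-05-01T10:00:07Z 198.51.100.2 POST /api/v1/login 401
2024-05-01T10:00:09Z 198.51.100.2 GET /api/v1/orders 200
2024-05-01T10:05:00Z 192.0.2.9 GET /api/v1/admin/users 403
""".splitlines()


def parse_line(line: str) -> dict:
    """Split one access-log line into its fields."""
    ts, ip, method, path, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path, "status": int(status)}


def detect(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Return (kind, ip, timestamp) findings in log order.

    auth_failure_burst:     >= threshold 401/403 responses from one IP within window_s
    success_after_burst:    first 200 from an IP that was already flagged (likely a hit)
    forbidden_admin_access: any 403 on an administrative endpoint
    """
    findings = []
    recent = defaultdict(deque)      # ip -> timestamps of recent 401/403 responses
    flagged, succeeded = set(), set()
    for e in map(parse_line, lines):
        if e["status"] in (401, 403):
            q = recent[e["ip"]]
            q.append(e["ts"])
            while (e["ts"] - q[0]).total_seconds() > window_s:   # drop events outside the window
                q.popleft()
            if len(q) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                findings.append(("auth_failure_burst", e["ip"], e["ts"]))
        if e["status"] == 403 and e["path"].startswith("/api/v1/admin/"):
            findings.append(("forbidden_admin_access", e["ip"], e["ts"]))
        if e["status"] == 200 and e["ip"] in flagged and e["ip"] not in succeeded:
            succeeded.add(e["ip"])
            findings.append(("success_after_burst", e["ip"], e["ts"]))
    return findings


if __name__ == "__main__":
    for kind, ip, ts in detect(LOG_LINES):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:24} {ip}")
```

In the sample, 203.0.113.7 trips the burst rule on its fifth failure and then succeeds, which is the case an analyst wants paged on; 198.51.100.2 has a single failure and is left alone.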
- Data validation: It is very important that appropriate checks are in place so that the data sent and received is validated. Validate request bodies against a JSON or XML schema, and check that each parameter is of the type it should be (string, integer, and so on) and within its expected range or set of values. Type and schema checks shrink the attack surface, but they are not a substitute for parameterized queries, which are the actual defence against SQL injection; likewise, XML should be parsed with entity expansion disabled (for example with the defusedxml library in Python) so that an XML bomb is rejected rather than expanded.
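Here is an added example (not code from the original article) that puts the two halves side by side: a small type-and-value validator standing in for a JSON schema check, and the same order lookup written first with string interpolation (deliberately vulnerable) and then with a parameterized query. The `orders` table, its rows and the field names are constructed for the example; SQLite is used only because it is built into Python.

```python
import sqlite3

# Stand-in for a JSON schema: field -> required Python type. A real service would use a
# schema library; the point is that every field is checked before it reaches the database.
ORDER_QUERY_SCHEMA = {"customer_id": int, "status": str}
ALLOWED_STATUS = {"open", "shipped", "cancelled"}


def validate(params: dict, schema=ORDER_QUERY_SCHEMA) -> list:
    """Return a list of validation errors; an empty list means the input is acceptable."""
    errors = []
    for key, typ in schema.items():
        if key not in params:
            errors.append(f"missing {key}")
            continue
        value = params[key]
        if type(value) is not typ:          # 'is not' so that bool does not pass as int
            errors.append(f"{key}: expected {typ.__name__}, got {type(value).__name__}")
    for key in params:
        if key not in schema:
            errors.append(f"unexpected field {key}")
    if not errors and params["status"] not in ALLOWED_STATUS:
        errors.append("status: not an allowed value")
    return errors


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER, status TEXT)")
    db.executemany("INSERT INTO orders VALUES(?, ?, ?)",
                   [(1, 7, "open"), (2, 7, "shipped"), (3, 8, "open")])
    return db


def orders_vulnerable(db, customer_id, status) -> list:
    """Deliberately vulnerable: caller-controlled values are pasted into the SQL text."""
    sql = (f"SELECT id FROM orders WHERE customer_id = {customer_id} "
           f"AND status = '{status}' ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def orders_safe(db, params: dict) -> list:
    """Validate first, then bind values as parameters so they can never become SQL."""
    errors = validate(params)
    if errors:
        raise ValueError(errors)
    rows = db.execute("SELECT id FROM orders WHERE customer_id = ? AND status = ? ORDER BY id",
                      (params["customer_id"], params["status"]))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("honest query:   ", orders_vulnerable(db, 7, "open"))
    print("injected query: ", orders_vulnerable(db, "7 OR 1=1 --", "x"))   # leaks every order
    print("safe query:     ", orders_safe(db, {"customer_id": 7, "status": "open"}))
```

The injected value `7 OR 1=1 --` turns the vulnerable query into `WHERE customer_id = 7 OR 1=1` with the rest commented out, returning every customer's orders; the same value never reaches `orders_safe`, because it fails the integer check, and even if it did the driver would bind it as a literal.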
- API firewalling: It is recommended that API security be segmented into two layers. The first layer sits in the DMZ, where an API firewall performs the cheap, basic checks: message size, request method and content type, obvious injection signatures, and anything else that can be decided at the HTTP layer, so that intruders are blocked early. Requests that pass are forwarded to the second layer, on the LAN, which applies the more expensive checks on the data content itself (schema validation, authorization, business rules). The more challenging you make it for cyber attackers to get at your information, the better.
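As an added example (not code from the original article and not any product's rule set), the function below is the kind of first-layer check the DMZ tier would run before a request is forwarded: size limits, a method allowlist, a content-type allowlist, a well-formedness check on JSON bodies, and a coarse injection signature. The limits and the regular expression are assumptions chosen for the example; the signature deliberately catches only the noisy cases, since the real defence against injection is the parameterized query in the second layer.

```python
import json
import re

# Limits assumed for the example; tune them to the API's real message sizes.
MAX_BODY_BYTES = 64 * 1024
MAX_URL_LENGTH = 2048
MAX_HEADER_COUNT = 50
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_CONTENT_TYPES = {"application/json"}
# Coarse signatures for the loudest SQL injection attempts. Anything subtler passes
# this layer on purpose; it exists to shed obvious noise, not to be the last line.
INJECTION_RE = re.compile(
    r"(?i)(\bunion\s+(all\s+)?select\b|\bor\s+1\s*=\s*1\b|;\s*drop\s+table\b)")


def first_layer_check(method: str, path: str, headers: dict, body: bytes):
    """HTTP-layer checks for the DMZ tier. Returns (allowed, reason)."""
    headers = {k.lower(): v for k, v in headers.items()}
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(path) > MAX_URL_LENGTH:
        return False, "url too long"
    if len(headers) > MAX_HEADER_COUNT:
        return False, "too many headers"
    declared = headers.get("content-length", "0")
    if not declared.isdigit():
        return False, "bad content-length"
    # Check the declared size before reading and the actual size after, so a client
    # cannot lie its way past the limit in either direction.
    if int(declared) > MAX_BODY_BYTES or len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    text = path + " " + body.decode("utf-8", errors="replace")
    if INJECTION_RE.search(text):
        return False, "injection signature"
    if method in ("POST", "PUT"):
        content_type = headers.get("content-type", "").split(";")[0].strip().lower()
        if content_type not in ALLOWED_CONTENT_TYPES:
            return False, "unsupported content type"
        try:
            json.loads(body)      # must at least be well-formed before the LAN tier parses it
        except ValueError:
            return False, "malformed json"
    return True, "ok"


if __name__ == "__main__":
    print(first_layer_check("POST", "/api/v1/orders",
                            {"Content-Type": "application/json"}, b'{"customer_id": 7}'))
    print(first_layer_check("GET", "/api/v1/orders?customer_id=7 OR 1=1", {}, b""))
```

Everything in this function is decidable without touching the database or the identity provider, which is exactly why it belongs in the DMZ: it costs almost nothing per request and keeps malformed or oversized traffic away from the tier that holds the data.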
- Up-to-date infrastructure and network: It is of utmost importance that the infrastructure and network your API relies on receive careful attention: the network must meet a high security standard, and the infrastructure must run current, patched versions of its operating systems, libraries and TLS stack, since an API is only as secure as the platform it runs on.
- API Gateway: An API Gateway helps you secure, control, and monitor your traffic from a single point: it is the natural place to terminate TLS, enforce authentication and rate limits, and emit the access logs described above.
Investing in an API management solution will not only help with security but will also provide traffic analysis that can inform technical and business decisions.
- OWASP Top 10: The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. OWASP also publishes a separate OWASP API Security Top 10 that covers risks specific to APIs, such as broken object-level authorization.
Both documents should be consulted when designing and building an API so that these risks are minimized. Working through them is perhaps the most effective first step toward producing a more secure API.
In conclusion, API security should not be taken for granted and should be an ongoing practice. In other words, security should be built into APIs from the start and continually reviewed for operating effectiveness throughout the API lifecycle.