8 essential best practices for API security
Application programming interfaces (APIs) have become ubiquitous, with enterprise developers relying heavily on them to deliver new products and services. That is no surprise: they let programmers integrate functionality from externally provided services instead of building it themselves.
Program-to-program interfaces are as old as programming itself, but the landscape is changing with containers and mobile application development. ProgrammableWeb has a directory listing about 15,000 APIs used for mobile and web applications. “Legacy applications are being retooled, enterprises are breaking software down into smaller pieces, and increasingly applications are being connected to new mobile front ends via APIs,” says Steve Willmott, CEO of API management platform 3scale.
However, every new API is also a new entry point, so developers need to understand the risks in order to keep corporate and customer data safe. The challenges start with programmers’ priority lists. “Developers focus more on items like functionality and agility than security,” notes Kyle Lai, vice president and principal security architect at Pactera. Consequently, businesses need guidelines to ensure their API deployments do not create security problems.
Here are eight essential best practices for API security.
1. Recognize the risks of APIs
When developers build an API, they concentrate on one small set of services and on making that feature set as robust as possible for its intended callers. Attackers are not bound by the intended use: modern front ends and back ends are stitched together from a hodgepodge of components, and an attacker studies how each gateway, callback or internal service in that chain can be reached and repurposed.
“By using APIs, companies may inadvertently open up the door to all of their corporate data,” -Chris Haddad, chief architect at Karux LLC.
2. APIs are difficult to use
Software development has faced a double-edged sword recently. DevOps has made allocating resources simpler and faster, but at the same time the number of connections has risen and system design has become more complex. A single application may expose or consume thousands of API connections. Under pressure to deliver new releases as soon as possible, well-intentioned, responsible programmers sometimes hurry and make mistakes.
In fact, University of Virginia researchers found that developers deliver insecure code even when they follow the providers' documented procedures. The group tested three sets of apps, including client apps in the Windows 8 App Store that used various social media sign-ons, and determined that 67 percent to 86 percent of the apps had security vulnerabilities that could lead to users having their credentials stolen.
3. Monitor add-on software carefully
The sophistication of APIs creates other problems. One popular use of the interfaces is to allow third parties to write add-on apps for a platform. Mobile platforms and social media programs, like Facebook, rely on others to add value to their base system. The catch is that such interfaces often grant third-party developers broad permissions (administrator-level functionality in some cases). Those privileges are exactly what attackers covet, so a poorly protected add-on, or a leaked add-on credential, becomes a way into the platform itself.
4. Work with standards judiciously
Vendors have been working on standards to improve API security and ease implementations, but the results have been mixed. The Internet Engineering Task Force's OAuth 2.0 (RFC 6749) is an open authorization framework: it lets a user grant a client application restricted access to resources held by another service without handing that client the user's password. The framework is commonly used as the basis for logging into third-party websites via Microsoft, Google, Facebook, or Twitter accounts.
But problems can arise in practice. OAuth rides on plain HTTP, so the access tokens it issues are only as safe as the TLS channel and the token handling around them; a bearer token that leaks through a log, a redirect or an unencrypted hop is as good as a password to whoever holds it. And APIs themselves are an attractive exploitation point.
“API metadata provides the entire attack surface for an API, making it easier for hackers to know or find possible vulnerabilities,” -Ole Lensmar, chief technology officer at SmartBear Software
So, what type of attacks may occur? Unfortunately, the list is long. The Open Web Application Security Project (OWASP), a nonprofit foundation focused on improving software security, maintains top-10 lists of the most common web and API vulnerabilities, including injection (SQL and script) and broken authentication.
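Injection is the first item on that list because it is so easy to write. The block below is an added example, not code from the original article: a minimal "look up a user by id" API handler written two ways against an in-memory SQLite table with constructed sample rows. The vulnerable version pastes the path parameter into the SQL string, so an id of `1' OR '1'='1` returns every row; the safe version validates the parameter's shape and binds it as a query parameter.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice@example.com", "key-alice"), (2, "bob@example.com", "key-bob")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, user_id):
    """Vulnerable: the untrusted path parameter becomes part of the SQL text."""
    sql = f"SELECT id, email FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, user_id):
    """Hardened: reject anything that is not a plain integer, then bind it."""
    if not str(user_id).isdigit():
        raise ValueError("user id must be a positive integer")
    return conn.execute(
        "SELECT id, email FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("normal id, vulnerable:", lookup_user_vulnerable(db, "1"))
    print("injected id, vulnerable:", lookup_user_vulnerable(db, "1' OR '1'='1"))
    print("normal id, safe:", lookup_user_safe(db, "1"))
    try:
        lookup_user_safe(db, "1' OR '1'='1")
    except ValueError as exc:
        print("injected id, safe:", exc)
```

The parameterized query is the actual fix; the `isdigit` check is defense in depth that also gives the caller a clean 400-style error instead of a database error leaking schema details.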
5. Focus on authorization and authentication on the front end
APIs do not live alone. Developers tie these elements into other pieces of software, and securing the result requires a multi-pronged approach. It starts with solid authentication: verifying that a caller is who it claims to be. Enterprises have been moving away from simple passwords to multistep authentication, with a growing emphasis on biometric factors such as fingerprints. Once the caller is authenticated, every request still needs an authorization check: a decision about what that particular identity is allowed to do with each type of information.
For instance, few employees need access to payroll data, but everyone should be able to read the company president’s blog. Finally, an enterprise needs to make sure that corporate data is kept safe. Increasingly, businesses encrypt information at rest as well as in transit, from creation to deletion; previously, data was encrypted mainly while moving across the network. With encryption in place, attackers who do get in ideally find nothing of value they can read.
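The payroll-versus-blog rule above is the classic authentication-then-authorization split, and the two steps are easy to conflate. The following is an added example (not the article's own code) of a tiny API request handler that performs them in order: first it authenticates an HMAC-signed bearer token with an expiry, then it consults a hypothetical policy table that lets every employee read the blog but restricts payroll to the finance role. The signing key, the policy table and the usernames are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example; a real service loads it from a secret store.
SECRET_KEY = b"example-signing-key-do-not-use-in-production"

# Hypothetical policy: (resource, action) -> roles allowed to perform it.
POLICY = {
    ("blog", "read"): {"employee", "finance", "admin"},  # everyone reads the blog
    ("payroll", "read"): {"finance", "admin"},           # few need payroll data
    ("payroll", "write"): {"admin"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, roles, ttl_seconds=3600, now=None):
    """Mint a token: base64(claims) + '.' + base64(HMAC-SHA256 over the claims)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": sorted(roles), "exp": int(now + ttl_seconds)}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def authenticate(token, now=None):
    """Step 1: is the token genuine and unexpired? Returns claims or None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, AttributeError):  # malformed, bad base64, bad JSON, None
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims


def authorize(claims, resource, action):
    """Step 2: may this authenticated identity perform this action on this resource?"""
    allowed = POLICY.get((resource, action), set())
    return any(role in allowed for role in claims.get("roles", []))


def handle_request(token, resource, action, now=None):
    """Authenticate first, authorize second; never skip straight to the data."""
    claims = authenticate(token, now)
    if claims is None:
        return 401, "unauthenticated"
    if not authorize(claims, resource, action):
        return 403, "forbidden"
    return 200, f"{claims['sub']} may {action} {resource}"


if __name__ == "__main__":
    alice = issue_token("alice", ["employee"])
    bob = issue_token("bob", ["finance"])
    for who, tok in (("alice", alice), ("bob", bob)):
        for res, act in (("blog", "read"), ("payroll", "read")):
            print(who, res, act, handle_request(tok, res, act))
```

Two details matter in practice: the signature check uses `hmac.compare_digest` so an attacker cannot time a byte-by-byte comparison, and the policy is a deny-by-default table, so a resource or action that nobody thought to list is refused rather than silently allowed.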
6. Remember to check data on the back end
Enterprises spend a lot of time and effort securing information on the way in, but attackers still worm their way into systems. Businesses therefore need a second checkpoint on the way out of the network. Confidential information an intruder reaches has value only if it can be moved to systems the intruder controls, so inspecting outbound traffic and API responses for data that should not be leaving (unusually large result sets, records such as card numbers that a given endpoint never returns) gives a second chance to stop the theft. In other words, if you miss a crook on the way in, you can still thwart him on the way out.
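As an added example of such an outbound checkpoint (not code from the article), the block below inspects an API response before it leaves: it flags card-number-like digit runs that pass the Luhn check and responses whose record count exceeds what the endpoint normally returns. The response bodies and the record limit are constructed for the example; a real deployment would tune the patterns and limits per endpoint.

```python
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right and sums."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return digit runs that look like card numbers and pass the Luhn check."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def egress_decision(body: str, record_count: int, max_records: int = 100):
    """Decide whether a response may leave; returns ('allow'|'block', reasons)."""
    reasons = []
    cards = find_card_numbers(body)
    if cards:
        reasons.append(f"{len(cards)} card-like number(s) in response body")
    if record_count > max_records:
        reasons.append(f"{record_count} records exceeds per-response limit {max_records}")
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed sample responses.
    blog = '{"post": "Welcome back, team"}'
    dump = ('{"customers": [{"name": "A", "card": "4111 1111 1111 1111"},'
            ' {"order": "1234567890123"}]}')
    print(egress_decision(blog, record_count=1))
    print(egress_decision(dump, record_count=2))
    print(egress_decision("[]", record_count=5000))
```

The Luhn filter keeps the check from blocking every long order number (the 13-digit order id in the sample fails Luhn and is ignored), while the record-count limit catches the bulk dump an attacker wants even when the data itself has no recognizable pattern.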
7. Take a look at API security tools and gateways
New tools that help developers manage APIs are being developed from a variety of sources, ranging from start-ups to established vendors. “We will see more tools and vendors in the space, both for runtime security management and design/develop/test-time vulnerability detection,” notes SmartBear’s Lensmar. These tools include prebuilt security scans that probe an API for flaws such as parsing errors and improper handling of untrusted input, as well as gateways that enforce authentication, rate limits and input validation in front of the back-end services.
8. Budget time for security testing
Security testing takes time and money, and companies need to make the investment. While new functionality drives development, about 5 percent to 10 percent of the budget should be allocated to security testing.
“Ideally, the corporate security team has developed sound, repeatable processes and procedures, so they are not starting the process from scratch with each new project,” -Pete Lindstrom, vice president of security strategies at IDC.
API usage is rising and empowering businesses to build more dynamic applications. However, as they take advantage of these capabilities, organizations need to be aware of the potential security holes and close them.