What is an API?
API is the acronym for application programming interface: "a software intermediary that allows two applications to talk to each other. APIs are an accessible way to extract and share data within and across organisations" (MuleSoft).
Why does an API need to be secured?
An API-first strategy is now common, and the API is the entry point through which a web application retrieves or stores data. That makes the API exposed to the internet, and bad actors frequently target vulnerable APIs to steal data or disrupt the business. APIs also share the weaknesses of web applications, whether injection-based attacks or denial of service, so they need the same level of attention to protect them.
API Protection
The OWASP API Security Top 10 is one approach to highlighting API risks; we can also protect APIs by applying standard security controls. Some of the security control objectives are:
- API Governance
- Access Control
- Network Control
- Cryptographic Control
- Secure Configuration
- Logging and Monitoring
Let's look at each of the control objectives in turn.
API Governance
Some best practices in API governance are:
- API discovery: keep an inventory of all APIs
- Deprecate unused APIs
- CI/CD to manage the lifecycle of APIs
Access Control
Authentication and authorization are the key controls for an API. Every API, whether internal or external, needs to be protected with both authentication and authorization.
Authentication
- API keys (TLS must be enabled)
- Certificate-based authentication
- JWT: validate the token's expiry and that it is signed by the correct party
Authorization
Authorization is normally handled by the application, which decides who may invoke the API by reading the JWT claims. JWT claims commonly carry additional details, such as group membership, that can be used to make authorization decisions.
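The two JWT checks listed above (expiry, and a signature from the correct party) together with group-based authorization from the claims, as an added example in Python that is not part of the original article. It implements HS256 verification with the standard library rather than a JWT package, and the shared secret, issuer, audience and group names are constructed values for the demonstration:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo: a shared HS256 key and the issuer/audience this API expects.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"
EXPECTED_ISSUER = "https://idp.example.test"   # hypothetical identity provider
EXPECTED_AUDIENCE = "orders-api"                # hypothetical audience claim for this API


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Issue an HS256 JWT. Used here only to build input for the validator."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_token(token: str, key: bytes = SHARED_SECRET, now=None) -> dict:
    """Return the claims if the token is signed by the expected party, addressed to this API
    and not expired; otherwise raise ValueError describing the first failed check."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the server side; the token must not be allowed to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the recomputed signature against the presented one.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def authorize(claims: dict, required_group: str) -> bool:
    """Authorization from the claims: the caller must belong to the required group."""
    return required_group in claims.get("groups", [])


if __name__ == "__main__":
    token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                        "exp": int(time.time()) + 300, "sub": "svc-a", "groups": ["orders:read"]})
    claims = validate_token(token)
    print("authenticated", claims["sub"], "can read orders:", authorize(claims, "orders:read"))
```

The order of checks matters: the signature is verified before any claim is trusted, so issuer, audience and expiry are only read from a payload that the expected party actually signed.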
Network Control
Network control is another key control for an API. Restrict access to the API to the proper CIDR ranges, and make the API private if it is not internet-facing, to reduce the attack surface. Protect internet-facing API endpoints with DDoS protection. Apply API rate limiting and throttling to prevent abuse of the API.
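The rate limiting and throttling mentioned above, as an added Python example that is not part of the original article. It is a per-client token bucket (the standard algorithm behind most gateway rate limiters); the policy of a burst of 5 requests and a sustained 1 request per second, and the client ids, are constructed for the demonstration:

```python
class TokenBucket:
    """A bucket holding up to 'capacity' tokens, refilled at 'refill_per_sec'.
    Each request spends one token; an empty bucket means the request is throttled."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)  # a new client starts with a full burst allowance
        self.last = now

    def try_consume(self, now: float, cost: int = 1) -> bool:
        # Refill proportionally to the time elapsed since the last request, capped at capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def retry_after(self, cost: int = 1) -> float:
        """Seconds until 'cost' tokens are available; suitable for a Retry-After header."""
        deficit = cost - self.tokens
        return 0.0 if deficit <= 0 else deficit / self.refill_per_sec


class RateLimiter:
    """One bucket per client identity (API key, client id or source address)."""

    def __init__(self, capacity: int = 5, refill_per_sec: float = 1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}

    def allow(self, client_id: str, now: float) -> bool:
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.capacity, self.refill_per_sec, now)
        return bucket.try_consume(now)

    def retry_after(self, client_id: str) -> float:
        bucket = self.buckets.get(client_id)
        return 0.0 if bucket is None else bucket.retry_after()


def simulate(requests, limiter=None):
    """requests: list of (timestamp_seconds, client_id). Returns one HTTP status per request:
    200 when admitted, 429 (Too Many Requests) when throttled."""
    if limiter is None:
        limiter = RateLimiter()
    return [200 if limiter.allow(client, ts) else 429 for ts, client in requests]


if __name__ == "__main__":
    # Constructed traffic: client A bursts 7 requests at t=0, client B sends 1, then A returns at t=2.
    traffic = [(0.0, "key-A")] * 7 + [(0.0, "key-B")] + [(2.0, "key-A")] * 3
    print(simulate(traffic))
```

Because each client has its own bucket, one abusive key exhausts only its own allowance; the other clients' buckets are untouched, which is the property a practitioner wants from throttling.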
Cryptographic Control
Enforce encryption in transit, requiring at least TLS 1.2 for transport layer security. API definitions and any additional parameters should be encrypted at rest.
API Secure Configuration
Secure configuration is the combination of all the controls above. In addition, request validation and response transformation provide extra protection. Request validation checks each request against a pre-defined schema and drops it at the front door if it does not conform to the baseline. Response transformation prevents the backend from over-sharing data.
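Request validation against a schema and response transformation, as an added Python example that is not part of the original article. The order endpoint, its field schema, the size limit and the response allow-list are constructed for the demonstration; the validator also rejects unknown fields, which is what stops a client from smuggling in attributes the schema never defined:

```python
import json

# Constructed schema for a hypothetical POST /orders request body.
ORDER_REQUEST_SCHEMA = {
    "required": {"sku", "quantity"},
    "fields": {
        "sku": {"type": str, "max_len": 32},
        "quantity": {"type": int, "min": 1, "max": 1000},
        "note": {"type": str, "max_len": 200},
    },
}

# Constructed allow-list of fields a client may see in an order response. Everything else the
# backend returns (internal ids, cost price, other parties' details) is stripped at the front door.
ORDER_RESPONSE_FIELDS = {"order_id", "sku", "quantity", "status"}


def validate_request(body_bytes: bytes, schema=ORDER_REQUEST_SCHEMA, max_bytes: int = 4096):
    """Return (True, None) if the body conforms to the schema, else (False, reason).
    Checks run cheapest-first: size, then JSON syntax, then shape, then per-field rules."""
    if len(body_bytes) > max_bytes:
        return False, "body too large"
    try:
        body = json.loads(body_bytes)
    except ValueError:
        return False, "invalid json"
    if not isinstance(body, dict):
        return False, "body must be an object"
    unknown = set(body) - set(schema["fields"])
    if unknown:
        return False, f"unknown fields: {sorted(unknown)}"
    missing = schema["required"] - set(body)
    if missing:
        return False, f"missing fields: {sorted(missing)}"
    for name, value in body.items():
        rule = schema["fields"][name]
        # bool is a subclass of int in Python, so exclude it explicitly for integer fields.
        if not isinstance(value, rule["type"]) or (rule["type"] is int and isinstance(value, bool)):
            return False, f"{name}: wrong type"
        if "max_len" in rule and len(value) > rule["max_len"]:
            return False, f"{name}: too long"
        if "min" in rule and value < rule["min"]:
            return False, f"{name}: below minimum"
        if "max" in rule and value > rule["max"]:
            return False, f"{name}: above maximum"
    return True, None


def transform_response(backend_record: dict, allowed=ORDER_RESPONSE_FIELDS) -> dict:
    """Keep only allow-listed fields of the backend's record before it leaves the gateway."""
    return {key: value for key, value in backend_record.items() if key in allowed}


if __name__ == "__main__":
    print(validate_request(b'{"sku": "ABC-1", "quantity": 2}'))
    print(validate_request(b'{"sku": "ABC-1", "quantity": 2, "is_admin": true}'))
    # Constructed backend record carrying more than the client should see.
    print(transform_response({"order_id": 42, "sku": "ABC-1", "quantity": 2, "status": "NEW",
                              "cost_price": 3.10, "warehouse_db_id": "wh-17"}))
```

An allow-list for the response is deliberately chosen over a deny-list of known-sensitive names: when the backend adds a new field, it stays hidden until someone decides it should be exposed.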
Logging and Monitoring
Audit API activity and centralise the logs; this is invaluable during incident response.
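Audit logging with a detection run over the resulting records, as an added Python example that is not part of the original article. The record format, the client ids and the sample traffic are constructed; the point is that each API call produces one structured line that never contains the credential itself, and that centralised records can then be queried for the patterns an incident responder looks for first:

```python
import json
from collections import Counter, defaultdict

# Header names whose values are secrets: the audit log records only that one was present.
SENSITIVE_HEADERS = {"authorization", "x-api-key", "cookie"}


def audit_record(ts: str, client_id: str, method: str, path: str, status: int,
                 headers: dict, request_id: str) -> str:
    """One structured (JSON lines) audit entry per API call, safe to ship to a central store."""
    return json.dumps({
        "ts": ts,
        "request_id": request_id,
        "client": client_id,
        "method": method,
        "path": path,
        "status": status,
        "credential_presented": any(h.lower() in SENSITIVE_HEADERS for h in headers),
    }, sort_keys=True)


def parse_log(lines) -> list:
    return [json.loads(line) for line in lines if line.strip()]


def clients_with_auth_failures(records, threshold: int) -> list:
    """Clients with at least 'threshold' 401/403 responses: repeated rejected credentials."""
    failures = Counter(r["client"] for r in records if r["status"] in (401, 403))
    return sorted(client for client, n in failures.items() if n >= threshold)


def clients_probing_objects(records, threshold: int) -> list:
    """Clients denied on at least 'threshold' distinct object paths: a sign of object-level
    access probing (OWASP API1, broken object level authorization) worth reviewing."""
    denied_paths = defaultdict(set)
    for r in records:
        if r["status"] in (401, 403, 404):
            denied_paths[r["client"]].add(r["path"])
    return sorted(client for client, paths in denied_paths.items() if len(paths) >= threshold)


# Constructed sample traffic, not real logs: key-A is rejected on three different orders,
# key-B fails once, key-C is a normal authenticated call.
SAMPLE_LOG = [
    audit_record("2024-01-01T10:00:00Z", "key-A", "GET", "/orders/1", 401, {"X-Api-Key": "<constructed>"}, "r1"),
    audit_record("2024-01-01T10:00:01Z", "key-A", "GET", "/orders/2", 403, {"X-Api-Key": "<constructed>"}, "r2"),
    audit_record("2024-01-01T10:00:02Z", "key-A", "GET", "/orders/3", 403, {"X-Api-Key": "<constructed>"}, "r3"),
    audit_record("2024-01-01T10:00:03Z", "key-B", "GET", "/orders/7", 401, {}, "r4"),
    audit_record("2024-01-01T10:00:04Z", "key-C", "GET", "/orders/9", 200, {"Authorization": "Bearer <constructed>"}, "r5"),
]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("repeated auth failures:", clients_with_auth_failures(records, threshold=3))
    print("object probing:", clients_probing_objects(records, threshold=3))
```

Recording only `credential_presented` rather than the header value keeps the central log store out of scope as a secret store, which matters when many teams have read access to it for incident work.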
Others
Deploy a WAF to protect against Layer 7 attacks.
Conclusion
This is not an exhaustive list of ways to protect an API, but it is a good starting point. Reference materials for further reading:
1. https://api.gov.au/sections/api-security.html
2. https://docs.aws.amazon.com/whitepapers/latest/security-overview-amazon-api-gateway/security-design-principles.html
3. https://apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm