API Security — a Detailed Guide

APIs (Application Programming Interfaces) have become a critical enabler for catapulting the digital transformation of enterprises across the world—from startups to technology giants. However, API security is often disregarded, which reduces the appeal of this useful integration technology.

What is API Security in a Nutshell?

API security deals with the protection of network exposed APIs. It is a set of best practices and tools applied to web APIs. API security deals with issues including acess control, rate limiting, content validation, and monitoring & analytics.

Without a proper API security definition, an enterprise risks making it an attractive target to hackers, given the API’s ability to provide programmatic access to external developers. Enforcing web API security will ensure that the exposed digital data, which is the heart of the business itself, is safeguarded from unauthorized exfiltration.

What is API Security?

API Security involves authenticating & authorizing people or programs accessing a REST or a SOAP API. OAuth 2.0 is a popular open standard for access control without sharing passwords. Some design principles for API security are fail-safe defaults, least privilege, economy of mechanism, and complete mediation.

APIs are like doors and windows that provide access to valuable digital assets. Insecure or poorly designed APIs can be equated to malfunctioning doors and windows, which make access to the valuable items in the house easy. Therefore, APIs should be developed with security in mind.

Best Practices to Secure REST APIs in a Nutshell

1. Principle of Least Privilege
2. Fallback to Fail Safe Defaults
3. Simple Design
4. Clear Authorization Hierarchy
5. Always use HTTPS
6. Passwords Saved Hashed & Salted
7. Don’t Expose Information on URLs
8. Add Timestamp in Request

In this article, we’re going to delve deeply into the issue of the security of APIs and how you can protect them from digital vandalism.

Let’s start by talking about API security overview.

What is API security?

API security can be explained as an overarching term that involves the implementation of processes and strategies intended to mitigate the vulnerabilities and security risks of APIs.

Generally, most API developers recognize the importance of adhering to API security principles because they do not want to ship a bad API. However, some of them lack sufficient skills in proper API development, are tempted to look for shortcuts to meet aggressive deadlines, or just fail to apply the API security rules. Consequently, such pitfalls may lead to serious risks: vulnerable APIs.

Can APIs be Hacked?

API hacking is a real threat to internal and external APIs. Exposing a resource to the Internet makes it a potential target for attack by hackers. Attacks like injection, DoS, user spoofing, man-in-the-middle, session replays, and social engineering can hack an API with poor security.

For example, if an attacker gets control of a payment API, they could redirect the payments to their personal account or falsely mark payments as completed, while nothing has actually taken place. Also, substituting a malicious user authentication API for a legitimate one could compromise the identification mechanism of users accessing sites.

What is web API security?

Web API security involves the security web-based APIs. Since these APIs rely on web technologies, API developers often encounter the security vulnerabilities common in the open Internet. While most of the traditional threats prevalent in web applications are also applicable to web APIs, unfortunately, APIs are very highly susceptible to attacks.

Web APIs expose the underlying implementation of a computing system, which further expands the attack surface area. Unlike web applications, web APIs provide consumers with much more flexibility and granularity in terms of the data they can access.

Furthermore, with APIs, the extent of interactions shifts from the web-tier or the relatively more secured DMZ (demilitarized zone) to backend data repositories that lay behind the firewall. Essentially, based on the design of your web API, it could act as the weakest link in the security chain, providing an easy entry point for hackers to penetrate your system. Therefore, because of their uniqueness, instituting proper API security measures is crucial.

Most web service APIs are constructed using either SOAP (Simple Object Access Protocol) or REST (Representational State Transfer). While SOAP is extensively used in enterprise API environments where security is emphasized, it’s ceding ground to the modern and simple REST architectural pattern for the development of web services.

Although both REST and SOAP make data available over HTTP requests and responses, their operations rely on largely different semantics and formats. As such, you should approach their security considerations differently.

Let’s briefly talk about the distinct API security methods for both SOAP and REST APIs.

SOAP API security

SOAP is a standard communication protocol that supports the exchange of data in the XML (extensible markup language) format. SOAP Application Programming Interfaces utilize built-in protocols called Web Services Security (WS Security) for handling security considerations in transactional communications.

SOAP APIs support the security guidelines stipulated by two globally-recognized standards organizations: the World Wide Web Consortium (W3C) and the Organization for the Advancement of Structured Information Standards (OASIS). Mostly, these APIs use a combination of SAML tokens, XML-Signature, and XML-Encryption to enhance the security of the data being sent and received.

SOAP’s built-in standards and type of transport mechanism lead to more overhead as compared to using other API implementations, such as REST. However, organizations that handle sensitive data may benefit from SOAP implementation.

REST API security

REST refers to a set of software architectural principles that outline how data is exchanged between computing systems over the Internet. Unlike SOAP, REST is not a protocol, per se.

In addition to using HTTP, REST APIs also offer support for Transport Layer Security (TLS) encryption. TLS is a protocol that keeps the communication over an Internet connection private and ensures that the data exchanged between two systems remain unaltered and encrypted. If a website is protected with TLS (its URL starts with “HTTPS”—Hypertext Transfer Protocol Secure), an attacker trying to access your sensitive details from the website can neither read nor alter them.

Unlike SOAP that supports a single data format, REST supports multiple data formats, including JSON, XML, and HTML. Using a simpler file format like JSON allows for easier transfer of data over the Internet. With HTTP and JSON, REST APIs do not require repackaging or storing of data, which makes them much quicker than SOAP APIs.

It’s important to note that REST does not apply any specific security standards as SOAP. REST concentrates on the deliverability and consumption of data, not providing built-in measures for ensuring the security of data on transit.

Therefore, when creating an API using REST, you should endeavor to build sufficient amounts of security in the code and deployment process, without assuming that they come out-of-the-box.

Whereas it may seem that using SOAP may lead to more secure APIs, it really boils down to how well the API is designed. A well-constructed REST API can be more secure than a poorly-constructed SOAP API.

Here is a table that highlights the differences between REST API security and SOAP API security you can consider before choosing between the two:

REST API	SOAP API
It is an architectural style without any official security standard	It is a protocol with official security standards
Uses multiple standards, such as HTTP, JSON, and XML	Largely based on HTTP and XML
Uses simpler data formats like JSON that take fewer resources and bandwidth	Use of XML for creation of payloads leads to big sized files and increased overheads
Caching data transfers is possible, so no need of processing an already completed query again	Each query has to be processed every time

The need for API security

With the current rise of APIs, it seems cyber attackers are shifting their focus from their traditional targets and focusing their energies on APIs. The widespread adoption of APIs throughout the world has provided a new target that hasn’t been thoroughly exploited yet.

APIs are swiftly becoming ripe targets for malicious exploitations. In fact, a recent report by Edgescan, a European security firm, discovered that while 81% of all vulnerabilities in 2018 were network vulnerabilities, 19% of all the vulnerabilities were associated with web applications, APIs, etc.

Shockingly, a study by Gartner, a renowned global research and advisory firm, indicated that by 2022, API malpractices would result in the highest number of data breaches witnessed in most enterprise web applications.

Another report by Imperva, a cyber security software and services company, points out that API security breaches are becoming extensive year-over-year. According to the report, the number of new API vulnerabilities increased by about 154% from 2015 to 2018.

Here is a screenshot showing the number of API vulnerabilities between 2015 and 2018:

Furthermore, in recent years, there has been widespread news reports of API data security incidences affecting major Internet companies.

Here is a description of some of them:

• In March 2018, Google discovered and patched a bug in its Google+ People API that might have exposed the data belonging to more than 500,000 users. The API bug might have leaked users’ data since 2015. Consequently, the search giant resolved to shut down the social network application in August 2018.
• In early 2018, the Facebook-Cambridge Analytica data scandal in which Cambridge Analytica exploited Facebook APIs and illicitly harvested millions of users’ data. Consequently, the social media giant introduced stricter API policies.
• In 2018, the U.S. Postal Service had a serious API weakness that exposed the sensitive account details of about 60 million users. The vulnerability allowed any user who has logged in to USPS.com to use its API to view account details for other users, such as email addresses, phone numbers, and usernames. In some cases, it was possible to modify the users’ account details. Surprisingly, this vulnerability went unpatched for more than a year.

Therefore, in the wake of the growing API security concerns, enterprise security teams everywhere should treat APIs with the same level of seriousness offered to other business-critical applications.

API endpoint security measures should be regarded as an essential aspect of the development process, and not as an afterthought.

As illustrated by the examples above, API flaws can result in catastrophic results, including data breaches, service disruptions, account takeovers, and loss of reputation.

More so, with the introduction of strict data protection and privacy laws, such as the GDPR, it’s now evident that security breaches and non-compliance could make an enterprise incur heavy penalty fees.

Currently, organizations are required to enforce the requirements for the Protection of Personal Identifiable Information (PII) and the security of users’ sensitive data. Otherwise, serious regulatory penalties could ensue. For example, Facebook was hammered with a record $5 billion penalty over its careless handling of users’ data following the infamous Cambridge Analytica scandal.

If technology giants, like Google and Facebook, can overlook serious vulnerabilities in their APIs, then any enterprise can make the same mistake.

Importantly, if a company, regardless of the size, does not plan on implementing a comprehensive API security strategy, then there is a problem with its list of priorities. The need for API security cannot be emphasized enough. Period.

API security vulnerabilities

There are several ways hackers can exploit APIs and gain access to sensitive data or critical computing infrastructure. Most of them are slightly new versions of the common cyber security attacks.

Here are some of the main API security vulnerabilities:

• Login attacks
• Parameter attacks
• DoS and DDoS attacks
• Application and data attacks

Let’s talk about each of them.

1. Login attacks

Login-based attacks involve finding a way to penetrate the digital resources linked to APIs by testing out stolen or leaked login details, such as API keys.

Bad actors can also use brute force attack techniques that try out various random combinations of words and alphanumeric characters for logging in to API authentication systems.

If attackers probe the login environment and manage to gain access—just like a normal user—they can discover and exploit additional vulnerabilities, potentially bringing the API service to its knees.

Additionally, login attacks can be used to obstruct legitimate users from logging in, harm the user experience by reducing the usefulness of public APIs, and cause loss of sensitive data.

2. Parameter attacks

Parameter attacks are one of the most vexing types of API security issues. Generally, they exploit the data submitted into the API, such as query parameters, HTTP headers, post content, and URL.

These attacks aim to manipulate an API service by sending inputs that carry out malicious activities different from the intended behavior of the application and the system that supports it (such as a database).

A common type of a parameter attack is the SQL injection attack, which involves inserting nefarious SQL statements into an API’s entry field for execution. Consequently, it can lead to various results, such as instructing the database to dumb confidential data to the intruder.

Parameter attacks can be accomplished if the API inputs are not sanitized well. Neglecting to validate user inputs can enable an attacker to inject malicious code that supersedes the already existing parameters and cause devastating impacts.

Unlike most web applications, APIs usually identify the parameters underlying their usage. Unfortunately, this offers enticing clues for a perpetrator to stage an attack.

3. DoS and DDoS attacks

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks involve flooding an API service with tons of useless requests to halt its operations. Sadly, when an API has been overwhelmed with traffic, it becomes unavailable to legitimate users.

Hackers usually employ several tactics to realize service disruption. For example, when rate limiting controls are available, they can carry out these attacks by using botnets that stay below the stipulated traffic limits. Because every client makes the normal number of requests, these attacks can go undetected for an extended period.

Here is a diagram from Cloudflare that illustrates how DDoS attacks can be executed:

4. Application and data attacks

Application and data attacks are other common types of API security risks. These attacks involve seducing users into connecting to a compromised system, which enables the details of their API keys, tokens, or other sensitive data to be stolen.

Once a hacker has captured the credentials, evading even the most advanced authentication techniques to execute an attack becomes easy.

It’s important to note that the credentials can also be stolen by a rogue insider, dissatisfied employee, or any other crooked individual within your company.  Therefore, performing a thorough API security risk assessment within your workplace is essential.

According to a recent Verizon Data Breach Investigations Report, 81% of hacking-related data breaches take advantage of stolen credentials.

Here are the most common types of application and data attacks:

• Phishing attack—it involves tricking a user into disclosing private API information through fraudulent means. For example, an unsuspecting user can receive an email purporting to be from the legitimate API provider. However, when the user clicks a link in the email, they get redirected to a dummy API web page, which resembles the official web page, where they divulge the API login details.
• Malware attack—attackers can create malicious software that harvests users’ sensitive data and transmit to them.
• Man-in-the-middle attack—it takes place when a hacker places themself in a communication session between an unsecured API and a user (or an application), and secretly intercepts the user’s confidential data.

API security best practices

It’s possible to implement robust API security guidelines and mitigate the risks to the optimal performance of APIs. While the controls and tools may vary in each case, instituting comprehensive API security architectures can safeguard against most attacks that can exploit weaknesses in APIs.

While API security mechanisms share much with principles in web application security and network security, one-size-fits-all solutions cannot be applied to all of them. As earlier mentioned, APIs are fundamentally different.

By design, Application Programming Interfaces are more transparent, because they offer programmatic access to services and data. This transparency, which is reinforced within API documentation, is what adds to their attractiveness to hacking attacks.

Therefore, because APIs face unique risk factors, you should apply incremental API security standards beyond those used to secure other web resources. Enterprises that depend solely on the traditional methods for network security to safeguard their APIs shouldn’t be shocked if they are compromised.

Here are some API security best practices you can follow:

• Apply strong authentication and authorization
• Enhance visibility into APIs
• Validate parameters
• Use quotas and rate limiting
• Include security in the complete API development life cycle
• Practice user education

Let’s talk about each of them.

1. Apply strong authentication and authorization

Deploying robust authentication and authorization measures should be an essential aspect of any API security policy. Authentication is the initial step that verifies the identity of the user or application trying to access the API service.

Authorization is the next step that determines the resources the authenticated user or application can interact with. In other words, authentication verifies who you are while authorization determines what you can do.

A good way to control access to your APIs is to use secret keys. With API key authentication, you can verify the identity of each app or user and mitigate the risks of unauthorized access. This information can be used to maintain a log and to determine the extent of resources accessed.

So, after a client has been authenticated, they should be allowed to access the API functions based on their predefined role. For instance, a user granted read-only access rights should not be permitted to make requests to an endpoint meant for admin functionality.

To minimize the API key security risks, users should also be allowed to revoke the current authorization of an API key. This would assist in dealing with situations when the key is inadvertently exposed to malicious actors.

For example, the Rakuten RapidAPI API marketplace, which hosts thousands of APIs, generates secure keys for accessing APIs.

Here is an example of a key for the Dark Sky API:

For added security, you can use some kind of access token, which can be generated via an external process (such as when registering for an API service) or via a separate authentication technique (such as OAuth). In this reinforced API security model, the token will be passed with every request, and it will be validated before processing the request.

2. Enhance visibility into APIs

Authentication and authorization allow you to determine who has access to your API. What about monitoring, auditing, and analyzing your API traffic?

You need to have an API security management solution that lets you see the activities and usage of your API. With enhanced visibility into the API, you can scrutinize the API activities against normal use, assess excessive error activities, and detect attacks based on abnormal behaviors.

Insufficient visibility into APIs is a common problem in most enterprises. In fact, according to a 2018 survey on 100 security and IT professionals in the U.S., 45% of the respondents are not confident in their organizations’ ability to discover hackers accessing their APIs. Worse more, 51% cannot confidently affirm that their security team knows all about the APIs available in their organizations.

The above survey results demonstrate one of the biggest hindrances to implementing effective API security design principles—the people in charge of protecting APIs do not know what is happening with them. And, as the saying goes, “You cannot protect what you cannot see.”

Therefore, one of the recommended REST API security best practices is always to keep an eye on the API analytics tool and monitor various aspects of its usage, such as the number of times a specific user or application uses it and the most popular activities. With API security scanning tools, you can detect threats early enough and solve them before the extent of damage is magnified.

Additionally, gaining visibility into APIs can help in adhering to industry laws or compliance policies. For example, as part of an API security audit process, you may be required to submit verifiable logs of requests and responses to assist in the identification of illicit users.

3. Validate parameters

Ensuring all parameters are sufficiently validated is an essential aspect of any rigorous API security framework. Properly sanitizing all incoming data assists in confirming that the requests are validly received from a user or an application. Invalid or poorly formatted requests can be used to cause harm to your REST API.

Furthermore, to prevent parameter manipulation and injection attacks, you should use API security monitoring tools to create automatic security tests. With API endpoint security testing, you can detect if any user input can tamper with the performance of your API and carry out remedial actions as fast as possible.

The API security testing tools can also assist you in identifying bad bots and other suspicious behaviors. With the tools, enforcing API security vulnerability assessment methodology in your environment can be easy.

4. Use quotas and rate limiting

To enhance your API security levels, you should enforce quotas and rate limiting. Quotas will assist in determining how often your API endpoints can be called. If limits are not placed, hackers can make excessive calls and bring your API service to its knees—which also locks out legitimate users.

If a typical user makes one or two requests per minute, then receiving numerous thousands of requests per second should raise the red flag. Such an abnormal behavioral change in API security patterns is a pointer to misuse.

For example, to solidify the API security layer, you can place a limit that prohibits a user from calling an API more than 100 times per second or making a certain number of requests each day.

Furthermore, it’s also a best practice to include throttling rules to shield your APIs from sudden traffic spikes. This way, overflows of traffic can be redirected to backup services to avoid downtimes and performance lags.

5. Include security in the complete API development life cycle

API security should not be viewed as an afterthought. Rather, it should be integrated into the entire API development life cycle. Without an all-inclusive, policy-focused approach, maintaining the security of your APIs can be difficult.

Employing a set of scattered toolsets and ad hoc API security features is likely to lead to gaps and make your services susceptible to threats. APIs should be governed with systematic security policies that cut across the entire API life cycle. During planning, your team should think through security issues that are likely to be encountered once the API is built and deployed.

In development, the possible API security challenges highlighted during the planning phase should be addressed. For example, if the integrity of data exchanges is desired, then TLS encryption capabilities should be built right into the API code to safeguard it from some types of attacks, such as the notorious man-in-the-middle attacks.

More so, before deployment, the built-in API security systems should be sufficiently tested to ensure that everything works properly. An API security assessment checklist can be used to verify that every vital security requirement is addressed before it’s released for consumption.

Lastly, during runtime, the API should be continuously monitored for security threats and other issues that may impede optimal performance. If API security policies are instituted throughout the entire API’s life cycle, several threats can be mitigated.

6. Practice user education

User education in API security essentials is crucial to preventing unauthorized infiltration. Sufficient education can inculcate a security-aware culture among your API users and prevent bad actors from taking advantage of their gullibility and naivety to give out confidential information easily.

For example, if you educate users on the common API security hacks, you can place them numerous steps ahead of the game. If users are trained on the API security basics, they can be cautious before making any move. This way, they can learn how to do background checks to verify the authenticity of messages, such as emails purporting to be from a legitimate API provider.

Conclusion

APIs are a great technology that empowers enterprises to create future-centric and dynamic applications. However, they can be a double-edged sword: promising to supercharge the capabilities of applications while at the same time posing serious security threats.

Nonetheless, with the correct methodologies and policies, these risks can be mitigated, ensuring enterprises reap the rewards of this powerful technological breakthrough confidently and peacefully.

About Rakuten RapidAPI Enterprise Hub

Rakuten RapidAPI provides a centralized operation monitoring platform that allows you to derive useful insights about the security of your APIs. With the Rakuten RapidAPI Enterprise Hub, you can reinforce the security of your APIs using multi-factor user authentication by SMS or email, SSO (single sign-on) access control, and more.

Furthermore, the Enterprise Hub allows you to deploy granular role-based access control, carry out log access monitoring to analyze and detect anomalies, and control visibility based on tag settings such as a team’s exclusive APIs should only be visible to specific team members.

It’s the API management platform you need to gain a holistic, forensic view into the performance and security of your APIs.