Application program interfaces (APIs) form bridges between applications, allowing programs to communicate with each other across different codebases and hardware. But in the wrong hands APIs can inflict potentially massive damage.
Enterprise applications form ever-larger attack surfaces, but APIs are often where the real vulnerabilities lie. While many attacks can be detected and thwarted by firewalls and standard SIEM tools, attacks via APIs move more stealthily, as they often exploit access privileges that the API already allows. These vulnerabilities extend far beyond the corporate realm and potentially even affect your personal vehicle. Insecure APIs are so ubiquitous that they are even used to hack Teslas.
Here’s how to adopt a more rigorous security posture with APIs by implementing the following strategies.
1. Build for future users, not current ones
When APIs are in their infancy, they are often designed to meet the needs of a small team of developers working together. These developers know each other, maybe even share office space, and may not feel the need to implement authentication protocols to establish that everyone is who they say they are. Why should they? Before long, a particularly useful API moves out of the team and into a wider network of users than originally anticipated. Proper security measures should be in place before the genie comes out of the bottle, rather than long after.
2. Limit users
Speaking of future users, plan for a lot but control less, if possible. Allow access on a strictly necessary basis. More users means a larger attack surface, especially if privileges are not clearly and completely defined.
3. Limit data
the Eqthe ifax data breach represents the sum of all fears as the company harbored private financel information for nearly 150 million Americans. Fortunately, not every company’s business model requires collecting social security numbers, driver’s licenses, addresses, etc. Tightly tailor data collection so that only the most necessary data is required. Uncollected data is protected.
4. Encrypt data
Make sure that the communication paths use the appropriate encryption protocols such as SSL or TLS. Similarly, data at rest should be encrypted. This may seem like obvious advice, but too often a data breach happens because accounts and passwords were stored in plain text. It’s not enough to have encryption, you also have to use it correctly. Some protocols such as TLS allow encryption checking to be disabled on the server side or on the client side, resulting in potential exposure to interception of internet traffic. Ensure APIs comply with the latest security best practices to ensure communications are safe and secure.
Learn more about API security: 7 Trends in Network Management APIs
5. Adopt paging limits
Without proper API pagination, server requests can return one result or a hundred billion. The latter scenario would quickly eat up system resources and shut down applications. Worse still, there is no need for a malicious actor to cause harm – an innocent user may formulate a request too vaguely and receive a stunning response. Fortunately, paging is easy to implement. whose simplest form is ohFfset paging, which provides users with a predefined window of recordings they can retrieve. Other forms of paging include keyset and seek, which have their own advantages and disadvantages.
6. Use prepared statements in SQL queries
SQL injections are extremely common attacks, giving attackers the ability to impersonate other users, damage databases, or steal data. As the name suggests, the attacker inserts SQL code into a database query, often abusing escape characters that a properly configured server should have filtered out. Prepared statements prevent an attacker from injecting SQL code by blocking them with placeholders that can only store specific values, not SQL fragments. Another method to prevent SQL injections is to ensure that the data inputs match what is expected. For example, phone numbers should be stored as integers and not contain strings. Names must contain letters but not numbers.
7. Strengthen end-user and application authentication
For users accessing applications, implement routine password reset policies in accordance with the latest security best practices. For the apps themselves that interact with the APIs, use unique credentials for each version of the app, making it easier to pull outdated versions.
8. Impose throughput limits
Brute force attacks occur when an attacker sends large volumes of login credentials to a server in an effort to achieve a successful match by pure chance. A base rate limit can thwart these attacks, preventing more than one request from occurring within a reasonable amount of time. Would a human being be able to enter their password four hundred times in one minute? Probably not. So why would an API accept such a high and unreasonable number?
Security is the art of managing risk, not eliminating it. No fortress is impregnable, but attackers tend to take the path of least resistance and target victims with poor security standards. Reduce your API security and be the target attackers know how to avoid.
Read next: Application Security Code Reviews: Best Practices