
How to build an API with security in mind

Businesses should protect their API endpoints with an API gateway that provides robust authentication, authorization, and continuous auditing.

Application programming interfaces (APIs) are the preferred means of connecting modern applications and have become an indispensable part of application development. Businesses rely on them to share data with developers, third parties, and customers. However, the data they handle and the endpoints they access also make them an attractive target for attackers seeking unauthorized access to sensitive organizational data.

While you can add security features to APIs during or after deployment, it’s often not enough. To properly secure them, you need to include security in the design phase and build it from the ground up. This gives you a better chance of protecting your API from threats.

Build APIs with a security foundation

Security is a constantly evolving challenge. Cybercriminals are always looking for new ways to exploit vulnerabilities to their benefit. This is why it is important to consider security requirements from the beginning. You must deliberately design what should and what should not be allowed rather than trying to patch things later in the process.

Design security

Building a secure API starts before a developer writes the first line of code. It begins with the design of how the API will work, who it will serve, and what information it will carry, so security should be addressed before development is in full swing. Approaching it this way allows security controls and practices to be applied seamlessly as the API is built. One group almost always affected by additional API security measures is the users: some measures, for instance, will require them to provide their credentials regularly, and that friction degrades the user experience. That is why engaging users in the initial design stage is essential.

Security focal points

There are three focal points that a developer has to consider while creating a secure API. They include authentication, authorization, and auditing. Let’s discuss what each one entails.

1. Authentication

Authentication involves determining who a user is. Methods for authenticating API users include API keys, HTTP basic authentication, OAuth, and multi-factor authentication (MFA).

- HTTP basic authentication: This involves combining a username and a password, encoding them, and including them as a special HTTP header in every request. Before the server processes a request, it verifies the client's identity using the sent credentials.

- API key authentication: This involves including a key, a long string of numbers and letters, in the header of every request. The server issues an API key to each user and identifies the client making a request by its API key.

- OAuth authentication: This mechanism generates a token for each client once they log in to a system. The client then uses that token to identify itself to the server when making requests.

- Multi-factor authentication (MFA): This method sends a one-time password (OTP) to clients wishing to access the API via push notification or SMS. The most commonly used OTP is the time-based one-time password (TOTP), which is only valid for a limited time.

A robust authentication mechanism should confirm the identity of clients making API requests reliably, safely, and quickly. Additionally, it should rely on more than just usernames and passwords.
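As an added example (not code from the article), here is a minimal Python check for two of the methods above: HTTP basic authentication with a TOTP second factor, and API key authentication. The credential store, the header names X-API-Key and X-OTP, and all credentials are constructed for the demo; the TOTP routine follows RFC 6238.

```python
import base64
import hashlib
import hmac
import time

# Constructed credential store: passwords kept as salted PBKDF2 hashes, API keys as SHA-256 digests.
_SALT = b"constructed-demo-salt"

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": {"pw": _hash_password("correct horse"),
                   "totp_secret": b"12345678901234567890"}}  # RFC 6238 test secret
API_KEYS = {hashlib.sha256(b"demo-key-0123456789").hexdigest(): "reporting-service"}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authenticate(headers: dict, now=None):
    """Return the authenticated principal for a request's headers, or None."""
    now = int(time.time()) if now is None else now
    key = headers.get("X-API-Key")
    if key is not None:
        # Hash the presented key, then compare in constant time to avoid timing leaks.
        digest = hashlib.sha256(key.encode()).hexdigest()
        for stored, principal in API_KEYS.items():
            if hmac.compare_digest(stored, digest):
                return principal
        return None
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return None
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record["pw"], _hash_password(password)):
        return None
    # Second factor: the presented OTP must match the code for the current time step.
    expected = totp(record["totp_secret"], now).encode()
    if not hmac.compare_digest(expected, headers.get("X-OTP", "").encode()):
        return None
    return user
```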

2. Authorization

API authorization involves determining what an authenticated user can access and making it available to them securely. The process involves checking if the client making a request has permission to perform the requested action.

Broken Object-Level Authorization (BOLA) and Broken Function-Level Authorization (BFLA), both listed in the OWASP API Security Top 10, pose serious security risks to an API.

Broken Function-Level Authorization (BFLA) occurs when an API fails to properly enforce access controls on specific API functions or operations, allowing a client with restricted privileges to gain unauthorized access to them.
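As an added example (not from the article or from Software AG), the following Python sketch shows where the two checks belong in a request handler: a function-level check against the caller's roles (the BFLA concern) before any object is touched, and an object-level ownership check (the BOLA concern) before the object is returned or modified. The orders, roles and policy table are constructed for the demo.

```python
from dataclasses import dataclass

# Constructed sample data: each order has an owner; the API exposes
# GET /orders/{id} to customers and DELETE /orders/{id} to staff only.
ORDERS = {101: {"owner": "alice", "total": 42.0}, 102: {"owner": "bob", "total": 7.5}}
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"customer", "staff"}}

# Function-level policy: which roles may invoke an operation at all (the BFLA check).
FUNCTION_POLICY = {"orders:read": {"customer", "staff"}, "orders:delete": {"staff"}}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(principal: str, operation: str, order_id: int) -> Decision:
    roles = ROLES.get(principal, set())
    # BFLA: reject before touching any object if none of the caller's roles may call this function.
    if not roles & FUNCTION_POLICY.get(operation, set()):
        return Decision(False, "operation not permitted for caller's roles")
    order = ORDERS.get(order_id)
    # BOLA: a customer may only act on objects they own; staff may act on any object.
    # Missing and foreign objects get the same answer so the id space is not enumerable.
    if order is None or ("staff" not in roles and order["owner"] != principal):
        return Decision(False, "object not found or not permitted")
    return Decision(True, "ok")


def get_order(principal: str, order_id: int):
    """GET /orders/{id}: return the order only after an explicit authorization decision."""
    if not authorize(principal, "orders:read", order_id).allowed:
        return None
    return ORDERS[order_id]


def delete_order(principal: str, order_id: int) -> bool:
    """DELETE /orders/{id}: staff only, and the object must exist."""
    if not authorize(principal, "orders:delete", order_id).allowed:
        return False
    del ORDERS[order_id]
    return True
```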

3. Auditing

Logging and auditing all client requests is a critical component of API security. It allows you to analyze incoming traffic and identify usage patterns. You can use such data to identify attacks and evaluate their impact.

Without a proper audit system you can miss both attempted and successful attacks, because an attacker can execute an API attack without triggering any security alert. Continuous auditing is therefore critical to monitoring and improving an API's security posture.
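As an added example (not from the article), here is a structured audit record and a detection pass over a constructed audit trail in Python. It shows how logged requests reveal two patterns the text alludes to: repeated denials from one client, and one principal successfully reading many distinct object ids, which a broken object-level check could have let through without any alert. Thresholds, addresses (TEST-NET ranges) and timestamps are constructed.

```python
import json
from collections import defaultdict


def audit_record(ts: str, client_ip: str, principal, method: str, path: str, status: int) -> str:
    """One structured audit entry per request, emitted as a JSON line for shipping and querying."""
    return json.dumps({"ts": ts, "client": client_ip, "principal": principal,
                       "method": method, "path": path, "status": status}, sort_keys=True)


# Constructed audit trail: one normal read by bob, six denied requests from an
# unauthenticated client, and alice successfully reading eight different orders.
SAMPLE_LOG = [audit_record("2024-01-01T10:00:00Z", "198.51.100.4", "bob", "GET", "/orders/102", 200)]
SAMPLE_LOG += [audit_record(f"2024-01-01T10:01:{i:02d}Z", "203.0.113.7", None, "GET", "/orders/101", 401)
               for i in range(6)]
SAMPLE_LOG += [audit_record(f"2024-01-01T10:02:{i:02d}Z", "198.51.100.9", "alice", "GET", f"/orders/{100 + i}", 200)
               for i in range(8)]


def find_suspicious(lines, denied_threshold: int = 5, object_threshold: int = 5) -> dict:
    """Flag clients with many denied requests and principals touching many distinct objects."""
    denied = defaultdict(int)
    objects = defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        if rec["status"] in (401, 403, 404):
            denied[rec["client"]] += 1
        # Count distinct order ids per authenticated principal on /orders/{id}.
        parts = rec["path"].strip("/").split("/")
        if rec["principal"] and len(parts) == 2 and parts[0] == "orders":
            objects[rec["principal"]].add(parts[1])
    findings = {}
    for client, n in denied.items():
        if n >= denied_threshold:
            findings[client] = f"{n} denied requests: credential guessing or scanning?"
    for principal, ids in objects.items():
        if len(ids) >= object_threshold:
            findings[principal] = f"{len(ids)} distinct order ids read: possible object-level authorization gap"
    return findings
```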

Software AG API Security

Software AG helps companies build secure and reliable APIs. Its webMethods API Gateway enables companies to expose their API endpoints securely, connecting their backends to third-party developers, partners, and consumers.

webMethods API Gateway supports REST-based, SOAP-based, GraphQL, and OData APIs. It provides complete run-time protection and a web-based user interface to perform API-related tasks.

The increase in API attacks has made API security so critical that businesses can’t afford to make it an afterthought. They have to consider security in the API design stage because it minimizes the chance of a successful attack.
