If you had to guess, what would you say are the API security best practices that every dev team should know by heart?
API security starts with understanding API security risks. The best preventative measures are built with an intimate knowledge of specific threats in mind. Your web API security and API protection should be responding to the material realities of your operation.
Here are nine tips for securing web API best practices.
Getting Started With API Security
Where should API security best practices start? The core of API security is recognizing just how common API threats really are. API intermediaries are being used by everyone from Google to the latest startups. This means that potential threats to web API security can’t be ignored.
Whether you’re looking to improve your secure API calls or you need a primer on where to start, these 9 tips will get you started with API security.
1. Know Your API Security Risks
Securing web API best practices starts with knowing your threat vector. APIs have gone from the sidelines to the star player of digital communications. This has also made it a target for hackers looking for easy exploits.
Common attacks like credential stuffing, injection, cross-site scripting, and others are just a few of the things that your team needs to be aware of while building their code. Each of these different attacks approaches APIs in a unique way and requires a different security response.
You also need to consider the type of information that your APIs will be handling. Threat modeling looks very different if your APIs are transmitting personal information than it does for APIs that handle financial information. Other factors like the frequency of secure API calls, user request-levels, and the physical technology your servers use all come into play when planning out your API security.
Once you’ve got your basic threat modeling down, it’s time to start implementing.
2. Use TLS (And Upgrade Any Old SSLs)
TLS stands for Transport Layer Security and is the newest standard for encrypting information. TLS has replaced SSL as the latest model for encrypting information that runs through your APIs. Every API should either be built with TLS or be upgraded to TLS as soon as possible.
You can easily spot which web addresses aren’t using TLS. They start with the classic “http:” instead of the TLS version: “https:” Users are even beginning to run plug-ins that block all SSL websites in favor of the safer TLS versions. This means your team is losing market share by not upgrading your security features.
TLS requires independent certification by a third party. The good news is, in most cases this certification is already baked in. If you’re using Amazon Web Services, for example, your TLS certification will be included as part of those services.
3. Consider a Least Privilege Design
An easy tip for API security best practices is to design with a least privilege mentality in mind. What does this mean?
Least privilege simply means that each device, user, and program only has access to as much information and utility as it needs to complete a given range of tasks. Privilege is defined by the functionality a particular user requires.
Overextending the privileges of your API means running the risk of having an unintentional security exploit. Most users are going to require a narrow set of privileges that give them access to a few essential functions. The rest should be reserved for team members on a needs-based basis.
4. OAuth and OpenID
Passwords are a classic vulnerability that all APIs share. The more passwords that you have to manage, the more risk there is of losing them. Housing a lot of passwords also makes you a potentially juicy target for someone looking to steal information.
So, how can you get around housing tens of thousands of passwords? OAuth and OpenID are tools that have changed the game. Now, your team can transfer the authentication over to a third-party server.
OAuth and OpenID allow users to log in using credentials from trusted sources like Google, Amazon, or Apple. This means no dedicated password for your APIs. It also means that the security risk is transferred over to larger tech companies with more resources.
5. Always Validate Data
Your services are going to be sent a lot of data every minute of every day. One of the most important things you can do is ensure that data is always validated and authenticated by the parameters that you set for your API.
Your servers are going to be vulnerable to a variety of attacks including SQL injection and XML bombing if they’re not validating and authenticating the data they receive. One simple thing you can do is make sure that data matches the variable type that it’s been assigned to. Strings should be strings and variables should be variables.
You should also protect your server against packets of data that are far larger than they should be for the variables assigned to them.
6. Set a Rate Limit or a Throttle
Now we need to talk about a specific kind of attack that even the biggest companies are vulnerable to. This is called a distributed denial-of-service attack or a DDOS attack. This attack is accomplished by overwhelming servers with requests for data that will ultimately cause them to crash.
One way you can mitigate this threat is to throttle or set a rate limit. It limits the amount of requests your servers can receive based on a parameter that your team chooses.
Here’s one way you can implement a rate limit. Let’s say you realize that users typically only send 100 unique requests per day with high-volume users only reaching 1,000 requests each day. If you set the throttle limit at 5,000 requests per day, you’re likely not going to impact your average user while limiting the amount of risk you have from a DDOS attack.
You should also consider the physical hardware and the software you use for your servers and how much data they can handle.
7. Always Authenticate
Would you open an email and click a link from someone you didn’t know?
You probably said no to that question and for good reason. It protects your personal security and limits your risks by not accepting unknown contacts. Your server should be doing the same thing.
Always authenticate information that’s coming to your server. The easiest way to accomplish this is simply setting up a password-based authentication system. Your team can also implement API Keys, such as asymmetrical keys, to boost the strength of this authentication.
8. Stay Up-to-Date
This one should be a given, but it is important to address it nevertheless. You need to make sure that you’re always up-to-date for the latest software, security standards, and hardware.
We all expect end-users to keep things up-to-date to improve their security, but our own teams often don’t live up to these standards. Keeping the software, and hardware, that our dev teams use up-to-date is a key part of security. We need to live up to the standards that we are setting for our users.
You need to build this downtime into your scheduling. The time it takes to update programs, and the hardware they run on, should be a routine part of your development process.
9. Consider What Dev Teams Leave Behind
Building out new software is a lot like constructing a building. During the construction process, crews often have tools and other valuable equipment that they leave on the job site. Dev teams do the same thing by leaving passwords and other vulnerable information in the software they are coding.
Just like you wouldn’t want to leave any tools in a finished home, you also don’t want to leave any passwords in a finished product. You should perform layered sweeps of the final product to make sure that there is no valuable information that’s been left behind by the dev team.
Wrapping Up Our API Security Best Practices
Knowing the basics of API protection is a must for any modern dev team. API security risks have gone from occasional problems to serious hazards for both end-users and the companies that maintain websites and apps. Building a better security culture, starting with securing web API best practices, helps everyone avoid serious losses.
The first step towards API security starts with learning about threats and mitigation. This article was your first step, but where will your team go next?
