6 Key Aspects of API Security That Enterprises Should Master

Date: 19 August 2024

As interconnected apps and microservices have become the norm in the tech world, cyber teams need to include Application Programming Interface (API) security in their list of priorities. One of the most vulnerable aspects of cloud-based applications is the API, which serves as an intermediary between different applications, between connected services, and between frontends and backends. 

APIs allow different apps and components to communicate with each other, but they also open possibilities for cyber attacks. APIs can be subjected to brute force attacks that aim to break authentication and authorization mechanisms. Threat actors can also use different kinds of injection attacks and other adversarial tactics to exploit vulnerabilities in APIs.

Apps are a treasure trove for threat actors: they often hold sensitive data, and neglected vulnerabilities make them viable targets. One recent study found that 74% of assets with PII are vulnerable to at least one known major exploit, and that only half of APIs are protected by a WAF, the most basic defence measure.

In this article, we take a closer look at a few of the most pivotal aspects of API security that enterprise cyber teams need to address.

1. Input Validation 
2. Rate Limiting and Throttling
3. API Endpoint Security 
4. Encryption 
5. Error Management 
6. Logging and Monitoring

Input Validation

Input validation refers to checking and sanitising the data an API receives. This validation matters because attackers can use particular combinations of characters or words in inputs to trigger unexpected behaviour. In SQL injection, for example, the attacker submits input containing SQL fragments that the API accepts and passes to the backend database, where they are executed. The injected code can result in access to sensitive data, the modification or deletion of data, or the execution of arbitrary commands.

To prevent inputs from becoming threats to APIs, queries should be parameterised, or the API should define the formats it will accept in a query. Additionally, allowed inputs can be restricted to specific sets of characters so that the API never accepts strings that could be interpreted as commands and executed in the backend.

Moreover, organisations can use API security solutions that accelerate input validation and sanitisation. These tools can automate data type checking, validation of input length and format, input filtering, and character encoding. They speed up the work of determining which expressions or character strings cause anomalous behaviour, and they help set allow lists and block lists for the characters or patterns permitted in inputs, effectively preventing malicious scripts from being accepted by the API as valid input.
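
The two controls described above, a parameterised query and a character allow-list, side by side with the string-concatenation lookup they replace. This is an added example written for this article, not code from the article or from any product it mentions; the in-memory SQLite table, the sample users and the username policy (3 to 32 characters of letters, digits and underscore) are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data so the example runs offline (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

# Assumed allow-list policy for usernames: 3-32 characters, letters, digits, underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

def is_valid_username(value):
    """Allow-list check: the value must be a string matching USERNAME_RE in full."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None

def lookup_user_vulnerable(conn, username):
    """Deliberately unsafe: the input is spliced into the SQL text, so quote
    characters in the input change the meaning of the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_user_parameterized(conn, username):
    """Parameterised query: the driver passes the value separately from the SQL,
    so the input is only ever treated as a literal value, never as SQL syntax."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

def lookup_user_safe(conn, username):
    """Allow-list validation first, then a parameterised query. Returns a
    response-style dict so the caller never sees a raw exception."""
    if not is_valid_username(username):
        return {"ok": False, "error": "invalid username"}
    return {"ok": True, "rows": lookup_user_parameterized(conn, username)}

if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # the textbook tautology string used in SQL injection
    print(lookup_user_vulnerable(conn, payload))     # both rows: the WHERE clause was rewritten
    print(lookup_user_parameterized(conn, payload))  # []: the string matched no username
    print(lookup_user_safe(conn, payload))           # rejected before any query runs
    print(lookup_user_safe(conn, "alice"))
```

Parameterisation alone already defeats the injection; the allow-list adds defence in depth and rejects malformed input before the database is touched, which is also where a block list or length check would sit.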

Rate Limiting and Throttling

As the phrase suggests, rate limiting imposes a cap on the number of requests that can be made over a specific period. It is comparable to the limit on the number of login attempts allowed: a legitimate user should not need many attempts to sign in to an account or to complete a task, so a client that keeps issuing requests beyond that cap is unlikely to be legitimate.

Additionally, throttling can be used to slow down responses to requests. Rate limiting and throttling create a major obstacle for bots that automate attacks on APIs. They blunt brute force attacks, which can only succeed if nothing hinders an action from being repeated rapidly and indefinitely.

For example, allowing attackers to try different API keys and credentials again and again could eventually give them access to your full database. If cyber teams deliberately impose rate limits, the pace of such an attack drops sharply, making brute force attacks non-viable or impractical for perpetrators.
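
A minimal implementation of both controls, added here as an example rather than taken from the article: a per-client sliding-window rate limiter that returns a retry-after value for refused requests, and a throttle that makes each successive failed login wait longer. The limits (5 requests per 60 seconds, doubling back-off capped at 60 seconds) and the client address are assumptions chosen for the demonstration; the clock is injectable so the behaviour can be exercised without sleeping.

```python
import time
from collections import deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = float(window)
        self.clock = clock
        self._hits = {}  # client key -> deque of request timestamps

    def check(self, key):
        """Return (allowed, retry_after_seconds). A refused request is not
        counted, so a client cannot extend its own lockout by retrying."""
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop timestamps that have fallen out of the window
        if len(hits) >= self.limit:
            return False, self.window - (now - hits[0])
        hits.append(now)
        return True, 0.0

class BackoffThrottle:
    """Throttling: after each failed login the next attempt must wait longer
    (doubling, capped), which slows a guessing loop even below the hard limit."""

    def __init__(self, base=1.0, cap=60.0):
        self.base, self.cap = base, cap
        self._failures = {}  # client key -> consecutive failures

    def record_failure(self, key):
        self._failures[key] = self._failures.get(key, 0) + 1

    def record_success(self, key):
        self._failures.pop(key, None)

    def delay_for(self, key):
        n = self._failures.get(key, 0)
        return 0.0 if n == 0 else min(self.cap, self.base * 2 ** (n - 1))

class FakeClock:
    """Manual clock used by the demonstration so no real time passes."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds

def simulate_burst(attempts, limit=5, window=60.0, gap=0.1):
    """Fire `attempts` requests `gap` seconds apart from one constructed client
    and return (requests allowed, retry-after reported on the first refusal)."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit, window, clock)
    allowed, first_retry_after = 0, None
    for _ in range(attempts):
        ok, retry_after = limiter.check("203.0.113.5")  # constructed client address
        if ok:
            allowed += 1
        elif first_retry_after is None:
            first_retry_after = retry_after
        clock.advance(gap)
    return allowed, first_retry_after

if __name__ == "__main__":
    print(simulate_burst(100))  # a 100-request burst gets only 5 through
    throttle = BackoffThrottle()
    for _ in range(3):
        throttle.record_failure("203.0.113.5")
    print(throttle.delay_for("203.0.113.5"))  # third failure: wait 4 seconds
```

In a real service the limiter state would live in a shared store such as Redis rather than in process memory, and the retry-after value would be returned to the client in a `Retry-After` header alongside a 429 response.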

API Endpoint Security

API endpoint security entails protecting the specific paths at which API requests are processed. It is a crucial aspect of API security because it concerns the point of contact between applications and services, which can otherwise be targeted by injection attacks, flooding with data, and the exploitation of misconfigurations and insecure deserialisation.

As apps communicate with each other through APIs, sensitive data is usually exchanged at API endpoints. This data may even include login credentials, tokens, permissions, or metadata about the rest of the data in the apps, which makes API endpoints a natural target for threat actors. Failing to protect this data can have serious consequences for the integrity of apps and web services, and malicious activity at API endpoints can also disrupt API services.

It is advisable to implement continuous API endpoint security so that threat actors have no opportunity to launch attacks such as SQL injection, mass assignment, or the other threats listed in the OWASP API Top 10.
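
Mass assignment, named above, is the endpoint weakness where a handler copies every field of the request body onto the stored record, so a client can set fields it was never meant to control. The example below, added for this article and not taken from it, shows a vulnerable profile-update handler beside one that parses the body, rejects fields outside an allow-list, and type- and length-checks the rest. The stored user record, the three editable fields and the 256-character limit are assumptions made for the demonstration.

```python
import json

# Fields a user may change on their own profile (assumed policy for this example).
ALLOWED_PROFILE_FIELDS = {"display_name", "email", "bio"}
MAX_FIELD_LENGTH = 256

def update_profile_vulnerable(user, body):
    """Deliberately unsafe: every key in the request body is copied onto the
    stored record, including ones such as `role` the client must not set."""
    updated = dict(user)
    updated.update(json.loads(body))
    return updated

def update_profile_safe(user, body):
    """Parse the body, reject anything outside the allow-list, check types and
    lengths, and only then apply the change. Errors come back as generic,
    response-style dicts rather than raw exceptions."""
    try:
        payload = json.loads(body)
    except ValueError:
        return {"ok": False, "error": "malformed JSON"}
    if not isinstance(payload, dict):
        return {"ok": False, "error": "object expected"}
    unexpected = sorted(set(payload) - ALLOWED_PROFILE_FIELDS)
    if unexpected:
        # Reject rather than silently drop: a client sending `role` is worth logging.
        return {"ok": False, "error": "unexpected fields", "fields": unexpected}
    for name, value in payload.items():
        if not isinstance(value, str) or len(value) > MAX_FIELD_LENGTH:
            return {"ok": False, "error": "invalid value", "field": name}
    updated = dict(user)
    updated.update(payload)
    return {"ok": True, "user": updated}

# Constructed stored record (not real data).
STORED_USER = {
    "id": 42,
    "display_name": "Alice",
    "email": "alice@example.test",
    "bio": "",
    "role": "member",
}

if __name__ == "__main__":
    body = '{"display_name": "Alice A.", "role": "admin"}'
    print(update_profile_vulnerable(STORED_USER, body))  # role silently became admin
    print(update_profile_safe(STORED_USER, body))        # rejected: unexpected field
    print(update_profile_safe(STORED_USER, '{"display_name": "Alice A."}'))
```

The same allow-list approach applies to query parameters and to objects bound by ORM helpers; the rule is that the server, not the request, decides which fields an endpoint may write.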

Encryption

Encryption is often regarded as a cornerstone of API security. Data should be encrypted not only at rest but also in transit: databases, data in file systems, secrets and keys, and other stored data should all be encrypted, and data being transmitted should be protected through HTTPS, Transport Layer Security (TLS), and Secure Sockets Layer (SSL), bearing in mind that SSL is deprecated and current deployments should rely on TLS.

Organisations must make sure they are using the encryption algorithm appropriate to their specific requirements. In API security, encryption can be symmetric or asymmetric. The most commonly applied algorithms are Advanced Encryption Standard (AES), ChaCha20, Rivest-Shamir-Adleman (RSA), and Elliptic Curve Cryptography (ECC).

It is also advisable to use longer key lengths for maximum security. Additionally, there has to be an organised system for managing the digital certificates used for HTTPS.
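
The transport side of the above in configuration terms: an added example, not from the article, using Python's standard `ssl` module to build the client context an API consumer should use (certificate verification on, hostname checking on, nothing below TLS 1.2) next to the common "verification switched off" context, with a small audit function that flags the weak settings. Encryption at rest with AES or ChaCha20 needs a library such as `cryptography` and is not covered here. The finding strings are this example's own.

```python
import ssl

def build_client_context():
    """Context for calling an HTTPS API: verify the server certificate against
    the trust store, check the hostname, and refuse SSL and TLS 1.0/1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def build_weak_client_context():
    """The 'just make it work' configuration: certificate verification off.
    Included only so that the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx):
    """Return a list of findings for a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings

if __name__ == "__main__":
    print("strict:", audit_context(build_client_context()))
    print("weak:  ", audit_context(build_weak_client_context()))
    # The strict context is what you would pass to a client, for example
    # urllib.request.urlopen(url, context=build_client_context()).
```

Whether the weak context is also flagged for its minimum protocol version depends on the Python and OpenSSL build, since newer versions default to TLS 1.2; the strict context sets the floor explicitly so it does not depend on that default.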

Error Management

Error handling may sound trivial, but it is a crucial aspect of API security, because improper error handling can accidentally reveal sensitive data to the public. Whenever a software error is encountered, some details about it have to be surfaced to help diagnose and resolve the problem.

However, if the error message reveals too much, the sensitive data that is unnecessarily divulged can be used by threat actors to attack the application. For example, an error message may expose details of system configurations, internal error codes, or database schemas. This information helps attackers tweak or rethink their attack strategies to overcome defences.

It is advisable to stick with generic error messages that give troubleshooters just enough detail. Detailed error logs can be shown, provided that sensitive data is redacted accordingly.
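
The split recommended above, written out as an added example (not the article's code): the client receives a generic message and an incident id, while the exception text, stack trace and request context, with credential-like fields redacted, go to the server-side log. The leaky handler is shown for contrast. The `DatabaseError`, its message and the list of sensitive key names are constructed for the demonstration.

```python
import logging
import traceback
import uuid

# Key names whose values must never reach a log (assumed list for this example).
SENSITIVE_KEYS = {"password", "token", "authorization", "cookie", "api_key", "secret"}

def redact(context):
    """Mask values whose key names suggest credentials before they are logged."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in context.items()}

def error_response_leaky(exc):
    """What not to do: echo the exception text and stack trace to the client."""
    return {"status": 500, "body": {"error": str(exc), "trace": traceback.format_exc()}}

def handle_error(exc, request_context, logger=logging.getLogger("api")):
    """Return (client_response, log_record). The client sees only a generic
    message and an incident id; the log gets the full detail, redacted."""
    incident_id = uuid.uuid4().hex[:12]
    log_record = {
        "incident_id": incident_id,
        "exception": type(exc).__name__,
        "message": str(exc),
        "trace": traceback.format_exception(type(exc), exc, exc.__traceback__),
        "request": redact(request_context),
    }
    logger.error("incident %s: %s: %s", incident_id, log_record["exception"], log_record["message"])
    client_response = {
        "status": 500,
        "body": {"error": "internal server error", "incident_id": incident_id},
    }
    return client_response, log_record

class DatabaseError(Exception):
    """Constructed stand-in for a driver exception."""

def run_failing_query(request_context):
    """Simulate a handler whose database call fails with a schema-revealing
    message, and route the failure through handle_error."""
    try:
        raise DatabaseError('relation "users_pii" does not exist (SELECT ssn FROM users_pii)')
    except DatabaseError as exc:
        return handle_error(exc, request_context)

if __name__ == "__main__":
    # Constructed request context; the password is what redaction must hide.
    ctx = {"path": "/api/users/42", "client": "203.0.113.5", "password": "hunter2"}
    client_response, log_record = run_failing_query(ctx)
    print(client_response)
    print(log_record["message"], log_record["request"])
```

The incident id is the link between what the user reports and what the operator finds in the log, which is what lets the client-facing message stay generic without slowing down diagnosis.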

Logging and Monitoring

Comprehensive API activity logging and monitoring is an important part of API security. Logs help establish app usage patterns, which makes malicious activity easier to spot.

Preferably, logging and monitoring should be continuous and conducted in real time, so that potential threats can be responded to promptly and mitigation measures put in place readily.

It is not possible to keep every detailed log indefinitely, though, so it is important to adopt a suitable data retention and removal policy. For log analysis, it helps to aggregate data and to centralise analysis and correlation. It is also prudent to have a system that sends out alerts for critical incidents.
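
What the alerting described above looks like over actual log lines: an added example, not from the article, that parses a small set of constructed API access-log entries and runs two correlation rules per client within a sliding window, one for a burst of failed authentications (the brute force pattern from the rate limiting section) and one for a client reading many distinct user objects in quick succession. The log format, the two client addresses, the thresholds (5 failures or 4 distinct objects in 60 seconds) and the rule names are all assumptions made for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed access-log lines (not real traffic): timestamp client method path status
SAMPLE_LOG = """\
2024-08-19T10:00:01Z 203.0.113.5 POST /api/login 401
2024-08-19T10:00:02Z 203.0.113.5 POST /api/login 401
2024-08-19T10:00:03Z 198.51.100.7 GET /api/users/1001 200
2024-08-19T10:00:04Z 203.0.113.5 POST /api/login 401
2024-08-19T10:00:05Z 203.0.113.5 POST /api/login 401
2024-08-19T10:00:06Z 203.0.113.5 POST /api/login 401
2024-08-19T10:00:07Z 198.51.100.7 GET /api/users/1002 200
2024-08-19T10:00:08Z 198.51.100.7 GET /api/users/1003 200
2024-08-19T10:00:09Z 198.51.100.7 GET /api/users/1004 200
2024-08-19T10:00:10Z 198.51.100.7 GET /api/users/1005 200
2024-08-19T10:02:30Z 203.0.113.5 POST /api/login 200
"""

def parse_line(line):
    """Parse one log line in the constructed format into a dict."""
    ts, client, method, path, status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "client": client, "method": method, "path": path, "status": int(status)}

def _trim(events, now, window, stamp=lambda item: item):
    """Drop events older than `window` seconds from the front of a deque."""
    while events and (now - stamp(events[0])).total_seconds() > window:
        events.popleft()

def detect(lines, auth_fail_limit=5, enum_limit=4, window=60):
    """Run two rules over the lines and return one alert per (rule, client)
    the first time its threshold is crossed inside the sliding window."""
    fails = defaultdict(deque)   # client -> timestamps of 401 responses
    reads = defaultdict(deque)   # client -> (timestamp, path) of successful object reads
    alerts, fired = [], set()

    def fire(rule, entry, detail):
        if (rule, entry["client"]) not in fired:
            fired.add((rule, entry["client"]))
            alerts.append({"rule": rule, "client": entry["client"],
                           "at": entry["ts"].isoformat(), "detail": detail})

    for entry in (parse_line(line) for line in lines if line.strip()):
        now, client = entry["ts"], entry["client"]
        if entry["status"] == 401:
            q = fails[client]
            q.append(now)
            _trim(q, now, window)
            if len(q) >= auth_fail_limit:
                fire("AUTH_FAILURE_BURST", entry, f"{len(q)} failed authentications in {window}s")
        if entry["method"] == "GET" and entry["path"].startswith("/api/users/") and entry["status"] == 200:
            q = reads[client]
            q.append((now, entry["path"]))
            _trim(q, now, window, stamp=lambda item: item[0])
            distinct = {path for _, path in q}
            if len(distinct) >= enum_limit:
                fire("OBJECT_ENUMERATION", entry, f"{len(distinct)} distinct user objects read in {window}s")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

In production the same rules would run in the central log platform over aggregated entries from every API gateway and service, and the alert would carry the client, the window and the counts so the responder can pivot straight to the raw entries.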

Conclusion

Authentication and authorisation are key aspects of API security, but they are just two of the many important concerns organisations need to take into account in planning API security. It is equally important to ensure proper input validation, rate limiting and throttling, API endpoint security, encryption, and error management. Also, it is crucial to continuously monitor API activity and keep comprehensive, detailed logs to support prompt threat detection, investigation, and response. 