
API Security Measures To Implement Immediately

Application Programming Interfaces (APIs) form the bridges between applications, enabling programs to communicate with each other across disparate codebases and hardware. In the wrong hands, however, an API can be used to cause enormous damage.

Enterprises should implement the following strategies as soon as possible to harden their API security posture against an increasingly severe threat landscape.

Build for future users, not today’s users

APIs are often designed to meet the needs of a small group of developers working together when a project is first starting out. These developers know each other and might even share an office, so they may feel that they don't need an identity verification protocol to establish who is calling the API. Why would they? Soon, though, a particularly useful API emerges from the team and reaches a far wider user base than was originally anticipated. The appropriate security measures should be deployed before the vulnerabilities arise, not long after.

Limit users

Speaking of future users: plan for more users where possible, but grant each of them less access. Authorize access on a strictly need-to-know basis, because more users means a larger attack surface, especially when permissions are not clearly and thoroughly defined.

Restrict the data

The Equifax data breach raised so much concern because the company holds the private financial information of nearly 150 million Americans. Fortunately, not every company's business model requires collecting social security numbers, driver's licenses, addresses, and more. Tailor data collection strictly so that only the data you genuinely need is collected; data that is never collected cannot be breached.

Encrypt data

Make sure the communication path uses an appropriate encryption protocol, such as TLS (or its older predecessor SSL). Likewise, data at rest should be encrypted. This seems obvious, yet breaches routinely occur because accounts and passwords were stored in plain text. As this shows, encryption alone is not enough; it must also be used correctly. Certain protocols, such as TLS, allow certificate verification to be disabled on the server or client, which opens the door to traffic being intercepted. Businesses need to ensure that their APIs follow the latest security best practices to keep communications safe and secure.

Set pagination limits

Without proper API pagination, a server query may return one result or an enormous number of results. The latter case quickly exhausts system resources and can bring the application to a halt. Worse, it doesn't take a malicious actor to cause harm: innocent users may build queries too loosely and receive surprisingly large responses. Fortunately, pagination is easy to implement. In its simplest form, offset pagination, the user is given a window of a predefined number of records that can be retrieved at a time. Other forms include keyset and seek pagination, each of which has advantages and disadvantages.

Use prepared statements in SQL queries

SQL injection is a very common attack that enables cyber attackers to impersonate other users, compromise databases, or steal data. As the name suggests, attackers sneak SQL code into database queries, usually by exploiting quote and escape characters that a properly configured server should have neutralized. Prepared statements remove an attacker's ability to inject SQL by using placeholders that can only hold values, never fragments of SQL. Another way to prevent SQL injection is to ensure that input data is what you expect: for example, phone numbers should be accepted as integers, not strings; names should contain letters, but not numbers.
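The contrast described above, as an added example that is not part of the original article: a string-spliced lookup beside its prepared-statement form, plus the input checks the paragraph recommends, run against a constructed in-memory SQLite table (the table, names and phone numbers are invented sample data).

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [("alice", 5551000), ("bob", 5552000), ("carol", 5553000)]

# Input rules from the text: names are letters (apostrophe/hyphen allowed for
# real names), phone numbers are digits only.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")
PHONE_RE = re.compile(r"[0-9]{4,15}")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone INTEGER)")
    conn.executemany("INSERT INTO users (name, phone) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    # Vulnerable: the caller's string is spliced into the SQL text, so a quote
    # in the input changes the structure of the query instead of being data.
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY id" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    # Hardened: the ? placeholder carries a value only. Quotes inside the
    # input stay inside the value and never become SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def valid_name(raw):
    return NAME_RE.fullmatch(raw) is not None


def valid_phone(raw):
    return PHONE_RE.fullmatch(raw) is not None


def lookup_by_phone(conn, raw_phone):
    # Validate the shape first, then bind the integer; returns None on rejection.
    if not valid_phone(raw_phone):
        return None
    rows = conn.execute("SELECT name FROM users WHERE phone = ?", (int(raw_phone),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row leaks
    print("prepared:  ", lookup_prepared(db, probe))    # no match at all
```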

Strengthen end-user and application authentication

For users accessing the application, implement a routine password reset policy in line with the latest security best practices. For the application itself that talks to the API, issue unique credentials for each version of the application, which makes it easier to identify and retire outdated versions.

Implement rate limiting

A brute force attack occurs when a cyber attacker sends a large number of login attempts to a server in the hope that one of them will match by pure chance. Basic rate limiting defeats these attacks by capping the number of requests accepted within a given time window. Can a person type a password hundreds of times in a minute? Probably not. So why should the API accept that many?

Security is the art of managing risk, not eliminating it. No fortress is impenetrable, but cyber attackers tend to follow the path of least resistance and target victims with poor security standards. Businesses therefore need to improve their API security so that they do not become those targets.

About Author
editorialteam