API Security 101: the basics
As promised, over the next little while we will share our learnings and thoughts on API security. This first blog post covers the essentials; more detailed and specific elaborations, such as contemporary weaknesses, will follow later as they arise or otherwise become relevant.
What are the basics?
API security is a crucial part of protecting the data and systems of an organisation. An API, or "Application Programming Interface", is a set of protocols and standards that allow different software systems to communicate and exchange data with each other.
API security means protecting APIs, and the data they carry, against unauthorised access, misuse and attack. Two key controls are authentication, which verifies the identity of the user or system making a request, and authorisation, which checks that the authenticated caller is actually permitted to access particular data or perform particular actions; the two are distinct, and an API needs both. Encryption and secure transport (TLS) protect data in transit through the API from being intercepted or modified by unauthorised parties.
Why is this so important?
API security is important because APIs play a vital role in the functioning of modern organisations. They enable data exchange and integration between various systems, and enable businesses to offer various services and products. If security is not up to standard, it can lead to serious consequences such as data breaches, loss of sensitive information, and damage to an organisation's reputation.
Good practice framework when starting out: OWASP
As with anything you need to delve into, it is helpful to have a trusted and proven framework for guidance.
In 2004, a not-for-profit organisation, OWASP, was founded to work on a common approach to attacks on web applications. With the internet taking shape as a key resource in modern life, many older web applications had not been coded securely. OWASP tasked itself with guiding, and providing insight into, secure coding practices going forward.
Famously, OWASP regularly puts out a Top 10 of web-application security risks. It has also issued a Top 10 for API security risks, here.
This top 10 is our most important guide to securing our own API. If 10 sounds like a lot to you, we would definitely recommend starting with:
- API2:2019 Broken User Authentication, about incorrectly implemented authentication mechanisms
- API3:2019 Excessive Data Exposure, about sharing too much information; and
- API9:2019 Improper Assets Management, about not keeping an inventory and documentation of APIs (versions, hosts, environments), so that old or forgotten endpoints stay exposed
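To make the authentication, authorisation and data-exposure points above concrete, here is an added example (not code from the original post) of a single API handler that applies all three in order: it verifies an HMAC-signed bearer token with a constant-time comparison (API2:2019), checks that the caller owns the requested object, and serialises only an allow-list of fields (API3:2019). The signing key, the account records and the field names are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Hypothetical server-side signing key; in production this comes from a secrets store.
SECRET_KEY = b"example-signing-key-do-not-use-in-production"

# Constructed sample records. The IBAN and risk score are sensitive fields that
# must never reach a caller, even the owner, through this endpoint.
ACCOUNTS = {
    "acc-1": {"id": "acc-1", "owner": "alice", "balance": 120.50,
              "iban": "NL00EXMP0000000001", "internal_risk_score": 0.82},
    "acc-2": {"id": "acc-2", "owner": "bob", "balance": 9.99,
              "iban": "NL00EXMP0000000002", "internal_risk_score": 0.10},
}

# Allow-list of fields that are serialised; anything else is dropped (API3:2019).
PUBLIC_FIELDS = ("id", "owner", "balance")


def issue_token(user, ttl_seconds=3600, now=None):
    """Mint a minimal bearer token: hex(payload) + '.' + HMAC-SHA256(payload)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def authenticate(token, now=None):
    """Return the subject if the token is well-formed, correctly signed and unexpired,
    otherwise None. The tag is compared in constant time so an attacker cannot
    recover it byte by byte from timing differences (API2:2019)."""
    now = int(time.time()) if now is None else now
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def get_account(token, account_id, now=None):
    """Handle GET /accounts/{id}. Returns (http_status, body)."""
    user = authenticate(token, now)
    if user is None:
        return 401, {"error": "unauthenticated"}
    account = ACCOUNTS.get(account_id)
    # Object-level authorisation: only the owner may read the record. Both
    # "does not exist" and "not yours" answer 404 so IDs cannot be enumerated.
    if account is None or account["owner"] != user:
        return 404, {"error": "not found"}
    return 200, {field: account[field] for field in PUBLIC_FIELDS}


if __name__ == "__main__":
    token = issue_token("alice")
    print(get_account(token, "acc-1"))        # alice's own account, public fields only
    print(get_account(token, "acc-2"))        # bob's account: 404
    print(get_account(token + "x", "acc-1"))  # tampered tag: 401
```

The order matters: authentication runs before any data is looked up, authorisation is checked per object rather than per endpoint, and the response is built from an allow-list rather than by deleting known-sensitive keys from the full record, so a newly added sensitive field is safe by default.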
Current challenges of API security
One of the current challenges is the sheer number of APIs in use in modern organisations. With the proliferation of cloud-based and microservice architectures, organisations rely more and more on APIs to integrate systems and exchange data between them. Every additional API is another potential entry point for attackers.
Another challenge is the lack of standardisation in API security practices. While there are established standards and guidance, such as the OpenAPI Specification for describing APIs and the OWASP guidance mentioned above, organisations still secure their APIs in different ways, which makes it harder to assure the security of the system as a whole, as well as the chain of data that third parties rely on.
A recent example of what can happen when an organisation does not know which APIs are exposed on its behalf is Optus. It appears that one of the enablers of the recent data breach was an API that the organisation likely was not aware of. And what you don't know about, you can't secure.
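Improper Assets Management (API9:2019) and the Optus observation above come down to one question: does the list of endpoints the organisation thinks it exposes match what is actually being served? The following is an added example, not code from the original post, that reconciles a constructed OpenAPI document against a constructed dump of the routes registered in a running service, and flags endpoints that are live but undocumented, documented but not served, and live under an API version older than the newest documented one. Both inputs are made up for illustration; in practice the route list would come from the framework's router or an API gateway export.

```python
import json
import re

# Constructed sample OpenAPI document: the endpoints the team believes it exposes.
OPENAPI_DOC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Example customer API", "version": "2.1.0"},
  "paths": {
    "/v2/customers/{id}": {"get": {"summary": "Read a customer"},
                            "put": {"summary": "Update a customer"}},
    "/v2/customers/{id}/orders": {"get": {"summary": "List orders"}}
  }
}
""")

# Constructed sample of what the running service actually routes, as a
# (method, path template) list, e.g. dumped from the framework's router.
LIVE_ROUTES = [
    ("GET", "/v2/customers/{id}"),
    ("PUT", "/v2/customers/{id}"),
    ("GET", "/v2/customers/{id}/orders"),
    ("GET", "/v1/customers/{id}"),            # previous version, never retired
    ("GET", "/internal/customers/export"),    # debug endpoint left in the build
]

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def documented_operations(doc):
    """Set of (METHOD, path) pairs declared under 'paths' in an OpenAPI document."""
    ops = set()
    for path, item in doc.get("paths", {}).items():
        for key in item:
            if key.lower() in HTTP_METHODS:  # skip 'parameters', 'summary', etc.
                ops.add((key.upper(), path))
    return ops


def live_operations(routes):
    """Normalise the router dump to the same (METHOD, path) shape."""
    return {(method.upper(), path) for method, path in routes}


def reconcile(doc, routes):
    """Compare documented and live operations in both directions."""
    documented = documented_operations(doc)
    live = live_operations(routes)
    return {
        "undocumented": sorted(live - documented),  # exposed but unknown to the spec
        "phantom": sorted(documented - live),       # in the spec but not served
    }


def _version(path):
    """Return the integer N from a '/vN/...' path template, or None."""
    match = re.match(r"/v(\d+)/", path)
    return int(match.group(1)) if match else None


def stale_versions(doc, routes):
    """Live paths served under an API version older than the newest documented one."""
    documented_versions = [_version(path) for _, path in documented_operations(doc)]
    documented_versions = [v for v in documented_versions if v is not None]
    if not documented_versions:
        return []
    newest = max(documented_versions)
    stale = set()
    for _, path in live_operations(routes):
        version = _version(path)
        if version is not None and version < newest:
            stale.add(path)
    return sorted(stale)


if __name__ == "__main__":
    print(reconcile(OPENAPI_DOC, LIVE_ROUTES))
    print(stale_versions(OPENAPI_DOC, LIVE_ROUTES))
```

Run as part of the build or deployment pipeline, a non-empty "undocumented" or "stale" list is the signal that an endpoint exists which nobody has threat-modelled, documented or put behind the same authentication and rate-limiting controls as the rest.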
In the future, we can expect to see more advanced and sophisticated API security solutions being developed to address the current challenges. These may include the use of machine learning and artificial intelligence to detect and prevent attacks, as well as the adoption of industry-wide standards and frameworks for API security. There may also be an increase in the use of decentralised and blockchain-based technologies to enhance the security and reliability of APIs.
Some of these future expectations are easier to fulfil than others. Should the relevant industry communities, fora and regulators be willing, and have critical mass behind them, there are good standards readily available to adopt; this could address the lack of standardisation. Technological advancements in machine learning, artificial intelligence and blockchain notwithstanding, concrete and mature API security technology that leverages these does not exist yet, as far as we know. The recent commotion around ChatGPT has shown us, though, that these technologies are developing at high speed, which means that hopefully they will soon be able to assist us all in the arms race around API security.
What do we think about API security?
Overall, we feel that API security is a crucial aspect that needs to be taken seriously by organisations in order to protect their systems and data from potential attacks and breaches. With the increasing reliance on APIs in modern business, it is more important than ever to ensure that they are properly secured and protected.
We try to lead by example, by using tools to check that our own API is not exposing common weaknesses. We have also checked ourselves against the OWASP Top 10, to ensure we are not leaving any obvious area of API security out. Of course, in a more generic sense, we have our ISO 27001 certification as well.
Even though we only pass on information and never store it (except for ‘in memory’ when required), we are mindful we could be subject to a 'man-in-the-middle attack' and our API could be seen as an entry and data exfiltration point. Therefore, we try to be more secure than most other integrators out there, thereby making it more difficult to intercept information from us than from others.
As with the old adage around securing your house by putting more locks on the door than your neighbour to deter burglars, so far, this approach has been pretty effective for us.
What are your main questions regarding API security? Please let us know here and let’s discuss!