Secure your APIs — don’t give hackers a chance!

Introduction

The use of APIs is now ubiquitous, and the “API economy” is well and truly established. From cloud-based services, back-end services for mobile apps, internal server-to-server services, microservices and even AJAX-based web front-ends, APIs connect and rule.

As a result, and especially with the online exposure of online banking and other financial services, APIs are increasingly becoming targets for cybercriminals.

This article focuses on APIs exposed to external clients over HTTP using REST-type protocols. (It is assumed that HTTPS is the actual protocol used for all exposed REST APIs.)

API scope considerations

Before delving into the details, you should examine the scope of your API use, as this will influence the security requirements. 

Scope considerations include:

  1. Is your API designed for access by a specific client type (e.g., mobile app) or for more general use from a variety of client types?
  2. Is personal or sensitive data to be exposed? This requires, at a minimum, strong authentication and authorization mechanisms
  3. Do you want your API accessible from client-side JavaScript? (In which case, you must look at enabling and securing Cross-Origin Resource Sharing)
  4. Are the APIs accessible only by internal systems? You must assume that even here, the same authentication principles apply as for externally exposed services
  5. For high security, consider splitting your API between an exposed front-end service and non-exposed servers, with the real API functionality on the non-exposed servers. Use encrypted secure communication between the two parts

API security considerations and tips

As an API provider, you should consider at minimum the following areas in API security:

  1. Authentication
  2. Authorization
  3. Audit
  4. Responses
  5. Whitelisting
  6. Rate limiting

1. Authentication

This is identification of the API caller. In some cases, authentication is not required; for example, this applies to some public information services, such as weather reports. However, authentication (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Susan Morrow. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/2z4R_e9aYG0/