API security: A refresher
Application programming interfaces (APIs) are the pillars of today’s software creation. They facilitate smooth connections between various software platforms, ensuring data is exchanged and relayed effectively. However, with this increased connectivity comes a heightened risk of cyber threats.
A single vulnerability in an API can reveal confidential information, interrupt services, or even result in monetary setbacks. If you’re going to maintain your users' trust and the integrity of your systems, API security is critical.
However, API security isn’t a one-time task—it’s part of a continuous process that spans your entire software development lifecycle (SDLC). Your security measures must be integrated at every stage, from the initial design phase to deployment and maintenance.
Acting proactively on API security makes sure that any vulnerabilities can be detected and addressed right away, reducing the risk of exploitation. Let’s see how to make that possible.
API architecture components
Understanding the key components of API architecture is essential for implementing robust security measures:
Endpoints are specific paths or URLs where API services can be accessed. Every endpoint is linked to a unique resource or function.
Methods define the type of action that can be performed on an endpoint, such as GET , POST, PUT, and DELETE, which respectively retrieve, submit, update, and expunge data.
Data structures refer to the format and organization of data the API sends or receives, often in JSON or XML format.
Challenges in API security
Despite the best efforts, several challenges can hinder effective API security:
Rapid development cycles can put security considerations in the backseat when racing to deliver features quickly.
Legacy systems not designed with modern security standards in mind can introduce vulnerabilities when integrated with APIs.
Cyber threats are evolving. As security measures evolve, so do the tactics of malicious actors. Staying ahead requires constant vigilance and adaptation.
As APIs continue to play a pivotal role in modern software development, understanding their architecture, and being aware of the challenges are crucial first steps in ensuring their security. In the next part of this post we’ll delve deeper into best practices and advanced insights to fortify your API security strategy.
Why API attacks are the #1 worry for cloud security practitioners
Wiz and Procter & Gamble experts share their security insights and tips
Read more
API security best practices and recommendations
1. Continual API discovery
APIs can easily get lost in the shuffle in the vast software development landscape. Continuously discovering and cataloging APIs ensures you're aware of all active interfaces, reducing the risk of overlooked vulnerabilities. Regular audits can help identify and document all active APIs, to make sure they all adhere to security standards. One way to do this is using a tool such as API Fortress, which can automate the discovery process.
# Example code for API discovery
import requests
response = requests.get('https://api.yourapp.com/discover')
if response.status_code == 200:
print("API is active and discoverable.")2. Avoid shadow APIs
Shadow APIs refer to APIs that are deployed without proper authorization or that have been forgotten over time. Don’t underestimate the significant security risks these APIs pose to your system—they likely aren’t undergoing regular security checks. For example, an API endpoint /old_endpoint that was used for a beta feature but never removed can be a security risk.
It's essential to have a system to detect and manage such unauthorized or forgotten APIs. From there you can either bring them into compliance or decommission them.
3. Encrypt traffic in every direction
Data should be encrypted not only when it's traveling from the user to the API but also vice versa. This two-way encryption ensures data integrity and confidentiality. For instance, using HTTPS with a valid SSL certificate ensures encrypted communication.
In addition, to ensure secure data transmission, always use up-to-date versions of the Transport Layer Security (TLS) protocol. Current versions offer the latest security features and are less vulnerable to attacks.
// Example code to enforce HTTPS
if (window.location.protocol !== "https:") {
window.location.protocol = "https:";
}4. Authenticate and authorize everything
It's generally a good practice to authenticate all API requests to ensure they come from trusted sources. For example, using JWT (JSON Web Tokens) can provide a robust method for verifying user identity.
// Example JWT validation
const jwt = require('jsonwebtoken');
const token = JWT_TOKEN";
const secret = SECRET_KEY";
try {
const decoded = jwt.verify(token, secret);
console.log(decoded);
} catch(err) {
console.log("Invalid token.");
}OAuth (Open Authorization) and OIDC (OpenID Connect) are other tools that can come in handy. These are practical protocols that can provide secure access control. They allow users to grant third-party applications limited access to their resources without exposing their credentials.
5. Follow the principle of least privilege
Every user or system interacting with the API should only be granted the minimum necessary access rights for their given roles. For instance, using role-based access control (RBAC) can help you define and enforce these privileges. Following this least-privilege principle ensures that even if a malicious actor gains access, the potential damage they can inflict is limited.
# Example RBAC check
def has_permission(user, action):
roles = user.get_roles()
for role in roles:
if action in role.permissions:
return True
return False6. Be diligent about API documentation
Outdated API documentation can lead to misuse or unintended vulnerabilities. If you make any changes to an API, you need to reflect those changes in your documentation. Every endpoint, including those meant for internal use, should be documented. This ensures developers are aware of the correct usage and potential risks.
To make that easier, tools such as Redoc can provide interactive API documentation. Tools such as Swagger can auto-generate documentation, ensuring consistency and comprehensiveness.
7. Validate your data
Malicious actors often use injection attacks to introduce harmful data via APIs. Implementing strict validation can prevent such attacks. Using libraries like express-validator in Node.js can help in input validation.
// Example input validation
const { check, validationResult } = require('express-validator');
app.post('/user', [
check('username').isAlphanumeric(),
check('password').isLength({ min: 5 })
], (req, res) => {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() });
}
// Continue processing
});Ensure that the data structure and size adhere to predefined schemas. This can prevent buffer overflow attacks and other potential vulnerabilities.
8. Limit Data exposure
Limit the data returned by the API to only what's necessary for the function. Excessive data exposure can lead to unintended breaches. Data such as passwords, credit card numbers, and personal identification information should always be encrypted, both at rest and in transit.
Using ORM (Object-Relational Mapping) tools can help filter out sensitive data.
9. Better API management
Distributed Denial of Service (DDoS) attacks can overwhelm an API, causing service disruptions. Implementing measures such as rate limiting and using content delivery networks (CDNs) can mitigate such threats. In addition, API gateways act as a protective layer, controlling and monitoring access to the API. They can help in rate limiting, caching, and other essential functions. Cloudflare is another resource that can help mitigate DDoS attacks.
10. Test your APIs regularly
Regular vulnerability assessments can identify weak points that have the potential for attackers to exploit. These tests should ensure that there are no configuration errors that might expose the system to threats, both in the API and supporting workloads.
Nuclei is an open-source vulnerability scanner that can be used to test APIs against known vulnerabilities and misconfigurations. It is a fast and customizable tool that uses YAML templates to describe how to detect specific security vulnerabilities. Nuclei can be used to test APIs for a variety of vulnerabilities, including:
Broken authentication and session management: Nuclei can test for vulnerabilities such as weak passwords, insecure session tokens, and missing authentication checks.
Cross-site scripting (XSS): Nuclei can test for XSS vulnerabilities in web APIs.
Injection vulnerabilities: Nuclei can test for SQL injection, command injection, and other injection vulnerabilities in web APIs.
Insecure direct object references (IDOR): Nuclei can test for IDOR vulnerabilities in web APIs, which allow attackers to access resources that they are not authorized to access.
Missing function level access control (MFA): Nuclei can test for MFA vulnerabilities in web APIs, which allow attackers to execute unauthorized functions.
11. Diligent API key management
API keys are like passwords for APIs. It's crucial to safeguard them diligently. Rotate your API keys regularly to prevent unauthorized access, and consider using short-lived tokens for added security.
You can also use environment variables or secret management tools can help securely store your API keys:
# Example of using environment variables for API keys
import os
API_KEY = os.environ.get('API_KEY')It takes a multifaceted approach and continual effort, but following these best practices you can secure your APIs and strengthen your organization's overall security posture.
Automatically discover and secure your APIs with Wiz Dynamic Scanner
Wiz enhances its Dynamic Scanner to detect publicly exposed, unauthenticated APIs
Read more
Taking API security beyond the basics
API security is a dynamic field, with the threat landscape constantly evolving. The best practices outlined in the previous section form the bedrock of a robust API security strategy, but it's essential to stay ahead of the curve by delving deeper and adopting advanced measures.
While the foundational best practices are crucial, going beyond the basics sets apart a good API security strategy from a great one. Wiz can help you do that with continuous monitoring that works across all your cloud resources, so you can pinpoint vulnerable areas, such as APIs, that can pose a threat to your deployments.
Find out more by signing up for a Wiz demo and get hands-on experience with transforming your API security approach.
Learn how with Wiz, customers can now simply answer the question of where do I have exposed APIs in my environment with all the context associated with the execution environment.
Other security best practices you might be interested in:
