As companies navigate the changing landscape of APIs and microservices, it is important to remember that some constants in the software industry never change. The need for good security practices is one of those constants that should be built into every company’s strategy for building and maintaining a modern application. So how can you ensure that your program is taking the steps needed to protect your customers data? In this article we’ll go over the three most important steps in increasing your API security.
Step 1: Understand the Difference Between Traditional and API-Based Apps
The days of tightly coupled client server architectures has given way to the age of APIs and cloud services. So how does this affect security? The information being transferred from web servers to clients (web browsers), has changed. In traditional architectures, web clients sent http requests to receive HTML page responses. As the web progressed, html responses were augmented by XMLHttpRequests (XHR) requests returning json, XML, plain text, or html fragments. As business logic, template rendering, and router logic moved off of web servers and onto client applications, we saw the simultaneous adoption of API first strategies centered around pragmatic RESTful methodologies.
As the need for scalable systems rose, APIs were designed to be reusable across different consumers and types of consumers. Hence the modern day loosely coupled architectures involving many API consumer apps consuming many different API backends. API requests and responses now form the backbone of most modern architectures, comprising the vehicle by which most information flows in modern day systems. Identifying the flow of information in the form of API requests represents a good first step in understanding where to focus security efforts. The next step is to develop a strategy to identify vulnerabilities in these requests.
Step 2: Educate Your Team
Whether it's partnering with experts in the field to guide your program or building governance from the ground up, it’s important to incorporate industry standards into every aspect of your strategy. Stay up to date with current best practices, or find partners to bring that expertise to your program. Organizations such as the Open Web Application Security Project (OWASP) exist to provide guidance concerning modern day best practices. For example the OWASP’s recently released top 10 API security vulnerabilities represent a good starting point for evaluating your current security practices. The list is as follows:
A1: Broken Object Level Authorization
A2: Broken Authentication
A3: Excessive Data Exposure
A4: Lack of Resources & Rate Limiting
A5: Broken Function Level Authorization
A6: Mass Assignment
A7: Security Misconfiguration
A9: Improper Assets Management
A10: Insufficient Logging & Monitoring
Whether it’s designing your API system, implementing an API gateway, or setting up a developer portal, it’s important to maintain awareness of the most likely avenues of attack. How many of these vulnerabilities does your system protect against?
Step 3: Recognize the Impact of Good Security Practices
Knowing what data to protect and how to protect it, is only part of the process. Without recognizing the impact that good security has, development programs run the risk of sidelining security to meet demands brought on by limited time and resources. Find ways to quantify potential impacts that security vulnerabilities might have on your system. In addition, look to foster a culture that stays up to date with recent breaches. Staying up to date with specific examples of breaches helps to contextualize existing security policies, emphasizing their importance.
As an example, take the 2019 account takeover vulnerability that was found in Uber’s API. This vulnerability is a direct example of point three on the OWASP’s top 10 list. Excessive data exposure in the form of a user’s uuid was found to be returned in the error response for a certain API request. Using a test account, it was found that the uuid could then be exploited to track a user’s location and use their account to request rides. How might this vulnerability have been mitigated? Defining schemas for all API responses, identifying all sensitive information and justifying its use, and enforcing response checks are all examples of applicable mitigation techniques. The impact in falling victim to even a single vulnerability identified in the OWASP list above is plain to see.
Whether just starting out, or far along in your API development journey, understanding the impact of good security practices and partnering with security conscious professionals like those at Achieve Internet, will help ensure your API platform has the security it needs.