API security is an overarching term referring to practices and products that prevent malicious attacks on, or misuse of, application programming interfaces (APIs). Because APIs have become key to programming web-based interactions, they have become a target for hackers. As a result, basic authentication, requiring only a user name and password, has been replaced with various forms of security tokens, such as those used by multifactor authentication (MFA).
Importance of API security
Cyberattacks are on the rise, particularly through the use of compromised identities and APIs. Some attacks that could be inflicted on APIs include: man-in-the-middle attacks, parameter attacks and identity attacks.
As a result, many of the largest web service providers are requiring partners to increase security measures, including the use of MFA, a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. Such service providers include Amazon and Microsoft, which in August 2019 began requiring its cloud solution provider program partners, control panel vendors, and advisor partners to enforce MFA for each user, including service accounts.
Implementing API security is important because it can prevent attacks, such as cross-site scripting (XSS) and SQL injections, as well as shield sensitive data from breaches. Overall, API security is vital to the successful and secure performance of APIs and the programs they support.
How does API security work?
API security relies heavily on authentication and authorization. Authentication is the first step: it verifies that the client application is who it claims to be and is allowed to use the API. Authorization is the subsequent step: it determines which data and actions an authenticated application can access while interacting with the API.
In addition to properly implementing a secure authentication and authorization system, APIs should be developed with other protective features to reduce the system's vulnerability to malicious attacks during API calls.
The API developer is responsible for ensuring the API validates all input received from users during calls. Using prepared statements with bind variables is one of the most effective ways to shield the API from SQL injection, and the language used to write the API frequently provides built-in support for this.
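The following is an added example, not code from the original article: it places the string-built query beside a prepared statement with a bind variable, and adds allowlist validation at the API boundary. It assumes Python's built-in sqlite3 module with a constructed in-memory user table standing in for the API's real database.

```python
import re
import sqlite3

# Constructed in-memory user store standing in for the API's database (sample data).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
conn.executemany(
    "INSERT INTO users (username, email) VALUES (?, ?)",
    [("alice", "alice@example.test"), ("bob", "bob@example.test")],
)
conn.commit()

# Allowlist for the username field: lowercase letters, digits and underscore only.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username: str) -> bool:
    # Input validation at the API boundary: reject anything outside the allowlist.
    return USERNAME_RE.match(username) is not None


def lookup_user_unsafe(username: str) -> list:
    # Vulnerable form: caller-controlled text is spliced into the SQL string, so the
    # database cannot distinguish query structure from data.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(username: str) -> list:
    # Hardened form: a prepared statement with a bind variable. The value travels
    # separately from the statement text and is always treated as a literal.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def api_get_user(username: str) -> dict:
    # What the API endpoint would do: validate first, then query with bind variables.
    if not validate_username(username):
        return {"status": 400, "error": "invalid username"}
    rows = lookup_user_safe(username)
    if not rows:
        return {"status": 404, "error": "not found"}
    return {"status": 200, "username": rows[0][0], "email": rows[0][1]}


if __name__ == "__main__":
    # Constructed input containing a quote character, enough to change the meaning
    # of the unsafe query; the safe query simply finds no user with that name.
    crafted = "nobody' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(crafted))  # every row
    print("safe:  ", lookup_user_safe(crafted))    # no rows
    print("api:   ", api_get_user(crafted))        # 400, rejected before any query
```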
Throttling is also an effective API security practice because it lets the provider manage and limit a client's access to data. With throttling in place, irregularities in a client's use of the API can be measured, and an extra layer of protection is created between the client and sensitive data.
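An added example of the throttling described above (not code from the original article): a per-client sliding-window limiter that both enforces a call limit and records how often each client was throttled, so irregular usage can be measured. Timestamps and the request log are constructed and passed in explicitly, and the client identifiers are placeholders.

```python
from collections import deque


class Throttle:
    """Per-client sliding-window limiter: at most `limit` calls within any `window` seconds.

    Timestamps are passed in explicitly so the behaviour is deterministic and testable.
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._calls: dict[str, deque] = {}
        self.rejected: dict[str, int] = {}  # throttled calls per client, for monitoring

    def allow(self, client_id: str, now: float) -> bool:
        # Returns True if the call may proceed; False if the client is over its limit.
        q = self._calls.setdefault(client_id, deque())
        while q and now - q[0] >= self.window:  # discard calls that left the window
            q.popleft()
        if len(q) >= self.limit:
            self.rejected[client_id] = self.rejected.get(client_id, 0) + 1
            return False
        q.append(now)
        return True

    def irregular_clients(self, min_rejections: int) -> list:
        # Clients throttled at least `min_rejections` times: candidates for review.
        return sorted(c for c, n in self.rejected.items() if n >= min_rejections)


def replay(throttle: Throttle, requests: list) -> dict:
    # Feed (timestamp, client_id) pairs through the limiter; return served counts per client.
    served: dict = {}
    for ts, client in requests:
        if throttle.allow(client, ts):
            served[client] = served.get(client, 0) + 1
    return served


if __name__ == "__main__":
    # Constructed request log: "key-a" bursts past the limit, "key-b" stays within it.
    log = [(0.0, "key-a"), (0.2, "key-a"), (0.4, "key-a"), (0.6, "key-a"),
           (0.8, "key-a"), (1.0, "key-b"), (2.0, "key-b"), (11.0, "key-a")]
    t = Throttle(limit=3, window=10.0)
    print(replay(t, log))          # {'key-a': 4, 'key-b': 2}
    print(t.irregular_clients(2))  # ['key-a']
```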
API security types and tools
API managers: API managers oversee APIs in a secure, scalable environment. The goal of API management is to allow organizations that either publish or utilize an API to monitor the interface's lifecycle and ensure the needs of developers and applications using the API are being met.
Open Authorization (OAuth): OAuth is an open standard for token-based authentication and authorization on the Internet. OAuth allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password. OAuth acts as an intermediary on behalf of the end user, providing the service with an access token that authorizes specific account information to be shared. The process for obtaining the token is called a flow.
MFA: As noted above, MFA is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.
Transport Layer Security (TLS): TLS is a protocol that provides authentication, privacy and data integrity between two communicating applications. It is the most widely deployed security protocol in use today and serves web browsers and other applications that need to exchange data securely over a network, such as web browsing sessions, file transfers, VPN connections, remote desktop sessions and voice over IP (VoIP).
Security Assertion Markup Language (SAML): SAML is an open standard for sharing security information about identity, authentication and authorization across different systems. SAML is implemented with the Extensible Markup Language (XML) standard for sharing data, and SAML provides a framework for implementing single sign-on (SSO) and other federated identity systems.
Challenges of API security
Challenges faced with API security include:
- Different from web applications (web apps) - Since APIs operate and react in completely different ways than web apps, their security landscapes and infrastructures must be thought of in ways unique to their behavior.
- Additional challenges with service APIs - Some cloud-based software as a service (SaaS) is only available through APIs; these are service APIs. Service APIs create security challenges because they deal with data in high volumes and vary in security and authentication models.
- Unique applications - All applications are different, but in order to secure an API, the design must be understood. Understanding the design involves reading and sorting through layers and variations of code that change based on technology and human differences.
- APIs can help attackers hide - APIs introduce new file formats, protocols and structures in their operation. These new and varied pieces make it easier for hackers to obscure well-known attacks, such as XSS or SQL injection.
- Internal APIs require protection - APIs can also be used internally, or within the same system. This different use of APIs requires new security considerations and a possible overhaul of existing security infrastructure.
- Clogged pipelines - Developers and DevOps teams are responsible for providing security teams with information on what specific API endpoints do and how they operate; however, this information is frequently lost in cross-functional communication, making it impossible for security teams to fully understand the API they are working with.
- Accidental backend visibility - If not properly monitored and secured, APIs can mistakenly provide attackers with access to the backend functions of applications.
REST API security vs. SOAP API security
There are two main types of APIs: SOAP APIs and REST APIs, also called RESTful APIs.
REST APIs are more modern, while SOAP APIs have been around longer and are widely implemented. Both types exchange data through HTTP requests and responses; however, the formats and syntax they use to do so differ substantially. Both also support Secure Sockets Layer (SSL) for protecting data in transit, but their additional features differ. Security in SOAP versus REST APIs therefore depends on the format and semantics each one uses.
Since SOAP APIs have been around longer than REST APIs, extensions have been added to SOAP that deal specifically with transactional messaging for certain security considerations. The use of SOAP in large enterprises allows the API to benefit from W3C and OASIS recommendations, specifically XML Encryption, XML Signature and SAML tokens.
SOAP also offers superior support for Web Services specifications. The WS-ReliableMessaging specification provides SOAP with built-in communication error handling and the WS-Security specification enables enterprise-level security protection.
On the other hand, REST APIs do not include any specific security patterns or features. This is mostly because the architecture focuses on how to deliver and consume data rather than on how to build security into the communication process. It should not be assumed that security measures come out of the box. Developers using REST architecture patterns must therefore pay close attention to implementing security in their code, deployment and transmission.
Furthermore, while WS-ReliableMessaging provides built-in error handling for SOAP APIs, REST APIs must resend the data whenever an error occurs.
If sensitive data is being managed, such as bank accounts and credit records, then SOAP may make the most sense when choosing an API model. However, the true strength of API security depends on how the API is implemented. A REST API that has been securely constructed and implemented will be safer than an ill-designed and poorly implemented SOAP API.