APIs are great, they are everywhere and they grow. When thinking about API security very often very basic security mechanisms are missing. This article is about the very minimum frist steps you should always take:
First steps to think about
- Only expose the parts of the interface which are necessary, not the entire API
- Only collect and publish the data which is really necessary
- Only grant access to people/systems which need it
- Switch sides and think like an attacker ("Write a black mirror episode about your API", Keith Casey 2019)
API gateway
Use API gateways, because they take care of:
- Lifecycle: In which state is your API? How was it designed and built? To which gateways is it published and is it live & available?
- Interface: What does it expose? Which resources, methods, objects and fields?
- Access: Who can use it? Which users or groups, which authentication, which clients, which contexts?
- Usage: How to succeed with it? API documentation, debugging and errors, tracking usage, examples & sdks?
- Business: How does it drive business goals? Partner CRM, marketing, business analytics
API gateways like apigee, kong, apache apisix, krakenD, the list is long. Great overview about open source api gateways: https://www.predic8.de/open-source-api-management-kong-tyk-fusio-umbrella-wso2.htm
API Access
Use available standards like OpenID connect. Don't just use OAuth Core, but instead the OpenID connect, because you'd probably missing a lot of different additional important standards. A list of the few common OAuth/OIDC specifications may show why:
Input validation
There are so many different attack vectors. One of the most basic yet so often missing things is good input validation, which helps stopping classical attacks like XSS, injections, deserialization and so on. But it also stops breaking the programms intention or in other words its business logic.
Input validation should be applied in the enforcment of correct syntax (e.g. SSN, date, currency symbol), so the syntactic level and for semantic validation to enforce correctness of their values in the specific business context (e.g. start date is before end date, price is within expected range).
There is so much more
- https://owasp.org/www-project-api-security/
- https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
- https://attack.mitre.org/techniques/T1106/
- Regularly updating your systems of which the api is built on
- Harden your systems, applications, middleware, runtime-environment and interfaces of which the api is built on
- Do regularly penetration testing and vulnerability scanning
- Enhance and regularly review logging & monitoring including automized alerts based on thresholds
