Sachin Agarwal

(Posted first on Wired Insight blog)

As APIs have experienced ubiquitous adoption across IT and business, the opportunities for innovation and new business use cases are limitless.  So many creative new business models have emerged from new uses of APIs that we’ve collectively coined the term “API Economy” to describe what’s happening.  APIs are here to stay. They are easy to use, can be easily self-provisioned by developers without “parental guidance,” and can be monetized and licensed by the API provider – a win-win situation for both.

The model mostly works, except when the hustle to publish an API or roll out the first App leads one to neglect thinking about the ramifications of being hacked. Many organizations embark on deployments without a full understanding of the various attack vectors that their API can be vulnerable to. In recent years, large enterprises have experienced cyber attacks and hacks compromising millions of records and permanently damaging the reputation of these businesses. You can find my analysis of the recent Snapchat API hack here.

In this post, I will highlight areas of risk mitigation that businesses should be aware of as they start opening up their digital channels. Technology must accelerate the pace of business and open up new opportunities in this digital economy, but each of the topics I discuss below deserves a thorough review before an API goes live. Attackers are always looking for the weakest link in your digital channel strategy.

Authentication and Authorization: The simplest and most common control is to validate who is accessing your API (authentication) and whether that user may access the resources being requested (authorization). This can quickly get complex because of the different standards you might need to support: OAuth 2.0 (a delegated-authorization framework, not an authentication protocol on its own), OpenID and OpenID Connect (which layers authentication on top of OAuth 2.0), SAML, X.509 client certificates, etc. Of these, OAuth is the most popular, but it is relatively complex and needs a deeper understanding; treating an OAuth access token as proof of who the user is, rather than of what the App was granted, is a common mistake. Another important and often overlooked aspect of API security is that you need to identify not only the user accessing the API but also the user’s App itself. API keys are the mechanism for identifying the App that is consuming the API; the key is also used to control the type of access the App has and to rate limit the calls that originate from it. Keep in mind that an API key shipped inside a mobile or JavaScript client can be extracted, so treat it as an identifier tied to a license and quota rather than as a secret that proves the App is genuine. Essentially, API keys are tied to Licenses, which I discuss further below.

Message Security: APIs are often used to access valuable and sensitive data. It is essential that this data be secured and protected both in transit and at rest. Securing the transport channel with TLS (SSL is obsolete and should be disabled, as should TLS 1.0 and 1.1) and encrypting or signing the message itself are the main mechanisms. Transport security ends wherever TLS is terminated, typically at a load balancer or gateway, so message-level protection is what keeps the payload confidential and untampered across intermediaries, logs and queues.

Threat Protection: APIs should be protected against both unintentional abuse and intentional attacks. APIs are potentially more vulnerable than web apps: they increase the attack surface, are more flexible and can be used in more ways than a web app. One should protect APIs against DoS, SQL injection, HTTP parameter pollution, script injection (XSS) in content that will later be rendered, and various other attacks. Also, the content itself might be malicious and require protection measures such as scanning uploads for malware and validating message content and JSON/XML data structures against an explicit schema, including size and nesting limits (and, for XML, disabling external entity resolution). Other protection controls like Licensing and rate limiting are discussed below.
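What those input-side checks look like in code, as an added example that is not the post's own: duplicate query parameters are refused (HTTP parameter pollution), the JSON body is size- and depth-limited and matched against an explicit schema, and the database lookup binds the user-supplied value instead of splicing it into SQL, shown beside the vulnerable string-built query. It uses only the Python standard library; the order schema, the in-memory catalogue and the sample requests are all constructed for the example.

```python
"""Input hardening for a hypothetical "create order" JSON API call (added example)."""
import json
import sqlite3
from urllib.parse import parse_qsl

MAX_BODY_BYTES = 4096
MAX_DEPTH = 4
# Hypothetical schema: field -> (expected type, required)
ORDER_SCHEMA = {"sku": (str, True), "quantity": (int, True), "note": (str, False)}


class RequestRejected(Exception):
    pass


def check_query(qs: str) -> dict:
    """Refuse repeated keys rather than silently taking the first or last value."""
    seen = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if key in seen:
            raise RequestRejected(f"duplicate query parameter: {key}")
        seen[key] = value
    return seen


def _depth(obj, level=1):
    children = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else []
    return max([_depth(c, level + 1) for c in children] + [level])


def check_body(raw: bytes, schema=ORDER_SCHEMA) -> dict:
    """Size limit, strict JSON, nesting limit, unknown keys, types, then ranges."""
    if len(raw) > MAX_BODY_BYTES:
        raise RequestRejected("body too large")
    try:
        body = json.loads(raw)
    except ValueError:
        raise RequestRejected("malformed JSON")
    if not isinstance(body, dict):
        raise RequestRejected("body must be a JSON object")
    if _depth(body) > MAX_DEPTH:
        raise RequestRejected("JSON nested too deeply")
    unknown = set(body) - set(schema)
    if unknown:
        raise RequestRejected(f"unexpected fields: {sorted(unknown)}")
    for field, (ftype, required) in schema.items():
        if field not in body:
            if required:
                raise RequestRejected(f"missing field: {field}")
        # bool is a subclass of int in Python, so `true` would otherwise pass as a quantity
        elif not isinstance(body[field], ftype) or isinstance(body[field], bool):
            raise RequestRejected(f"wrong type for {field}")
    if not 1 <= body.get("quantity", 1) <= 1000:
        raise RequestRejected("quantity out of range")
    return body


def _demo_db():
    """Constructed in-memory catalogue standing in for the real database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?)", [("ABC-1", 9.99), ("XYZ-9", 120.0)])
    return con


def price_for_unsafe(con, sku: str):
    """Vulnerable form: the sku is spliced into the SQL text, so `' OR 1=1 --` matches everything."""
    row = con.execute(f"SELECT price FROM products WHERE sku = '{sku}'").fetchone()
    return row[0] if row else None


def price_for(con, sku: str):
    """Hardened form: the sku is bound as a parameter and can never become SQL."""
    row = con.execute("SELECT price FROM products WHERE sku = ?", (sku,)).fetchone()
    return row[0] if row else None


def handle_order(qs: str, raw_body: bytes, con=None):
    """Returns ('ok', total) or ('rejected', reason) for one request."""
    con = _demo_db() if con is None else con
    try:
        check_query(qs)
        order = check_body(raw_body)
    except RequestRejected as exc:
        return ("rejected", str(exc))
    price = price_for(con, order["sku"])
    if price is None:
        return ("rejected", "unknown sku")
    return ("ok", round(price * order["quantity"], 2))


if __name__ == "__main__":
    print(handle_order("channel=mobile", b'{"sku": "ABC-1", "quantity": 3}'))
    print(handle_order("", b'{"sku": "\' OR 1=1 --", "quantity": 1}'))
    print(price_for_unsafe(_demo_db(), "' OR 1=1 --"))
```

The schema check is an allow-list: anything not named in `ORDER_SCHEMA` is rejected, which is what stops mass-assignment style extras such as an `admin` flag from reaching the business logic.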

Licensing: Licensing and packaging provide control over the levels of visibility and access of APIs. One can control exactly who can see an API and who can request access to it, i.e. it controls the granularity of access. Licensing is often linked to API keys and gives API providers both a means of monetizing their APIs and a means of controlling access.

Monitoring and Rate Limiting: Often overlooked, monitoring and imposing rate limits on APIs allow API providers to control how often a specific App accesses the API or how much data it can exchange. Rate limiting is a very powerful countermeasure against threats and security breaches: it blunts credential stuffing, brute force and scraping, and caps how much a compromised key can extract before monitoring catches it. Monitoring supplies the audit trail that makes such abuse visible in the first place.
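How the controls from the Authentication and Authorization, Licensing, and Monitoring and Rate Limiting sections fit together at a gateway, as one added example that is not the post's own code: the API key identifies the App and selects its license (allowed operations and quota), a user token identifies the end user, an ownership check authorizes the requested resource, and a per-key token bucket enforces the license's rate limit. The licenses, keys, tokens and orders are constructed; the token lookup stands in for real OAuth/OIDC token validation, and keys would be stored hashed in a real deployment.

```python
"""Gateway-style checks for one API call (added example, stdlib only)."""
import time

# Hypothetical license tiers: what an App on this plan may do and how fast
LICENSES = {
    "free": {"scopes": {"orders:read"}, "rate_per_minute": 2},
    "gold": {"scopes": {"orders:read", "orders:write"}, "rate_per_minute": 1000},
}
# Constructed API keys issued to Apps (store only a hash of these in practice)
APP_KEYS = {
    "key-mobile-app": {"app": "mobile", "license": "gold"},
    "key-partner-x": {"app": "partner-x", "license": "free"},
}
# Stand-in for a verified OAuth/OIDC token -> subject mapping
USER_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
# Constructed resources with their owners
ORDERS = {1001: {"owner": "alice"}, 1002: {"owner": "bob"}}


class TokenBucket:
    """Classic token bucket: `capacity` calls per minute, refilled continuously."""

    def __init__(self, rate_per_minute: int, now: float):
        self.capacity = rate_per_minute
        self.tokens = float(rate_per_minute)
        self.refill_per_sec = rate_per_minute / 60.0
        self.updated = now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.refill_per_sec)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    def __init__(self):
        self.buckets = {}  # api_key -> TokenBucket

    def handle(self, api_key, user_token, operation, order_id, now=None):
        """Returns (status, message); the order of checks is deliberate."""
        now = time.time() if now is None else now
        app = APP_KEYS.get(api_key)
        if app is None:
            return (401, "unknown API key")
        lic = LICENSES[app["license"]]
        # Rate limit per key before any further work, so floods with bad tokens are throttled too
        bucket = self.buckets.setdefault(api_key, TokenBucket(lic["rate_per_minute"], now))
        if not bucket.allow(now):
            return (429, f"rate limit exceeded for App {app['app']}")
        if operation not in lic["scopes"]:
            return (403, f"license {app['license']} does not include {operation}")
        subject = USER_TOKENS.get(user_token)
        if subject is None:
            return (401, "invalid user token")
        order = ORDERS.get(order_id)
        if order is None or order["owner"] != subject:
            # Same answer for "missing" and "not yours": no enumeration oracle for other users' orders
            return (404, "order not found")
        return (200, f"{operation} on order {order_id} by {subject} via {app['app']}")


if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle("key-mobile-app", "tok-alice", "orders:read", 1001, now=0.0))
    print(gw.handle("key-partner-x", "tok-alice", "orders:write", 1001, now=0.0))
    print(gw.handle("key-partner-x", "tok-alice", "orders:read", 1002, now=0.0))
```

Passing `now` explicitly makes the bucket deterministic to test; in production the gateway reads the clock and keeps the buckets in a shared store so that limits hold across instances.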

API Lifecycle and Governance: Finally, launching a successful API is not only about marketing it right. The entire API lifecycle needs to be taken into account, and all the stakeholders, including the product manager, developer, API administrator and enterprise architect, should collaborate effectively throughout the lifecycle, from inception through production to retirement. This is essential to securing your APIs: the security and threat-protection controls discussed above must be owned by all the stakeholders and applied consistently at every stage of the API lifecycle.

Incorporating API Security and Governance

Incorporating security and managing it across the lifecycle of an API can be a challenging undertaking. API Management platforms, such as the one provided by my company, SOA Software, give enterprises a solution that addresses both their security and governance needs, across all channels and deployment form factors, i.e. in the cloud or on-premises. Traditional web application firewalls are not designed to protect APIs and certainly do not address the core issue of having the different stakeholders collaborate consistently and effectively across the lifecycle. I look forward to discussing each of the topics above in detail in future posts.
