Three API security essentials for enterprises

With enterprises heavily depending on APIs for growth, API security has emerged as a business-critical component today. Tips to employ an effective API security framework.

Abhinav Asthana Jan 12th 2018 A-A+

An interface developed to provide access to an application’s resources to people within and outside an enterprise, application programming interface (API) technology has grown significantly during the past decade-and-a-half. According to a forecast by Persistence Market Research, the worldwide cloud API market will touch US$ 1.7739 billion by 2026, demonstating 19.6 percent growth between 2016 and 2026.

The high importance of APIs, wherein millions of applications request for each other’s resources daily, has turned API security as the critical business component of API development. In a survey carried out by Akana amongst 1,200 organisations, nearly 75% respondents mentioned that API security was a CIO-level concern. The specific API security concerns mentioned included XML bomb, JSON Schema, DDoS, SQL Injection (53.25%), XML firewall, message-level security, encryption (42.86%), cross-site scripting (37.66%), and XML attacks (36.36%), among others.

With rising cyber threats perception in today’s internet-driven world, a carefully thought-out API security strategy is a must for every organisation. Broadly, there are three essential methods employed today to ensure API security: Basic authentication or identification, advanced authorisation with OAuth 2.0, and JSON Web Tokens along with encryption. A combination of these can help protect API resources in an organisation from unwanted entities—humans or otherwise. Let’s explore each method briefly.

1) Basic authentication: Working as the foundational defence measure, this exercise is typically carried out through API keys. Given as a randomized, unique key to developers, API key provides or refuses access to API resources. It can switch off access to APIs when a violation of terms of use is detected. For example, in spam filters, an API key blocks access when it detects the blog’s feedback-feature is misused by spammers. As an added advantage, an API key can also help monitor requests and provide analytics.

2) Advanced authorisation with OAuth 2.0:  While API keys can limit access only to entities with the key, this method cannot determine exactly who that entity is. That purpose is served by an open standard for authentication, Open Authorisation (OAuth 2.0). Commonly used to secure application resources, OAuth 2.0 provides a temporary, token-based authentication to grant access to API services in a secure fashion.

An API key cannot be stored in an unprotected environment. However, since OAuth 2.0 token is only valid temporarily, it can be stored in a less secure environment such as a mobile phone. Even if a hacker gains access to the token, his chances of exploiting it are slim since it expires quickly. A common application of OAuth 2.0 is websites (or apps) granting access to API resources via third party services such as Google, Yahoo, and Facebook.

3) JSON Web Tokens (JWT) along with encryption: This is a JSON based open standard to generate access tokens that validate and approve a specific number of claims. A JSON Web Token (JWT) is a URL-safe method used primarily during browser-based single sign-on (SSO) sessions. It helps establish a secure flow of API services between a pre-identified and authorised clients and server. It delivers enhanced API security when used along with encryption. The legitimacy of a token can be established only when an authorised client uses the decryption key.  A token with authentication information and predefined expiry time, JWT holds digitally signed user-defined claims. Being portable, it can be used to provide access to multiple backend resources. As JWT does not require cookies, it is deemed ideal for mobile environments.

Importance of a policy framework
Even as the methods mentioned above can largely address API security requirements, it may not be advisable to employ them in isolation. For instance, SSL (or TLS) have become a basic hygiene technology to have for any authentication method to deliver good results.

Approach to security must be holistic with an organisation-wide policy framework in place. Starting from infrastructure security—such as, servers running on stable, regularly patched OS versions, carefully-configured security groups, VPC isolation across environments, and role-based access control—your policy framework must incorporate rules for rugged account security, software security, employee access, and data security. Having measures in place for attack prevention, mitigation, your response policy for security incidents must be pre-documented to ensure a secure development environment is maintained at all times. Lastly, API security audits and testing should be incorporated as ongoing exercises to improve API development from quality and efficiency perspective, continuously.

The author, Abhinav Asthana, is CEO & Co-founder, Postman.

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).