What Are API Security Best Practices?
An API security breach can be scary.
We remember, not long ago, Facebook's breach. In September 2018, hackers used a vulnerability in Facebook's Developer API to expose millions of users. They obtained profile information such as name, gender and hometown. They exploited the "View As" feature, which lets people see what their own profile looks like to another Facebook user, and managed to obtain access tokens they then used to steal users' information.
More recently, Doctolib was the victim of a data theft. Hackers gained access to confidential information: the telephone number, e-mail address, name and specialty of healthcare professionals.
Even a few days ago, the same appeared to be true for Clubhouse, which saw information from about 1.3 million user profiles get posted on a cybercrime forum. The poster said that the data had been scraped from Clubhouse using one of its APIs.
Well, APIs are the doors to the meaningful data in companies' ecosystems. To prevent hackers from gaining access to that data, or even worse, to the company's infrastructure, one needs to implement strong API security.
First, what is API Security?
By API Security, we mean protecting the integrity of APIs, both those you own and those you use. We mean putting in place practices that prevent misuse or malicious attacks.
Why is API Security that important?
Gartner estimates that "by 2022, API abuses will move from infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications". This means API Security will become the top concern for enterprises working with web applications. It follows that best practices should be enforced quickly to prevent hackers from jeopardising a company's APIs.
What, then, are the best practices to prevent an API breach?
To dig into the best practices, it's best to split them into three categories: Prevent, Measure, and Take action.
Prevent: enforce the basic security measures known to help against hacking attempts.
- Don’t build your own system
Don’t try to reinvent the wheel. It’s very likely the system you want to put in place already exists somewhere else, with proven security.
- Use HTTPS (TLS)
With HTTP or any other unencrypted protocol, passwords, private keys, credit card numbers and other sensitive information are at risk and can easily be stolen, because anyone on the path can read them in plain text. Always encrypt data in transit and at rest. Encryption makes it harder for hackers to compromise data.
- Check the infrastructure robustness
Rely on safe and up-to-date infrastructure and software. Spend time and allocate resources to investigate the topic.
- Ensure Authentication
Ensure your users are who they actually say they are. Authentication establishes who is calling and is the first step in allowing or denying access to the API. Three common methods to do so:
  - Basic Authentication: a username/password pair sent alongside every API call.
  - API Key: a unique key linked to an account, passed alongside every request.
  - OAuth: a user clicks a sign-in button, grants permission, and your app can then authenticate each request with an access_token.
- Verify Authorization
Once you are sure your users are who they say they are, make sure they are granted access only to the content they are allowed to see.
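The two steps above, authentication (who is calling) and authorization (what that caller may see), as an added example in Python. This is illustration code written for this article, not Blobr's product code; the API-key table, the profiles and the `X-API-Key` header name are constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional

def _h(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

# Constructed sample data (not from any real system). Keys are stored hashed,
# so a leaked table does not hand out usable credentials.
API_KEY_HASHES = {
    _h("key-alice-123"): "alice",
    _h("key-bob-456"): "bob",
}
PROFILES = {
    "p1": {"owner": "alice", "email": "alice@example.com"},
    "p2": {"owner": "bob", "email": "bob@example.com"},
}

def authenticate(headers: dict) -> Optional[str]:
    """Authentication: establish WHO is calling from the X-API-Key header.
    Returns the account name, or None if the key is missing or unknown."""
    presented = headers.get("X-API-Key")
    if not presented:
        return None
    digest = _h(presented)
    account = None
    # Compare against every stored hash in constant time; no early exit,
    # so response timing does not reveal which keys exist.
    for stored, owner in API_KEY_HASHES.items():
        if hmac.compare_digest(digest, stored):
            account = owner
    return account

def authorize(account: str, profile_id: str) -> bool:
    """Authorization: may this authenticated account read this profile?
    Here the rule is simply "only the owner may"."""
    profile = PROFILES.get(profile_id)
    return profile is not None and profile["owner"] == account

def get_profile(headers: dict, profile_id: str) -> tuple[int, dict]:
    """Request handler: authenticate first, then authorize, then serve."""
    account = authenticate(headers)
    if account is None:
        return 401, {"error": "authentication required"}
    if not authorize(account, profile_id):
        # Same answer for "not yours" and "does not exist", so a caller
        # cannot enumerate which profile ids exist.
        return 404, {"error": "profile not found"}
    return 200, {"id": profile_id, "email": PROFILES[profile_id]["email"]}
```

A valid key for Alice reads her own profile but gets the same 404 for Bob's profile as for a non-existent one.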
Measure: put processes in place to become aware of the current situation and what is happening. You can only improve what you can measure.
- Track and document all your exposed APIs
Many organizations running APIs have no API security strategy at all. You must first be aware of every API you have created in order to secure and manage them properly. You also need to establish who owns the API topic.
- Validate inputs
Input data should never be passed from the API to the backend endpoints without prior validation.
- Share as little as possible
Expose as little information as possible in your API responses. APIs are primarily intended for developers, which is why they very often contain keys, passwords and other information that should be removed before being widely shared.
Take action: rules to apply to counter a situation that is not in the company's favour.
- Configure error messages
Ensure developers get error messages with enough information to help them debug, but not enough to expose details about internal data and/or infrastructure.
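The three controls above, validating input before it reaches the backend, sharing as little as possible in responses and returning error messages that help developers without exposing internals, as one added Python example written for this article (not Blobr's code). The practitioner record, the id format and the backend stand-in are constructed assumptions.

```python
import logging
import re
import uuid
from typing import Any

log = logging.getLogger(__name__)

# Constructed sample record as it might sit in a database; the last two fields
# are exactly the kind of thing that must never leave the API.
PRACTITIONERS = {
    "42": {"id": "42", "name": "Dr. Example", "specialty": "cardiology",
           "phone": "+33 1 00 00 00 00", "password_hash": "HASH_PLACEHOLDER",
           "internal_api_key": "KEY_PLACEHOLDER"},
}
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")   # validate before touching the backend
PUBLIC_FIELDS = ("id", "name", "specialty")  # allowlist; everything else is dropped

def validate_id(raw: Any) -> str:
    """Accept only a short decimal id; raw client input is never forwarded."""
    if not isinstance(raw, str) or not ID_PATTERN.match(raw):
        raise ValueError("id must be 1-10 decimal digits")
    return raw

def to_public(record: dict) -> dict:
    """Share as little as possible: copy only allowlisted fields."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}

def fetch_record(practitioner_id: str) -> dict:
    """Stand-in for a database call; id "0" simulates a backend outage."""
    if practitioner_id == "0":
        raise RuntimeError("db: connection to db-host-internal refused")
    return PRACTITIONERS[practitioner_id]

def get_practitioner(raw_id: Any) -> tuple[int, dict]:
    """Handler: validate, fetch, filter, and fail with useful but safe errors."""
    try:
        practitioner_id = validate_id(raw_id)
    except ValueError as e:
        # Enough for a developer to fix the call, nothing about internals.
        return 400, {"error": "invalid request", "detail": str(e)}
    try:
        record = fetch_record(practitioner_id)
    except KeyError:
        return 404, {"error": "not found"}
    except Exception:
        ref = uuid.uuid4().hex  # correlation id: full details go to the log only
        log.exception("backend failure, ref=%s", ref)
        return 500, {"error": "internal error", "reference": ref}
    return 200, to_public(record)
```

The 500 response carries only a reference the developer can quote to support; the hostname in the exception stays in the server log.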
- Dedicate specific resources
Ensure you have people responsible for the topic, ready to take action in case of a major event. In case of a hack, they should investigate thoroughly, report in detail what has been compromised, notify those who have been put at risk by the hack, and take the most appropriate actions to prevent it from happening again.
Understood. Now, what?
Security is a serious topic and an important part of any API. Since more and more APIs are being exposed online, companies are at even greater risk if no extra care is taken over security. At Blobr, we think one of the biggest issues with API security right now is that the topic is often viewed as an afterthought. Yet, since APIs are the direct link to organizations' data, the subject should be a high priority right away.
Indeed, no countermeasure can easily be put in place once a hack has been uncovered. Quite often, when misuse is uncovered, the only solution is to cut access for all API users. That is not good for business continuity, as it breaks every customer business downstream.
This is exactly what happened with the Facebook breach in 2018. The company had to cancel access to the API and asked developers to move to another API. It is fine when you are Facebook and have such a market monopoly. Yet, for any other company, cutting access to an existing API like this would be disastrous.
At Blobr, we believe there is a better way to address the situation. Thanks to our interface, you have better control over API endpoints. You also have better, granular control over the data exposed. Therefore, in case of misuse of an implemented API, you can dynamically modify the misused data output without putting your whole business at risk. Also, thanks to the platform, you get logs of the API calls being made by your end customers. You can then reconcile that information with the calls expected under the plans granted to your customers. In case of abnormal calls, an investigation can be started immediately.
Discover how the magic of our no-code API tool - Blobr - could be applied to your business by talking to our experts.