API Security: Six Best Practices to Follow
Fremont, CA: Companies have rapidly opened their data to their ecosystem through SOAP or REST APIs in response to the growing demand for data-centric projects. APIs are the gateways to a company's tightly guarded records, and securing those gateways is the challenge this creates.
Here are six simple practices you can adopt to reduce security threats and keep APIs secure.
- Encryption
Be cryptic. Nothing has to travel in the open, whether the traffic is internal or external.
TLS (the successor to SSL) encrypts all communications between the user and their partners, whether with standard one-way TLS (only the server presents a certificate) or, even better, mutual TLS (two-way TLS, where both sides present certificates). Use the most recent TLS versions and disable the weakest cipher suites so that clients cannot negotiate them.
- OAuth & OpenID Connect
To handle authorization, the API provider relies on a third-party authorization server. Instead of presenting their credentials to the API, the customer presents a token issued by that server. This protects the customer, who never has to reveal their credentials to the API, and the API provider no longer has to store authorization data because it only ever receives tokens.
OAuth is a well-known delegation protocol for transferring authorization. Users can add an identity layer on top of their APIs to protect them further and add authentication: this is the OpenID Connect standard, which extends OAuth 2.0 with ID tokens.
- Monitoring: Audit, Log, and Version
Keep a close watch. In the event of a mistake, users must be prepared to troubleshoot: inspect and record relevant information on the server, and keep that history for as long as their production servers' capacity allows. In the event of an incident, these logs become the debugging and investigation tools. Monitoring dashboards are also highly recommended for keeping track of API usage.
- Data Validation
Be picky about what you accept, especially if it is large. Anything the server receives needs to be double-checked. Always review the information that clients send and reject any additional content, as well as data that is too big. To avoid SQL injection or an XML bomb, use JSON or XML schema validation and check that each parameter has the type it should (string, integer...).
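As an added example (not from the article), a minimal Python validator for a hypothetical JSON order endpoint that applies the checks above: a size limit enforced before parsing, rejection of unexpected fields, and a type check on every parameter. The endpoint, its field names and the limits are assumptions.

```python
import json

# Constructed schema for a hypothetical "create order" endpoint: field -> expected type.
ORDER_SCHEMA = {
    "customer_id": int,
    "sku": str,
    "quantity": int,
}
MAX_BODY_BYTES = 4096   # reject oversized payloads before spending CPU on parsing
MAX_STRING_LEN = 64     # upper bound for every string field


class ValidationError(ValueError):
    """Raised with a short reason when a request body is rejected."""


def validate_order(raw_body: bytes) -> dict:
    """Check a request body against ORDER_SCHEMA and return the parsed object.

    Enforced in order: size limit, well-formed JSON, an object at top level,
    no unexpected fields, every required field present with the expected type,
    string length and positive integer bounds.
    """
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        data = json.loads(raw_body)          # JSONDecodeError is a ValueError
    except ValueError as exc:
        raise ValidationError(f"malformed JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValidationError("top-level value must be an object")
    extra = set(data) - set(ORDER_SCHEMA)
    if extra:                                # "reject any additional content"
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    for field, expected in ORDER_SCHEMA.items():
        if field not in data:
            raise ValidationError(f"missing field: {field}")
        value = data[field]
        # bool is a subclass of int in Python: do not let true/false pass as integers
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValidationError(f"field {field} must be {expected.__name__}")
        if expected is str and len(value) > MAX_STRING_LEN:
            raise ValidationError(f"field {field} too long")
        if expected is int and value <= 0:
            raise ValidationError(f"field {field} must be positive")
    return data


def check_body(raw_body: bytes) -> str:
    """Return 'ok' or the rejection reason, which is what you would log."""
    try:
        validate_order(raw_body)
        return "ok"
    except ValidationError as exc:
        return str(exc)
```

Rejection reasons are short, fixed strings, so they can be logged and counted on a monitoring dashboard without echoing attacker-controlled input back.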
- API Firewalling
Construct a barrier. Some believe that erecting a wall would fix all of a country's immigration issues. For APIs, at least, a wall does work! The protection of the API is divided into two layers:
The first layer sits in the DMZ, with an API firewall enforcing basic protections such as message size checks, SQL injection filtering, and any security that depends on the HTTP layer, keeping intruders from getting further. The message is then forwarded to the second layer.
The second layer is a local area network (LAN) with specialized data protection mechanisms.
- API Gateway (API Management)
Many of the processes mentioned above take a long time to establish and maintain. Rather than reinventing the wheel, users can invest in a successful and scalable API Management solution that includes all of these features to save money, time, and resources while also accelerating time to market. Users can use an API Gateway to protect, manage, and track their traffic.