by Waldemar Rosenfeld, Product Manager, APIIDA AG
Co-author: Olga Irmen, pixelideen UG
At the beginning of the year it happened again: The press reported that data had been stolen from politicians and celebrities. The attacker was neither an IT professional nor a well-organized gang of criminals. The perpetrator was a student from Hessen.
Hackers specifically look for security vulnerabilities and, if there are any, they find them. Since APIs act as links between different systems, they enable people and programs to access sensitive data – and are therefore particularly worth protecting. In our last article on this topic, we explained which sources of danger lurk when using APIs. In this blog post, we look at how you can successfully protect your APIs.
For protection to succeed, organizations must take precautions:
Documenting access routes to data, both internally and externally, is an important first step. In addition, your own resources must be categorized according to their relevance in order to correctly assess potential dangers. In doing so, additional attention must be paid to industry-specific regulations.
It is also important that employees are continuously trained by the IT security officer or the CISO so that everyone in the company internalizes the issue of security and reports any security gaps.
Reporting should be as simple as possible for employees, ideally with the help of a so-called bug bounty program. Here, reports of discovered security gaps are met with financial rewards rather than threats of prosecution. This attracts so-called white hat hackers, who may then support your own employees in the future.
Prioritization: Which APIs are particularly worth protecting?
There are often countless APIs in companies – some of which give people and programs access to highly sensitive data and some do not. Of course, high security requirements apply to the former. But the first thing to do is to identify them! Also, APIs that companies make available to their customers must always deliver data reliably, as well as securely.
In order to increase overall security, it is advisable to set up guidelines on how to secure all APIs in the company:
• No data transmission without transport encryption via TLS (min. TLS 1.2).
• Anonymous access only for general APIs that do not require special protection.
• Data economy: No data is transferred that does not need to be transferred. Customer data should not be filtered in the web application but already in the backend. If your backend doesn’t support this, various API Management solutions can help you.
• Use of established API management products and their functionalities to protect against standard attack paths such as SQL injection. Furthermore, risk-based metrics such as location or time can be included.
• Clear code guidelines and applied test structures before APIs are published.
In summary: APIs that are particularly worth protecting are those that allow access to sensitive data of your organization (customer data, credit data, …) as well as those that you make available to your customers!
Once the most important APIs have been identified in the company, external access must be restricted. The following steps will help here:
1. Identification: Who wants to access the API?
2. Authentication: Can the claimed identity of the person accessing the API be proven?
3. Authorization: Is this identity allowed to perform this access at all?
Proven measures – What you can do:
1. Use API keys for identification. API keys are long, alphanumeric strings that can uniquely identify a service or a user. Access rights can be easily granted or revoked using API keys. They are easy to manage and an excellent way to determine identities.
2. Basic Authentication is a simple and frequently used method of authentication, in which a username and password are transmitted with the request. From a security perspective, however, it is not the best method. If stronger protection measures are needed, federation protocols are recommended. The best known are SAML 2.0 and OAuth2 in conjunction with OpenID Connect. The latter combination is particularly suitable for new developments.
3. Ensure that your WLAN and telecommunication network is securely encrypted. You can guarantee this with TLS and certificates for all connections.
4. The use of quotas is also important. They can be defined per API key in order to defend against attacks or to cut off faulty applications at an early stage.
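The three steps above (identification by API key, authorization of the identity, and a per-key quota) as an added, self-contained example that is not code from the original post or from the APIIDA products; the key registry, scope names and quota values are constructed for illustration:

```python
import hashlib
import hmac
import time

WINDOW_SECONDS = 60


def key_hash(api_key: str) -> str:
    """Keys are stored only as SHA-256 hashes, never in plaintext."""
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed sample registry: key hash -> (client name, allowed scopes, requests per window)
KEY_REGISTRY = {
    key_hash("demo-key-reporting-0001"): ("reporting-app", {"orders:read"}, 3),
    key_hash("demo-key-billing-0002"): ("billing-service", {"orders:read", "orders:write"}, 100),
}


class Gateway:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the quota window can be tested
        self._counters = {}          # (key hash, window number) -> request count

    def check(self, api_key, required_scope):
        """Return (HTTP status, reason) for a request presenting api_key."""
        # 1. Identification: who is calling? Compare hashes in constant time so
        #    the lookup does not leak how much of a guessed key matched.
        digest = key_hash(api_key or "")
        match = None
        for stored, entry in KEY_REGISTRY.items():
            if hmac.compare_digest(stored, digest):
                match = entry
        if match is None:
            return 401, "unknown or missing API key"
        client, scopes, quota = match
        # 2. Authorization: is this identity allowed to perform this access at all?
        if required_scope not in scopes:
            return 403, f"{client} lacks scope {required_scope}"
        # 3. Quota: fixed window per key, so a faulty or abusive client is cut off early.
        bucket = (digest, int(self._clock() // WINDOW_SECONDS))
        self._counters[bucket] = self._counters.get(bucket, 0) + 1
        if self._counters[bucket] > quota:
            return 429, f"quota of {quota}/{WINDOW_SECONDS}s exceeded for {client}"
        return 200, f"ok for {client}"
```

A real gateway would prune old windows from `_counters` and keep the registry in a store that supports revoking a key without redeploying.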
The use of API management solutions such as our APIIDA API Gateway Manager in combination with Broadcom API Gateway will also help you to ensure the security of your APIs. Such solutions support you with largely automated security measures and assist you in creating APIs, drawing on the manufacturers' extensive know-how that flows into the products. In our next article we will deal with this topic in more detail.
Do you have questions about API or API security? Call us or write us a message! We look forward to hearing from you!