It’s no exaggeration to say that APIs are the backbone of the modern digital economy. API usage has seen staggering exponential growth over the last two decades with sources like Postman's 2022 State of the API Report illustrating just how embedded APIs are into our modern world. In 2022, the Postman API platform saw 20 million users and over 1 billion API requests created. This single snapshot highlights that APIs are a core driver of performance for many organizations, and as a consequence this means that API security is integral to practicing modern cybersecurity. In this post, will discuss key aspects of API security and provide actionable steps for organizations to harden their APIs.
What is API security?
API security refers to the measures, practices, and policies implemented to protect APIs from unauthorized access, misuse, or malicious attacks. Ensuring robust API security helps protect sensitive data, maintains the trust of users and customers, and ensures the availability and reliability of APIs. APIs by definition are meant to transmit data, but the potential for misuse by unauthorized individuals can expose sensitive data, cause reputational damage, monetary losses, or result in critical systems being accessed.
Because of the ubiquity and versatility of APIs, API security touches on a wide range of security areas like encryption, cyber hygiene, application security, zero trust access, and more. There is no single universally accepted approach to API security, however sources like The OWASP Foundation (Open Worldwide Application Security Project), have provided a detailed outline of what API security should encompass.
What is the OWASP API Security top 10?
To help organizations protect their APIs from common threats, OWASP released the API Security Top 10, a list of the most critical API security issues. Released in 2019, this list was based on a comprehensive data analysis of over 4000 API security incidents from various sources. It discusses the following security issues:
- APIs may expose endpoints that handle object identifiers, allowing attackers to access or modify unauthorized resources.
- APIs may implement authentication mechanisms incorrectly, allowing attackers to compromise or spoof user identities.
- APIs may expose more data than necessary, relying on clients to filter it before displaying it to users. This can lead to data leakage or privacy violations.
- APIs may not impose any restrictions on the size or number of resources that can be requested by clients. This can lead to performance issues, denial-of-service attacks, or brute-force attacks.
- APIs may have authorization flaws that allow attackers to access or perform functions they are not supposed to.
- APIs may bind client-provided data to data models without proper filtering based on an allowlist. This can allow attackers to modify object properties they are not supposed to.
- APIs may have insecure configurations that expose sensitive information or functionality. This can include verbose error messages, misconfigured HTTP headers, unnecessary HTTP methods, or improper CORS settings.
- APIs may be vulnerable to injection attacks, where malicious input is sent to an interpreter as part of a command or query. This can result in data loss, corruption, or disclosure.
- APIs may have outdated or unused components that are not properly documented or secured. This can lead to unauthorized access, data exposure, or malicious code execution.
- APIs may not have adequate logging and monitoring mechanisms to detect and respond to attacks. This can delay incident response, increase the impact of breaches, or prevent accountability.
API security best practices
The OWASP API Security top 10 provides a good overview of the steps you should take to secure API, these include:
- Developing an inventory of your active APIs
- Ensuring authentication and encryption
- Implementing rate limiting
- Validating API requests
- Logging and reviewing API activities
- Conducting penetration testing
Some other considerations that are equally important, but outside the scope of the OWASP top 10 include addressing OAuth token and API key abuse. We go over all of these below.
1. Create an Inventory of active APIs
To effectively secure your APIs, start by creating an inventory of your active APIs and determine if they're internet-facing and whether that's appropriate. This means ensuring that your APIs are not unnecessarily exposed to the public internet and that only authorized users and systems can access them. Organizations should also assess the potential risks of exposing APIs and ensure that the necessary security measures are in place to mitigate those risks.Doing this is a prerequisite for identifying potential vulnerabilities and applying specific security configurations to each API. OWASP has a page here, providing examples of tools that can be used to find and inventory exposed APIs.
2. Enforce authentication and encryption for all running APIs
APIs should require authentication to ensure that only authorized users can access sensitive data or functions. Authentication can be achieved through various methods, such as tokens, API keys, or OAuth. In addition, APIs should use encryption to protect data in transit and at rest. Transport Layer Security (TLS) or Secure Sockets Layer (SSL) can be used to encrypt data in transit, while data at rest can be encrypted using techniques such as disk encryption or database encryption.
3. Implement rate limiting to prevent abuse of APIs
APIs should be protected against DoS attacks by implementing rate limiting. This involves limiting the number of requests that can be made in a certain period to prevent overwhelming the API. This can be done by setting limits on the number of requests per user or per IP address, or by implementing dynamic rate limiting that adapts to changes in traffic patterns.
4. Validate incoming API Requests
APIs should validate all inputs to ensure that they are within expected ranges and do not contain malicious code. Input validation should be done at every layer of the application stack, from the user interface to the API backend. This can be achieved through techniques such as input validation libraries, parameterized queries, and data type validation.
5. Log and review all API requests
All API requests should be logged and reviewed to ensure non-anomalous behaviors and abuse. Organizations should monitor their API traffic to identify patterns of abuse or malicious behavior, such as excessive requests or attempts to access sensitive data. This can be achieved through techniques such as log analysis and intrusion detection systems. Keep a record of API activities to monitor for breaches and respond quickly to potential threats.
6. Conduct regular pen testing
Penetration testing is a critical component of API security, as it helps identify vulnerabilities or other attack vectors that expose APIs. Pen testing involves simulating attacks on APIs to identify weaknesses and potential exploits. This can be done internally or through third-party security providers.
7. Prevent sharing, exposure, and abuse of API keys or secrets
One commonly overlooked area of risk is the exposure of API keys and authentication tokens, which can be shared by programmers in collaborative SaaS applications like Slack and Jira or accidentally embedded in code, which is bad practice. Our research found that on average a company with 100 employees will have 5+ active production API keys stored in their cloud apps which speaks to the risk that exposed secrets can pose. Leaking secrets and credentials effectively bypass any hardening of your APIs that you’ve implemented because OAuth tokens and API keys can be abused in privilege escalation attacks.
Cybercriminals often use tools to scan public repositories for secrets and credentials in code, or within environments they’ve already infiltrated. Both tactics were pivotal for both the 2016 Uber breach as well as the 2022 Uber breach. To learn more about mitigating this risk, read our secrets scanning tutorial.
As APIs continue to drive the digital economy and enable seamless data exchange between applications, API security has become a vital aspect of modern cybersecurity that requires careful attention and planning. By following best practices and implementing appropriate measures, organizations can ensure that their APIs are secure and reliable, and that they can leverage the benefits of APIs without compromising their data or systems.