September 2, 2015 | Written by: Jyoti Chawla
Share this post:
The IRS was recently in the headlines for the wrong reason: a lawsuit claims more than 330,000 taxpayer accounts were illegally accessed using the “Get Transcript” API. API breaches have for some time now plagued startups, affecting the likes of Facebook, Twitter, Buffer and Snapchat, and it’s clear these breaches are now affecting established enterprises.
While APIs provide easy access to innovation partners, without adequate precautions they can expose their digital enterprise assets to intruders. So, what makes APIs attractive to hackers? APIs provide a full course of services available for a hacker’s appetite that can be used together in interesting and often unintended ways. This has enabled new attack vectors that are exploited by myriad devices ranging from web applications to mobile devices to Internet of Things-enabled devices.
Is it possible to secure access to APIs while retaining their ease of access benefits? There are three basic security strategies that companies should adopt to avoid these incidents. While this is not an exhaustive list of security measures, they provide a proven framework.
A good practice in approaching API security is first and foremost to know your API assets. An API management suite can help identify the API and exact version, whether in development, QA or production, tracked by its internal registry. This is instrumental in controlling API sprawl. And in the event of a breach, knowing the exact variables in play at the time of the breach will help to expedite the solution.
A second detection strategy is knowing your consumers and solidifying their authentication. While most companies may start out exposing their APIs publicly, allowing developers to freely build applications using the APIs, it may help to configure multilayer security elements right down to the API level so that API consumers are easily identifiable. This is also crucial as API providers rely on standards such as OpenID for single sign-on between different applications.
A third detection strategy is to know your access patterns for your APIs. Look into your analytics capabilities to mine typical access patterns, whether its access from specific geographies, changes in access patterns due to seasonality, or even the time of the day for peak usage of your published API.
While APIs may not be as mature as web services in terms of security standards, many of the established good practices for secure web application development and secure web service development still apply. For instance, security vulnerability testing through various stages of API lifecycle can be a key prevention measure.
Of the widely used security frameworks, the use of OAuth 2.0 specification and OpenID top the list for API security. However, many open source OAuth 2.0 libraries exist, and developers sometimes are inclined to select one without full knowledge of the security implications. Hence, it is advisable to choose the OAuth 2.0 implementation that is most appropriate for the architecture and risk profile of the application.
Also, as API developers increasingly adopt OpenID to enable single sign on across multiple applications, it emphasizes the need for strong authentication practices at initial logon.
Once a breach is detected, a company’s risk exposure is limited by how quickly it can identify and shut down the breached API for further analysis.
Chances are if your API management product provides analytics to its consumers, it has a rich set of analytics capabilities for your organization—the API’s producer. Look for ways of extrapolating the analytics data and marrying it with the way you conduct business. For example, if there is an alarming number of requests from certain geography not typical of the API’s user base, it is a likely indication of a breach. In these cases, an API management suite can proactively limit the number of requests based on configurable policies, which is called rate limiting. There are several gateway solutions providing these features, and it would be good to have the flexibility to leverage your existing investments and integrate it into your API management suite.
Finally, it is useful to think about your API security in the context of other types of data that might be available to hackers. Would the combination of this data as input to your API unlock further data that is valuable to your consumers? Without a holistic approach comprising of the network, infrastructure, application and personal security, your API security will be as strong as its weakest link.