With Digital Transformation, APIs (Application Programming Interfaces) have become a strategic necessity for businesses. But the dramatic increase in the number of APIs being used has also fuelled an increase in API security threats. In July 2021, Gartner predicted that by 2022, API attacks would be the most frequent attack vector. We are not even halfway through 2022 and API attacks are already on the rise, confirming Gartner’s prediction to a large extent.
According to a report from Salt Security, API attack traffic grew by 681% over the previous twelve months, and 95% of the companies surveyed reported an API security incident in that same period.
Yet in the same survey, 34% of the companies turned out to have no proper API security strategy at all. That calls for more awareness and for concrete measures to safeguard APIs.
Why is it important to safeguard APIs?
It is said that if data is the new oil, then APIs are the pipelines and the API backend is the refinery. And we know what happens when a pipeline leaks: a data breach. An API endpoint that hands out data without proper checks gives an attacker direct, scriptable access to it, which is exactly what makes APIs such attractive targets.
A data breach damages brand reputation and can cause significant financial loss. An insecure API also creates legal and compliance exposure, with heavy penalties for breaching regulations such as GDPR.
Top Ways to Safeguard APIs
API attacks have breached security at several businesses including Facebook, Twitter, and LinkedIn, clearly emphasizing the need for a better security strategy.
Below are the top ways to make your APIs more secure and prevent attacks.
Good coding, testing, and review standards
Many APIs suffer from basic bugs, business logic flaws and poor design, and each of these can expose the API to attack. A well-known example is the 2018 Google+ incident, in which a bug in a Google+ API let third-party apps read profile fields that users had marked as not public, affecting millions of accounts.
Standard guidelines for coding, code review and testing are essential. Write abuse-case tests (threat scenarios) in a test environment to flush out bugs before release, and where possible commission third-party penetration tests to see whether the API holds up against a real attacker.
Security review needs to be a continuous activity, since many vulnerabilities only become apparent at runtime, under real traffic. Those then need to be fixed quickly, before they cause serious damage.
Injection attacks such as SQL injection, remote code execution and cross-site scripting (XSS) all stem from untrusted input reaching an interpreter. Strict input validation is the first line of defence, but it is not sufficient on its own: SQL injection is actually prevented by parameterised queries, XSS by output encoding, and code execution by never passing request data to shells, eval or unsafe deserialisers. Attacks also come from authenticated clients, so every request must be validated regardless of who sent it.
An API request should be passed through to the endpoint only once it has been successfully validated: check that each field has the expected type, length and format against an allowlist, and reject requests that do not match rather than trying to strip out the "malicious" parts, since sanitisation is easy to bypass. The OWASP Injection Prevention Cheat Sheet is a good resource for preventing injection attacks.
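As an added illustration (not code from the original article), the following Python shows the difference between doing neither, parameterising the query, and validating input on top of that. It uses an in-memory SQLite table with constructed sample rows; the `users` schema and the `username` format rule are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed in-memory sample table for the demo (not data from the original page).
_conn = sqlite3.connect(":memory:")
_conn.execute(
    "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)"
)
_conn.executemany(
    "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
    [("alice", "alice@example.com", 0), ("bob", "bob@example.com", 1)],
)

# Allowlist for the `username` field (assumed format): lower-case letters, digits,
# underscore, 3 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def lookup_vulnerable(username):
    """The 'before' case: the request parameter is pasted straight into the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return _conn.execute(sql).fetchall()


def lookup_parameterised(username):
    """Parameterised query: the driver sends the value separately from the SQL,
    so it can never be parsed as SQL. This is the actual injection fix."""
    return _conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username):
    """Allowlist validation: reject anything that does not match the expected shape.
    Rejecting is safer than 'stripping' suspicious characters, which attackers
    routinely work around."""
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return username


def lookup_hardened(username):
    """Defence in depth: validate at the API boundary, then query with parameters."""
    return lookup_parameterised(validate_username(username))


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(payload))      # every row leaks
    print("parameterised:", lookup_parameterised(payload))   # no row matches
    try:
        lookup_hardened(payload)
    except ValueError as e:
        print("hardened     : rejected,", e)
```

Run it and the classic `' OR '1'='1` payload returns the whole table from the vulnerable function, nothing from the parameterised one, and is rejected at the boundary by the hardened one; the validation layer is what keeps garbage out of your logs and business logic, the parameter binding is what keeps it out of the database.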
Rate-Limiting or Throttling API Requests
Bad actors can brute-force credentials or flood the API with requests to cause a denial of service. Rate limiting and request quotas blunt both: a rate limiter (or throttle) caps how often a given client may call the API.
Define thresholds for both burst rate and volume. A per-second or per-minute limit per client stops brute-force attempts against login and token endpoints, while hourly or daily quotas stop a single consumer from exhausting capacity. Reject over-limit requests with HTTP 429 and a Retry-After header so that well-behaved clients back off. Together these keep the API available to everyone else when one client misbehaves.
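Here is an added example of such a limiter in Python, not part of the original article: a token bucket for per-client burst control plus a fixed-window quota, combined into one gate that answers 429 with a Retry-After header. The rate, burst and quota values and the `throttle` helper are choices made for the demo; the clock is injectable so the behaviour can be checked deterministically.

```python
import math
import time


class TokenBucket:
    """Per-client burst control: `rate` requests/second sustained, up to `burst` at once."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = float(rate), float(burst), clock
        self._state = {}  # client key -> (tokens, timestamp of last refill)

    def allow(self, key):
        """Returns (allowed, retry_after_seconds)."""
        now = self.clock()
        tokens, last = self._state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self._state[key] = (tokens - 1.0, now)
            return True, 0.0
        self._state[key] = (tokens, now)
        return False, (1.0 - tokens) / self.rate


class FixedWindowQuota:
    """Per-client volume control, e.g. 1000 requests per hour."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, float(window_seconds), clock
        self._state = {}  # client key -> (count, window index)

    def allow(self, key):
        now = self.clock()
        index = int(now // self.window)
        count, stored_index = self._state.get(key, (0, index))
        if stored_index != index:  # a new window has started, counter resets
            count = 0
        if count >= self.limit:
            self._state[key] = (count, index)
            return False, (index + 1) * self.window - now
        self._state[key] = (count + 1, index)
        return True, 0.0


def throttle(client_key, bucket, quota):
    """Gate one request. Returns (http_status, headers); 429 carries Retry-After
    so a well-behaved client backs off instead of hammering the endpoint."""
    for limiter in (bucket, quota):
        allowed, retry_after = limiter.allow(client_key)
        if not allowed:
            return 429, {"Retry-After": str(math.ceil(retry_after))}
    return 200, {}


if __name__ == "__main__":
    bucket = TokenBucket(rate=2, burst=5)               # demo values
    quota = FixedWindowQuota(limit=1000, window_seconds=3600)
    for i in range(7):
        print(i + 1, throttle("client-a", bucket, quota))  # 6th and 7th are 429
```

Key the limiters on something the attacker cannot freely change: an API key or authenticated user for normal endpoints, and the source address plus target account for login endpoints, so that a brute-force against one account is throttled even when the attacker rotates IPs. In a multi-instance deployment the state lives in a shared store such as Redis rather than a process-local dictionary.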
Strong Authentication and Authorization
Attackers exploit weaknesses in how APIs implement authorization, whether Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC). The identity of the user or program sending a request must first be established with a proper authentication protocol; strong authentication also cuts down automated bot traffic against the API.
After authentication, an authorization layer must grant only the approved level of access. For example, if an authenticated user is permitted only to read data, a request to add or modify data must be rejected. Check not only what the caller may do but which objects it may do it to: an API that verifies the token but not the ownership of the requested record ID suffers from broken object level authorization, the top item in the OWASP API Security Top 10.
API gateways that integrate OAuth 2.0 tokens, request signatures and API keys are a good way to centralize authentication in front of every endpoint. Keep in mind that an API key identifies the calling application, not the end user, so it must be combined with user-level authorization and rotated when leaked.
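The following Python is an added example (not the article's code, nor any gateway's) that puts the two steps together: authentication by HMAC-signed request with a timestamp window and constant-time comparison, then authorization by scope and by object ownership. The key store, the order table, the header names and the `orders:read`/`orders:write` scopes are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo credential store: key id -> secret, granted scopes, owning user.
# In production this comes from the gateway or identity provider, not a dict.
API_KEYS = {
    "key_alice": {"secret": b"alice-secret-0001", "owner": "alice", "scopes": {"orders:read"}},
    "key_bob": {"secret": b"bob-secret-0002", "owner": "bob",
                "scopes": {"orders:read", "orders:write"}},
}
# Constructed demo resource table: order id -> owner and a payload field.
ORDERS = {101: {"owner": "alice", "total": 42}, 102: {"owner": "bob", "total": 7}}

MAX_CLOCK_SKEW = 300  # seconds; bounds replay of a captured signed request
SCOPE_FOR_METHOD = {"GET": "orders:read", "PUT": "orders:write", "DELETE": "orders:write"}


class AuthError(Exception):
    status = 401


class AuthzError(Exception):
    status = 403


def _canonical(method, path, timestamp, body):
    # Everything the server will act on is covered by the signature.
    return f"{method.upper()}\n{path}\n{timestamp}\n{hashlib.sha256(body).hexdigest()}".encode()


def sign_request(key_id, method, path, body, timestamp):
    """Client side: produce the three auth headers for one request."""
    secret = API_KEYS[key_id]["secret"]
    sig = hmac.new(secret, _canonical(method, path, timestamp, body), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": sig}


def authenticate(method, path, headers, body, now=None):
    """Server side: who is calling? Returns the principal or raises AuthError."""
    key_id, ts, sig = (headers.get(h) for h in ("X-Key-Id", "X-Timestamp", "X-Signature"))
    if not (key_id and ts and sig):
        raise AuthError("missing authentication headers")
    record = API_KEYS.get(key_id)
    if record is None or not ts.isdigit():
        raise AuthError("unknown key or bad timestamp")
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_CLOCK_SKEW:
        raise AuthError("request timestamp outside allowed window")
    expected = hmac.new(record["secret"], _canonical(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise AuthError("bad signature")
    return {"key_id": key_id, "owner": record["owner"], "scopes": record["scopes"]}


def authorize(principal, method, order_id):
    """What may this caller do, and to which object? Both checks are needed: the scope
    check alone would let alice read bob's order (broken object level authorization)."""
    scope = SCOPE_FOR_METHOD.get(method.upper())
    if scope is None or scope not in principal["scopes"]:
        raise AuthzError("insufficient scope")
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != principal["owner"]:
        raise AuthzError("not found")  # same answer whether the object exists or not
    return order


def handle(method, path, headers, body=b"", now=None):
    """Minimal /orders/<id> endpoint: authenticate, then authorize, then act."""
    try:
        principal = authenticate(method, path, headers, body, now)
        order_id = int(path.rsplit("/", 1)[-1])
        order = authorize(principal, method, order_id)
    except (AuthError, AuthzError) as e:
        return e.status, {"error": str(e)}
    except ValueError:
        return 400, {"error": "bad order id"}
    return 200, {"order": order_id, "total": order["total"]}
```

Because the method, path and body hash are all inside the signed string, a captured request cannot be replayed against a different object, with a different body, or (beyond the skew window) at a later time; a gateway doing OAuth 2.0 bearer tokens replaces the `authenticate` step but leaves `authorize`, and in particular the ownership check, squarely with the API.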
Centralized change management process
Several API attacks are an inside job. APIs are touched by many people, from employees and developers to partners and customers, which leaves them exposed to insider threats. To tackle this, put in place a standard, centralized change management process that gives a real-time view of who is changing what, and why. Log all API activity as well, recording the caller identity, endpoint and outcome of each request.
This deters some threats outright. It also makes it possible to trace the source of a breach after an attack and to take corrective action quickly, and the same records help prevent similar incidents in the future.
API traffic filtering
Spam and abuse can sometimes be prevented simply by filtering out unwanted traffic. If you have a small, known user base, one option is an IP allowlist: record each client's source address or network range at onboarding and accept requests only from those. Do this at the edge, where the true client address is known, and never trust a client-supplied X-Forwarded-For header unless it was set by your own proxy.
The other option is geo filtering. If your business operates only in certain regions, blocking traffic from elsewhere removes a large share of opportunistic attacks, and if you spot malicious requests from a region you do not serve, blocking that region stops the attack in its tracks and prevents further attempts from the same source. Treat it as a coarse filter, though: VPNs and cloud proxies make geolocation easy to evade, so it never substitutes for authentication.
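An added example (not from the original article) of both filters in Python, including the client-address extraction they depend on. The trusted proxy range, the allowlist, the blocked region and the tiny prefix-to-country table are constructed stand-ins using documentation address ranges; a real deployment would consult a GeoIP database.

```python
import ipaddress

# Constructed configuration for the demo (RFC 5737 documentation ranges, not real networks).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]            # our own load balancers
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),       # known customer ranges
                    ipaddress.ip_network("198.51.100.0/24")]
# Constructed stand-in for a GeoIP database (prefix -> ISO country code, made up for the demo).
GEO_TABLE = [(ipaddress.ip_network("203.0.113.0/24"), "NL"),
             (ipaddress.ip_network("198.51.100.0/24"), "NL"),
             (ipaddress.ip_network("192.0.2.0/24"), "XX")]
BLOCKED_COUNTRIES = {"XX"}


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip(remote_addr, forwarded_for=None):
    """Work out the real client address. X-Forwarded-For is attacker-controlled unless the
    direct TCP peer is one of our own proxies, so it is only honoured in that case, and then
    read right to left, skipping our proxies' own hops. Returns None if unparseable."""
    try:
        peer = ipaddress.ip_address(remote_addr)
        if not forwarded_for or not _in_any(peer, TRUSTED_PROXIES):
            return peer
        hops = [ipaddress.ip_address(h.strip()) for h in forwarded_for.split(",")]
    except ValueError:
        return None
    for hop in reversed(hops):
        if not _in_any(hop, TRUSTED_PROXIES):
            return hop
    return None  # every hop was one of ours: malformed chain, fail closed


def country_of(addr):
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return None


def filter_request(remote_addr, forwarded_for=None, use_allowlist=True):
    """Returns (decision, reason); decision is 'allow' or 'deny'."""
    addr = client_ip(remote_addr, forwarded_for)
    if addr is None:
        return "deny", "unparseable client address"
    if use_allowlist and not _in_any(addr, ALLOWED_NETWORKS):
        return "deny", f"{addr} not in allowlist"
    if country_of(addr) in BLOCKED_COUNTRIES:
        return "deny", f"{addr} in blocked region"
    return "allow", str(addr)


if __name__ == "__main__":
    print(filter_request("203.0.113.9"))                          # direct, allowlisted
    print(filter_request("192.0.2.10", "203.0.113.9"))           # spoofed header, ignored
    print(filter_request("10.1.2.3", "203.0.113.9, 10.0.0.7"))   # via our proxy
```

The `ipaddress` module handles IPv6 the same way, so the allowlist can mix address families. The important property is in `client_ip`: a client that connects directly and forges `X-Forwarded-For: 203.0.113.9` is still judged by its real address, because the header is only trusted when the peer is one of the configured proxies.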
Encrypting requests and responses
Encrypting the data that travels between the client and the API server, in both directions, prevents man-in-the-middle attacks. For REST APIs that means TLS (Transport Layer Security), version 1.2 or later; the older SSL (Secure Sockets Layer) protocol versions are obsolete and should be disabled. TLS also authenticates the server through its certificate, which is what actually defeats an interceptor, so clients must validate certificates rather than switching verification off.
Do note, however, that TLS only protects data in transit. Sensitive data at rest, in the database, needs protection too, and passwords in particular must never be stored in clear text, nor reversibly encrypted, since a stolen key would then unlock every account.
Instead, store passwords as one-way hashes. A password hash cannot be turned back into the password: at login the server recomputes the hash from the submitted password and compares the two. Use a slow, salted algorithm designed for the purpose (Argon2id, scrypt, bcrypt or PBKDF2) with a unique random salt per user, so that cracking remains expensive even if the database leaks.
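An added example (not from the original article) of the scheme in Python, using PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt, a self-describing stored record, constant-time verification and a rehash check for when the work factor is raised. The record format and the `needs_rehash` helper are conventions chosen for the demo; Argon2id or scrypt would be preferable where a library is available, and the logic is identical.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 with 600,000 iterations (OWASP's current recommendation for PBKDF2).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Returns a self-describing record: algorithm$iterations$salt$hash (base64 fields).
    A fresh random salt per user means identical passwords yield different records,
    which defeats precomputed (rainbow) tables."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time.
    Any malformed record fails closed."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """Work factors drift upward over time; upgrade the record on the next successful
    login, which is the only moment the plaintext password is available."""
    try:
        algorithm, stored_iterations, _, _ = record.split("$")
    except ValueError:
        return True
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong", record))                          # False
```

Storing the algorithm and iteration count alongside the hash is what lets you raise the cost later without a migration: old records keep verifying, `needs_rehash` flags them, and each user is silently upgraded at their next login.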