We are living in the API economy. Today, application programming interfaces are no longer a mere technical tool for software integration; they have become a global use mechanism to simplify the connection among systems, applications, data, and build new digital products and services. A few figures: in June 2019, ProgrammableWeb announced that its directory has hit more than 22 thousand APIs.
By simplifying the interaction with third parties, APIs facilitate the creation of new business models, allow to create excellent 'user experiences', and expand commercial channels and company turnover. For example, by taking advantage of the API model, a company like Uber has rapidly grown, and in 2019 its value was estimated between 80 and 90 billion dollars.
Since APIs manage a growing business and corporate information and user data pass through them, safety issues have become important. Not adopting an API Security strategy means risking strategic or sensitive data breaches and losses.
API Security, what it is and how to approach it
API Security refers to the set of methods, products, protection technologies that help defend APIs from violation attempts or prevent access to information, in case of attacks on the system.
Beyond the methodologies, defense and protection tools that will be used, it is essential to understand that API security is not an aspect that can be dealt with at a later time: it must be addressed immediately, from the beginning of the project development, and must be an essential and priority part of it.
For example, a good starting point for building an API Security strategy can be a design based on guidelines such as the Top 10 Open Web Application Security Project (OWASP) document or performing a security test. OWASP is a non-profit project that collects guidelines, tools, and methodologies that help to understand at what level of protection the organization's IT infrastructure is located, how to improve security, and how to avoid the most critical security risks during the development of software and web applications.
Good practices, tools, and technologies for API security
In the software design phase, the policies applicable to strengthen the API Security may concern system infrastructures or affect the design of components and their relationships - that’s to say architectural strategies.
Infrastructures strategies include:
- Connection encryption. A key point is to protect the API security by implementing the HTTPS protocol (Hypertext Transfer Protocol Secure), which encrypts the communication channel during data transmission, using a cryptographic protocol such as TLS (Transport Layer Security). Furthermore, when implementing an HTTPS protocol for a website, the level of security is guaranteed by a digital certificate, issued by an authority capable of proving the authenticity of the site itself. To further increase the level of security in B2B contexts, it is possible to use the Mutual TLS (mTLS) approach, which can also securely identify the client who has connected to the server.
- Constant monitoring of APIs. Identifying any vulnerabilities in APIs is another good practice, feasible for example through penetration testing techniques. In this way it is possible, for example, to identify any API not protected by ACL and provide to protect them.
- Management and limitation of API requests (API throttling). Setting limits and quotas for the total number of API requests receivable in a unit of time helps protect systems from the risk of having to administer more requests than those actually manageable, also sheltering them from DoS (Denial of Service) or DDoS (distributed DoS) attacks.
- Security checks. Preventive security measures, such as geo-IP filtering techniques that can block web traffic depending on the country of origin, or blocking techniques for calls by anonymous proxies can help reduce threats and risks for API Security.
- Use of VPN networks. Virtual Private Network (VPN) solutions allow you to establish secure connections between local networks and client devices, protecting the passage of information from the risk of man-in-the-middle attacks.
Architectural methodologies include:
- Using an API Gateway to centralize access control. Especially when the microservices developed using many different APIs, a Gateway allows you to create a single access point to the system, from which you can manage all API calls and requests. By using an API Gateway you can strengthen the API Security, by performing access control for each API and configuring authentication rules, data requests management, quotas, and limits for API calls.
- Selection of 'token-based' authorization methods. Among these, we can mention the use of API keys, immutable strings that guarantee access to the API, and the OAuth2 authorization protocol. Using the latter protocol, third-party applications can be released from the authentication and user profile management, using an external provider to issue a token that uniquely identifies the user. The advantage can also be found by the user, who will be able to access an API without having to provide username and password, thus protecting their login credentials.
- Use of an access control list (ACL). The user or the application should be on the list with a specific role and authorization level in order to access specific APIs data/services.
- Hiding information in URLs. It is important to ensure that no API credentials (username, password, session token, API keys) can remain visible in the web address of the access site.
Considering the key principle that API security must be addressed from the beginning of the project, the illustrated best practices are the most common to strengthen your own API Security strategy. Since you need to choose a starting point, the first step is probably to begin separating the commercial interaction channels from the core systems, which need to be protected by an API management solution capable of providing a solid, light, and reliable API Gateway.