How to Secure API Connections?
Billions of users around the world appreciate the instant, feature-rich services available online. In many cases those services are powered by web APIs that pull in data from other sources. For example, when booking airline tickets on a website or in a mobile application, a user can instantly see a schedule of flights, choose and reserve a seat, decide on luggage options, and perhaps even rent a car and book a hotel room at the destination. All of that works because many APIs call each other behind the scenes.
On the other side are the API providers who design these interfaces to achieve their business goals. Both end users and API providers face security risks. When internal data sources such as databases are connected to third-party systems, and a user's personal data passes through several of those third parties, every hop is a place where the data can be leaked or tampered with. Data breaches and the malicious activity that follows them are a major concern of API usage today. Let's review the best cybersecurity practices for securing API connections, as well as the clients and endpoints on either side of them.
Cyber Threat Visibility
When an API is public, anyone can send requests to its endpoints, which are typically a server and the databases behind it. In that respect an API endpoint is no different from a web server: anyone can ask for the information stored on it. Adversaries may try cross-site scripting or SQL injection, exfiltrate data, or hijack and spoof credentials.
First things first: to detect malicious activity you need to log the events occurring in your network and at your API gateway. A SIEM or SOAR platform is the usual place to collect and correlate them. To detect attacks and threats in those logs, you can write detection rules yourself or use ready-made ones from solutions like SOC Prime's Detection as Code platform. Their detections are mapped to the MITRE ATT&CK framework, which supports behaviour-based detection rather than matching on isolated indicators. Instant translations into vendor-specific formats are available at Uncoder.IO, a free Sigma-based translation engine for search queries, API requests, and more.
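To make the "write detection rules yourself" step concrete, here is an added example (not code from the original article or from SOC Prime) that evaluates a few Sigma-style rules against constructed API gateway log lines. The log format, the field names, the rule structure and the thresholds are all assumptions chosen for the demonstration; it covers two of the attack classes named above (SQL injection and cross-site scripting payloads in the query string) plus a count-based rule for password brute-forcing against a login endpoint.

```python
import json
from collections import Counter

# Constructed sample API gateway log lines (one JSON object per line); not real traffic.
SAMPLE_LOGS = """\
{"ts":"2023-05-01T10:00:01Z","src_ip":"203.0.113.10","method":"GET","path":"/v1/flights","query":"from=LHR&to=JFK","status":200}
{"ts":"2023-05-01T10:00:02Z","src_ip":"203.0.113.10","method":"GET","path":"/v1/flights","query":"from=LHR' OR '1'='1","status":500}
{"ts":"2023-05-01T10:00:03Z","src_ip":"198.51.100.7","method":"POST","path":"/v1/login","query":"","status":401}
{"ts":"2023-05-01T10:00:04Z","src_ip":"198.51.100.7","method":"POST","path":"/v1/login","query":"","status":401}
{"ts":"2023-05-01T10:00:05Z","src_ip":"198.51.100.7","method":"POST","path":"/v1/login","query":"","status":401}
{"ts":"2023-05-01T10:00:06Z","src_ip":"198.51.100.7","method":"POST","path":"/v1/login","query":"","status":401}
{"ts":"2023-05-01T10:00:07Z","src_ip":"198.51.100.7","method":"POST","path":"/v1/login","query":"","status":401}
{"ts":"2023-05-01T10:00:08Z","src_ip":"198.51.100.7","method":"POST","path":"/v1/login","query":"","status":401}
{"ts":"2023-05-01T10:00:09Z","src_ip":"192.0.2.44","method":"GET","path":"/v1/profile","query":"name=<script>alert(1)</script>","status":200}
"""

# Hypothetical Sigma-like rules: a "selection" of field conditions (all must match; list
# values are alternatives) and, optionally, an aggregation threshold in the spirit of
# Sigma's "count() by <field> > N" condition.
RULES = [
    {
        "title": "Possible SQL injection in API query string",
        "selection": {"query|contains": ["' OR ", "UNION SELECT", "--", "' OR '1'='1"]},
    },
    {
        "title": "Possible XSS payload in API query string",
        "selection": {"query|contains": ["<script", "javascript:", "onerror="]},
    },
    {
        "title": "Brute-force against API login endpoint",
        "selection": {"path": "/v1/login", "status": 401},
        "threshold": {"count_by": "src_ip", "gt": 5},
    },
]


def parse_logs(text):
    """Parse newline-delimited JSON log lines into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_selection(event, selection):
    """Sigma-style selection: every key must match; supports the |contains modifier
    (case-insensitive substring) and plain equality. List values are alternatives."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        candidates = expected if isinstance(expected, list) else [expected]
        if modifier == "contains":
            haystack = str(value).lower()
            if not any(str(c).lower() in haystack for c in candidates):
                return False
        elif value not in candidates:
            return False
    return True


def run_rules(events, rules):
    """Return a list of (rule title, src_ip) alerts. Rules without a threshold alert
    per matching event; rules with one alert once per src_ip that exceeds the count."""
    alerts = []
    for rule in rules:
        hits = [e for e in events if match_selection(e, rule["selection"])]
        threshold = rule.get("threshold")
        if threshold is None:
            alerts.extend((rule["title"], e["src_ip"]) for e in hits)
        else:
            counts = Counter(h[threshold["count_by"]] for h in hits)
            alerts.extend(
                (rule["title"], key) for key, n in counts.items() if n > threshold["gt"]
            )
    return alerts


if __name__ == "__main__":
    for title, src in run_rules(parse_logs(SAMPLE_LOGS), RULES):
        print(f"ALERT {src}: {title}")
```

Real Sigma has a much richer grammar (regex and other modifiers, timeframes for aggregations, multiple selections combined with and/or/not); the point here is that the rule is data, separate from the evaluation code, which is what lets a tool like Uncoder.IO translate the same rule into a SIEM's native query language.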
Authorization and Authentication
While logs and security alerts give you a decent level of visibility over the enterprise's networks, systems, and endpoints, you also need preventive controls on the APIs themselves.
Common authentication methods for RESTful APIs include:
- HTTP Basic Authentication – the client sends username:password Base64-encoded in the Authorization header. Base64 is an encoding, not encryption, so the credentials are readable by anyone who can see the request. Use it only over HTTPS, and prefer one of the token-based methods below where you can.
- OAuth 2.0 and OpenID Connect – OAuth 2.0 is an authorization framework for delegating access; OpenID Connect adds an authentication layer on top of it, so together they cover both needs. They let you implement Single Sign-On (SSO) with 2-factor authentication, which reduces friction on the user's side and lowers the risk of credential theft. Mind that some platforms, GitHub among them, don't offer OpenID Connect; there you'll have to build the login flow on a plain OAuth 2.0 library yourself.
- JSON Web Tokens (JWT) – a compact, cryptographically signed token that carries the caller's identity and granted scopes, commonly used as the OAuth access token. Note that a standard JWT is signed, not encrypted: the payload is only Base64url-encoded and anyone holding the token can read it (JWE is a separate standard for encrypting it). Always verify the signature with the algorithm and key you expect, reject tokens that declare the "none" algorithm, and check the expiry claim.
- Request-level authorization – decide for every request whether the caller's identity and scopes permit this action on this resource, rather than granting blanket access once at login. This is typically enforced in request middleware.
- Input validation – validate every piece of input (path, query string, headers, body) against the types, lengths and ranges you expect before it reaches business logic or a database.
Remember that RESTful web services are stateless: the server keeps no session, so every request must carry its own credentials, for example a bearer token in the Authorization header. If your back end relies on server-side sessions, you'll need a separate component, such as an API gateway or authentication middleware, to validate tokens and bridge the two models.
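The JWT and request-level authorization points above, as an added example that is not from the original article: a minimal HS256 issuer and verifier built on the standard library (hashlib and hmac rather than a JWT library, so it runs anywhere), followed by a stateless middleware-style check that rejects missing, forged, tampered or expired bearer tokens and then enforces a required scope per request. The shared secret, the claim names and the scope strings are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Demo shared secret for HS256. Assumption: a real service loads this from a secrets store.
SECRET = b"demo-shared-secret-change-me"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, secret=SECRET):
    """Create a signed (not encrypted) HS256 JWT. The payload stays readable to anyone."""
    header = {"alg": "HS256", "typ": "JWT"}
    head_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{head_b64}.{body_b64}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token, secret=SECRET, now=None):
    """Verify algorithm, signature and expiry; raise ValueError on any failure.
    (binascii.Error and JSONDecodeError are ValueError subclasses, so bad encodings
    surface the same way.)"""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    # Never let the token choose the algorithm: reject "none" and anything but HS256.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def authorize(request, required_scope, secret=SECRET, now=None):
    """Stateless, per-request check as middleware would do it: returns (status, reason).
    401 for anything wrong with the credential, 403 for a valid token lacking the scope."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], secret, now)
    except ValueError as exc:
        return 401, str(exc)
    if required_scope not in claims.get("scope", "").split():
        return 403, f"scope {required_scope} not granted"
    return 200, f"ok for {claims.get('sub')}"


if __name__ == "__main__":
    token = issue_token({"sub": "alice", "scope": "flights:read", "exp": time.time() + 60})
    req = {"headers": {"Authorization": "Bearer " + token}}
    print(authorize(req, "flights:read"))   # granted
    print(authorize(req, "flights:write"))  # 403: scope not granted
```

Two design choices worth noting: the verifier pins the algorithm before looking at the signature, so a token that declares "none" or swaps to a different algorithm never reaches the comparison, and hmac.compare_digest is used so the signature check runs in constant time.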
Traffic Encryption
Security engineers rightly insist that every web API be served over Transport Layer Security (TLS). With TLS, incoming and outgoing traffic is encrypted in transit and the client can verify that it is talking to the genuine server. This matters because none of the authentication measures above help if an attacker can intercept the traffic and read the credentials and data being sent or received.
For TLS to work, the server needs a certificate signed by a certificate authority (CA) that clients trust. Cloud providers and hosting services can obtain, renew and rotate these certificates for you, with the automation that matters for modern architectures where a business may run 2,000 or more APIs at once.
For those who run their own web servers and prefer to manage certificates themselves, there are services like Let's Encrypt: a free, automated certificate authority whose ACME protocol makes issuance and renewal straightforward to script.
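Getting the certificate is half the job; the client also has to insist on verifying it. As an added example, not from the original article, the following Python shows the weak TLS client configuration that commonly appears in quick integrations (verification switched off, so any on-path attacker can impersonate the API) beside a hardened one that requires TLS 1.2 or newer, checks the certificate chain against the trust store and checks the hostname, plus a matching server-side context. The URL and file paths in the usage code are placeholders.

```python
import ssl
import urllib.request


def weak_client_context():
    """The anti-pattern: certificate and hostname checks disabled. Shown only so the
    difference is visible; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, self-signed or forged
    return ctx


def hardened_client_context(ca_bundle=None):
    """Client context for calling an API: TLS 1.2+, chain and hostname verification.
    ca_bundle may point at a private CA file; None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hardened_server_context(certfile, keyfile):
    """Server context for exposing an API: TLS 1.2+ and the CA-signed certificate chain
    (for example the fullchain.pem and privkey.pem that Let's Encrypt tooling writes)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def context_is_hardened(ctx):
    """Policy check a deployment test can run against any context it is handed."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def fetch_json(url, ctx, timeout=5):
    """Call an API endpoint over TLS with the given context; refuse plaintext URLs
    outright rather than letting a misconfigured base URL silently downgrade."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing plaintext URL: " + url)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("weak context hardened?", context_is_hardened(weak_client_context()))      # False
    print("hardened context hardened?", context_is_hardened(hardened_client_context()))  # True
    # Example call (placeholder hostname): fetch_json("https://api.example.test/v1/flights",
    #                                                 hardened_client_context())
```

Note that with the hardened context a certificate from Let's Encrypt or a cloud provider's CA is accepted because it chains to a root in the system trust store; a certificate from an internal CA needs that CA passed as ca_bundle, not verification switched off.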
Data and Request Restrictions
Also set limits on the amount of data your API accepts and returns. A cap on request size guards against oversized payloads crafted for injection or resource exhaustion, and caps on response size (page limits, field filtering) stop a single malicious request from dumping far more data than intended. Likewise, don't leak implementation details about the endpoint alongside the data it returns, such as stack traces, server versions or internal identifiers. The principle of least privilege says a user gets only as much access as is needed to perform a function; apply the same thinking to data. Filter and paginate on the API endpoint's side, never rely on the client to discard what it shouldn't see.
Finally, make sure that APIs and their code don't retain passwords, keys, and other secrets once they're no longer needed; remove them to avoid exposure. Some API keys even travel in the URL, where they end up in server logs, browser history and referrer headers, so verify that your APIs never accept or emit credentials that way. Use secret-scanning tools in your DevSecOps pipeline to catch such leaks before they ship. Additionally, rate limits blunt denial-of-service and brute-force attempts: any requests above the chosen threshold are rejected, typically with HTTP 429.
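The request and data restrictions above, as an added example that is not from the original article: a sliding-window rate limiter and a per-request check that rejects credentials passed in the URL, oversized bodies and page sizes above the server's maximum, followed by server-side filtering that returns only the fields a client is allowed to see. The limits, field names, the constructed flight records and the request shape are assumptions for the demonstration; a real deployment would wire this into gateway or framework middleware.

```python
import time
from collections import deque
from urllib.parse import parse_qs, urlsplit

# Assumed policy values for the demonstration.
MAX_BODY_BYTES = 64 * 1024
MAX_PAGE_SIZE = 100
CREDENTIAL_PARAMS = {"api_key", "apikey", "access_token", "token", "password"}
PUBLIC_FIELDS = {"flight", "departs", "arrives", "price"}  # what a client may see

# Constructed records as the endpoint's data source would return them; the last two
# fields are internal and must never reach the client.
SAMPLE_RECORDS = [
    {"flight": "BA117", "departs": "LHR 08:25", "arrives": "JFK 11:10", "price": 540,
     "internal_db_id": 88213, "crew_notes": "do not expose"},
    {"flight": "VS3", "departs": "LHR 09:50", "arrives": "JFK 12:45", "price": 512,
     "internal_db_id": 88214, "crew_notes": "do not expose"},
]


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window_seconds` span.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = {}

    def allow(self, client_id):
        now = self.clock()
        hits = self._hits.setdefault(client_id, deque())
        while hits and now - hits[0] >= self.window:   # drop timestamps outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def check_request(req, limiter):
    """Gate a request before it reaches business logic. req is a dict with
    client_id, url and body (bytes). Returns (status, reason)."""
    if not limiter.allow(req["client_id"]):
        return 429, "rate limit exceeded"
    params = parse_qs(urlsplit(req["url"]).query)
    leaked = CREDENTIAL_PARAMS & {k.lower() for k in params}
    if leaked:
        return 400, f"credentials must not be sent in the URL: {sorted(leaked)}"
    if len(req.get("body", b"")) > MAX_BODY_BYTES:
        return 413, "body too large"
    try:
        page_size = int(params.get("limit", ["20"])[0])
    except ValueError:
        return 400, "limit must be an integer"
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        return 400, f"limit must be between 1 and {MAX_PAGE_SIZE}"
    return 200, f"ok, page_size={page_size}"


def filter_response(records, page_size):
    """Server-side filtering: cap the page and strip every non-public field."""
    return [{k: v for k, v in r.items() if k in PUBLIC_FIELDS} for r in records[:page_size]]


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=3, window_seconds=60)
    req = {"client_id": "demo", "url": "https://api.example.test/v1/flights?from=LHR&limit=1", "body": b""}
    print(check_request(req, limiter))
    print(filter_response(SAMPLE_RECORDS, 1))
```

The rate limit is evaluated first on purpose: a client that is already over its budget should not get to exercise the parsing and validation code at all, which is what keeps the limiter useful against resource-exhaustion attempts.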
Conclusion
Modern development gets better and faster with APIs, while end users enjoy smooth, highly functional web services. At the same time, every connection an API exposes is a connection that can be abused, so APIs widen the attack surface. Build in security measures from the earliest stages of API development and then maintain them continuously. A regular API inventory and perimeter scans keep you aware of what is actually exposed, and management and security policies should be in place to mitigate the attacks that will inevitably be attempted.