API security is an essential part of protecting your business and your customers. In this blog post, we'll provide a brief introduction to API security and some of the basics you need to know.

What is API security?

API security is the practice of protecting APIs from unauthorized access and use.  It is one of the fastest growing attack surfaces in application security because APIs are the boundary between the microservices that comprise cloud native applications, which are exploding in popularity and adoption.  

Securing APIs is an ever changing, multi faceted problem, but can be simplified into three main aspects - API Discovery, API Security Posture Management, and API Runtime Protection.  Here's a little more detail into what that means:

API Discovery

API discovery is the process of identifying the APIs that are available for use within an organization or ecosystem. This can involve manually searching for and cataloging individual APIs, as well as using tools and technologies to automatically discover and document APIs.

The goal of API discovery is to create a comprehensive inventory of all of the APIs that are available, which can help developers and other stakeholders understand what APIs are available, how they can be used, and what data or functionality they provide access to. This practice is especially valuable in enterprise IT environments where practitioners may be dealing with significant legacy APIs.

API Security Posture Management

API security posture management is the process of ensuring that an organization's APIs are designed and implemented in a secure manner.   API Security Posture Management involves regularly assessing the security of APIs to identify any potential vulnerabilities, and implementing measures to address those vulnerabilities in order to maintain the overall security of the organization's APIs over time.

Thorough API testing is also a key part of API Security Posture Management.

This can involve testing the inputs and outputs of APIs, as well as the underlying implementation, to ensure that they are functioning correctly and providing the intended results.  API testing can be performed manually, or using automated tooling like what we have built at Impart.

The goal of API testing is to identify any bugs, performance issues, or security vulnerabilities that may exist in APIs, and to fix these issues before the APIs are used in production environments. API testing is an important part of the software development process, as it helps to ensure that APIs are reliable, efficient, and secure.

This practice can help organizations to prevent security incidents and protect sensitive data and functionality that is accessed through APIs.

API Runtime Protection

API runtime protection involves implementing a range of security controls and practices in order to protect APIs from attacks and other security threats while they are in operation. This can include implementing authentication and authorization mechanisms to ensure that only authorized users or applications are able to access APIs, using encryption to protect sensitive data that is transmitted via APIs, and implementing intrusion detection and response systems to monitor for and respond to security threats in real-time.

Other common practices for API runtime protection include implementing rate limiting to prevent denial of service attacks, and implementing logging and auditing systems to track API usage and identify potential security incidents. Overall, the goal of API runtime protection is to ensure that APIs remain secure and available at all times, even when they are actively being used.

Why is API security important?

As the use of microservices architectures has increased, so too has the number of APIs that are used to connect these individual services. This growth in the number of APIs can make it more difficult to ensure the security of all of these individual components, as each API must be securely designed and implemented in order to prevent security vulnerabilities.

Additionally, the decentralized nature of microservices can make it more challenging to effectively monitor and manage security across all of the APIs in an organization. This can increase the risk of security incidents, as attackers may be able to exploit vulnerabilities in one or more APIs in order to gain access to sensitive data or disrupt services.

Furthermore, the distributed nature of microservices can make it more difficult to quickly detect and respond to security incidents, as there may be multiple APIs and services involved in a given attack. Overall, the growth of microservices has led to an increase in the number of APIs and the complexity of API security, which can introduce new risks and challenges for organizations.

We talk more about this and other factors for this in our company introduction blog post .

How do you secure an API?

There are a number of steps you can take to secure your API. Some of the most important ones include:

1. Implementing authentication and authorization: This involves requiring users to provide a valid username and password or other form of authentication before they can access the API. This helps to prevent unauthorized access to the API.
2. Using HTTPS: HTTPS is a secure version of the HTTP protocol that encrypts the data that is sent between the server and the client. By using HTTPS, you can prevent attackers from being able to read sensitive information that is sent through the API.
3. Using API keys: API keys are unique identifiers that are used to authenticate requests to the API. By requiring users to provide a valid API key with each request, you can ensure that only authorized users are able to access the API.
4. Implementing rate limiting: Rate limiting involves limiting the number of requests that a user or API key can make in a given period of time. This can help to prevent attackers from overwhelming the API with a large number of requests, and can also make it more difficult for unauthorized users to access the API.
5. Performing regular security testing: It's important to regularly test the security of your API to identify potential vulnerabilities and fix them before they can be exploited by attackers. There are a number of different types of security testing that you can perform, such as penetration testing and vulnerability scanning.

What are some ways to implement API Authorization?

There are a number of different types of API authorization methods that can be used to control access to APIs.

Let's start with a very simple example basic auth, which isn't used much:

In this example below, the securityDefinitions section defines the basic authentication schema, which is given the name basicAuth. This schema is then referenced in the security section of the /users endpoint, which indicates that this endpoint requires basic authentication. When a client makes a request to this endpoint, they must provide a valid username and password in order to access the API.

swagger: "2.0"
info:
 version: 1.0.0
 title: My API
 description: This is the specification for my API
 contact:
   name: John Doe
   email: john.doe@example.com
host: myapi.com
basePath: /v1
schemes:
 - https
securityDefinitions:
 basicAuth:
   type: basic
paths:
 /users:
   get:
     summary: Get all users
     security:
       - basicAuth: []
     responses:
       200:
         description: Success      

A more common example using JWT authorization, taken from Github:

API Name: GitHub API

Base URL: https://api.github.com

Authentication:
 The GitHub API uses JSON web token (JWT) authentication. To obtain a JWT, users must first authenticate with their GitHub credentials by sending a POST request to the /authenticate endpoint, with their username and password as the request body. If the authentication is successful, the API will return a JWT that can be used to authorize access to other API endpoints. The JWT must be included in the Authorization header of all subsequent requests, using the Bearer scheme. For example:
   Authorization: Bearer <jwt>

Endpoints:
 - GET /repositories: Returns a list of repositories for the authenticated user.
 - POST /repositories: Creates a new repository for the authenticated user.
 - GET /repositories/{id}: Returns information about the repository with the specified ID.
 - PUT /repositories/{id}: Updates the repository with the specified ID.
 - DELETE /repositories/{id}: Deletes the repository with the specified ID.

In this example, the API uses JWT-based authentication to ensure that only authorized users are able to access its various endpoints. Users must first authenticate with their GitHub credentials to obtain a JWT, and then include that JWT in the Authorization header of subsequent requests in order to access the API's data and functionality. This approach allows the API to securely control access to its resources and ensure that only authorized users are able to access them.

Other schemas can be used in an API specification.  Some of the most common ones include:

1. Basic authentication (shown above): In basic authentication, the client sends a username and password with each request to the API. The API then verifies the credentials and grants or denies access to the user based on their credentials.  
2. OAuth: OAuth (Open Authorization) is a widely-used standard for authorizing access to APIs. It uses tokens to grant access to users, and allows users to grant limited access to their data to third-party apps without having to share their username and password.
3. JSON Web Tokens (JWTs): JWTs are a type of token-based authentication that is commonly used with APIs. A JWT is a JSON object that contains information about the user, such as their username and role, and is signed by the server. The client sends the JWT with each request to the API, and the API verifies the JWT and grants or denies access to the user based on the information in the JWT.
4. SAML: SAML (Security Assertion Markup Language) is another widely-used standard for authorizing access to APIs. It uses XML-based messages to exchange authentication and authorization data between the API and the client.

What are the most common API security threats?

There are a number of different threats that can compromise the security of your API. Some of the most common ones include:

1. Broken authentication and session management: If the API's authentication and session management mechanisms are not properly implemented, it can allow attackers to gain unauthorized access to the API. This can include weaknesses in the password policy, failure to use HTTPS, and inadequate session timeouts.
2. Insufficient authorization and access control: If the API's authorization and access control mechanisms are not properly implemented, it can allow unauthorized users to access sensitive data or perform actions that they should not be able to. This can include weak or easily-guessable API keys, lack of proper permission checks, and failure to properly enforce least privilege.
3. Broken object level authorization: If the API does not properly enforce object-level authorization, it can allow unauthorized users to access or modify data that they should not have access to. For example, an attacker might be able to access another user's data if the API does not properly check the user's permissions for each object.
4. Injection attacks: Injection attacks involve injecting malicious code into the API, which can allow attackers to access sensitive data or take control of the API. SQL injection attacks, in which malicious SQL code is injected into the API, are a common type of injection attack.
5. Security misconfiguration: Security misconfiguration can occur if the API's security settings are not properly configured. This can include missing security patches, insecure default configurations, and failure to properly set access controls.
6. Insufficient logging and monitoring: If the API does not properly log and monitor access to the API, it can be difficult to detect and respond to security incidents. This can include failure to log key security events, lack of real-time monitoring, and inadequate incident response processes.

Overall, these vulnerabilities and attacks represent some of the most common and serious threats to API security. It's important for businesses and organizations to be aware of these threats and take steps to protect their APIs from them.

We hope you found this blog post helpful!  Feel free to contact us if you'd like to learn more or try our private BETA that can help you protect your APIs automatically.  

‍