5 best practices for API security

Application Programming Interfaces (APIs) are critical drivers of how value gets exchanged in digital economies. They have become essential strategic business assets that companies and organisations, whether scale-up or enterprise, need to manage to unlock value.

The explosion of API usage has led to a corresponding huge jump in API vulnerability and actual attacks.

The first step towards achieving adequate API security is understanding how common API exploits are. The following five tips will help provide you with API protection, whether you already have secure APIs or need to know how to implement them.

1. Monitor your APIs

Continually monitoring your API activity in real-time is essential for ensuring their security. You must be able to log this information, so you can audit and troubleshoot errors when needed. You should generally retain these logs for as long as reasonable, given the capacity of your servers.

Use your logs to identify and investigate suspicious events involving your APIs. In particular, a dashboard is a highly valuable tool for tracking API usage. It’s also important to document the version of each API, typically in the path. This practice allows your organisation to offer multiple working versions of an API simultaneously, making it easier to deprecate an older version at the appropriate time.

For example, Tyk’s Open Policy Agent allows administrators to use a system’s gateway as a policy enforcement point. It provides them with the fine-grained control they need, with security operations based on Single Sign-On (SSO) and Role-Based Access Control (RBAC).

Tyk also offers a range of other analytics, logs and tools like web application firewalls to fulfil an organisation’s auditing and governance requirements, regardless of infrastructure complexity. In addition, Tyk Cloud enables the sharing of data in accordance with local regulations required by the General Data Protection Regulation (GDPR), Information Commissioner’s Office (ICO) or the Clarifying Lawful Overseas Use of Data (CLOUD) Act.
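As an added illustration of the logging and versioning advice above (example code written for this page, not code from the post or from Tyk), the following Python runs over a few constructed JSON-lines gateway records: it counts calls per API version taken from the path, so an old version can be retired once its traffic drops off, and flags clients that accumulate authentication failures or still call a deprecated version. The field names and thresholds are assumptions.

```python
import json, re
from collections import defaultdict

# Constructed sample gateway log lines (one JSON object per line), not captured from a real system.
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:01Z", "client": "10.0.0.5", "key_id": "k_alpha", "method": "GET", "path": "/v1/orders/17", "status": 200}
{"ts": "2024-03-01T10:00:02Z", "client": "10.0.0.5", "key_id": "k_alpha", "method": "GET", "path": "/v2/orders/17", "status": 200}
{"ts": "2024-03-01T10:00:03Z", "client": "203.0.113.9", "key_id": null, "method": "GET", "path": "/v1/orders/1", "status": 401}
{"ts": "2024-03-01T10:00:03Z", "client": "203.0.113.9", "key_id": null, "method": "GET", "path": "/v1/orders/2", "status": 401}
{"ts": "2024-03-01T10:00:04Z", "client": "203.0.113.9", "key_id": "k_alpha", "method": "GET", "path": "/v1/orders/4", "status": 403}
{"ts": "2024-03-01T10:00:05Z", "client": "10.0.0.7", "key_id": "k_beta", "method": "POST", "path": "/v0/legacy/export", "status": 200}
"""

VERSION_RE = re.compile(r"^/(v\d+)/")   # version documented as the first path segment

def parse_log(text):
    """Parse JSON-lines access logs, skipping lines that are not valid JSON."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def api_version(path):
    m = VERSION_RE.match(path)
    return m.group(1) if m else None

def version_usage(records):
    """Count calls per API version so an old version can be deprecated once traffic drops off."""
    counts = defaultdict(int)
    for r in records:
        counts[api_version(r["path"])] += 1
    return dict(counts)

def flag_suspicious(records, max_auth_failures=3, deprecated=("v0",)):
    """Return {client: [reasons]} for clients whose activity warrants investigation."""
    failures = defaultdict(int)
    reasons = defaultdict(list)
    for r in records:
        if r["status"] in (401, 403):
            failures[r["client"]] += 1
        if api_version(r["path"]) in deprecated:
            reasons[r["client"]].append(f"calls deprecated API version {api_version(r['path'])}")
    for client, n in failures.items():
        if n >= max_auth_failures:
            reasons[client].append(f"{n} authentication/authorisation failures")
    return dict(reasons)
```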

2. Delegate the responsibility of APIs to third parties

Secure APIs delegate responsibility for authorisation and authentication to third-party Identity Providers (IdPs). This practice involves using OAuth 2, a commonly used open standard for access delegation that eliminates the need for users to remember multiple passwords. Instead, users can connect to a website with credentials from another provider like Facebook or Google.

OAuth 2 works similarly with APIs since the API provider manages authorisations through third-party servers. The user authenticates their identity to the system with a token from a third-party server rather than their credentials. This mechanism protects users because they don’t disclose their credentials and eliminates the need for the API provider to protect those credentials.

You can further reduce the security risk to your APIs by adding an identity layer on top of OAuth 2. The OpenID Connect standard is a common solution for this requirement that extends OAuth 2.0 with ID tokens, and the user must then provide such a token to access the API. In addition, antivirus applications or Internet Content Adaptation Protocol (ICAP) servers can help scan API payloads to prevent attackers from introducing malicious code into your systems.

Tyk has API security solutions for access control baked in, allowing you to manage tokens more efficiently. The solutions are vendor-agnostic, so you don’t need to change your existing technology stack.

Features include the following:

  • OAuth 2.0
  • OpenID Connect
  • Bearer tokens
  • Hash-based message authentication code (HMAC)
  • JSON Web Tokens (JWT)
  • Multi-chained authentication

3. Implement throttling

Throttling is the practice of limiting the number of messages that a system generates within a given period. Proper throttling restricts system access by attackers without impacting the ability of authorised users to do their jobs, in addition to ensuring traffic doesn’t exceed the bandwidth capacity of your backend system. You should also restrict system access per API and per user or application to prevent attackers from abusing a RESTful API.

Throttling is particularly effective in thwarting Distributed Denial of Service (DDoS) attacks, which use many sources to flood the targeted system with requests, generally to prevent legitimate users from using that system’s network resources.

For example, Tyk’s open-source solutions allow you to shape your traffic flow when and how you want, including API rate limits, access control quotas and policies. These capabilities let you implement your organisation’s digital transformation by converting your API traffic to and from GraphQL, REST, SOAP and XML.
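An added example of what a gateway does when it throttles (written for this page; not Tyk's code): a token-bucket rate limit per API and client, which allows a short burst and then a sustained rate, plus a fixed-window quota per client across all APIs. Both return a Retry-After value the caller can send with HTTP 429; the clock is injectable so behaviour can be checked deterministically. Limits and key names are assumptions.

```python
import time
from dataclasses import dataclass

@dataclass
class Bucket:
    tokens: float      # requests currently available
    updated: float     # clock reading at the last refill

class RateLimiter:
    """Token bucket per (api, client): `rate` requests/second sustained, bursts of up to `burst`."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}

    def check(self, api, client):
        """Return (allowed, retry_after_seconds); a refusal maps to HTTP 429 with Retry-After."""
        now = self.clock()
        b = self.buckets.setdefault((api, client), Bucket(self.burst, now))
        # Refill in proportion to elapsed time, capped at the burst capacity.
        b.tokens = min(self.burst, b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True, 0.0
        return False, (1 - b.tokens) / self.rate

class Quota:
    """Fixed-window quota per client across all APIs: at most `limit` requests per `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.windows = {}   # client -> (window_start, count)

    def check(self, client):
        """Return (allowed, seconds_until_window_resets)."""
        now = self.clock()
        start, count = self.windows.get(client, (now, 0))
        if now - start >= self.window:          # previous window expired, start a fresh one
            start, count = now, 0
        if count >= self.limit:
            return False, start + self.window - now
        self.windows[client] = (start, count + 1)
        return True, 0.0
```

A gateway would evaluate the quota first and the rate limit second, so that a client which has exhausted its daily allowance does not also burn through its burst allowance.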

4. Authenticate users

Authentication is the process of verifying a user’s identity before allowing them to access your system. In the case of APIs, it ensures that only authorised users can call an API.

Several methods exist for authenticating API users. These include basic HTTP authentication, in which users provide a user ID and password to web applications. They may also be required to provide an API key, a unique asymmetric identifier configured for each API known to the API gateway. An IdP server can also generate a token for the user, typically through OAuth 2.

Basic HTTP authentication or an API key is the minimal level of authentication that any organisation should use to protect its systems from attacks against a traditional web application. However, organisations with sensitive information should use OAuth 2 as their preferred API security protocol.
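The following Python is an added example (not code from the post or from Tyk) of the gateway-side checks behind sections 2 and 4: a bearer token issued by an IdP is verified for algorithm, signature, audience and expiry before its subject is trusted, and an API key is matched with a constant-time comparison. The shared HS256 secret, audience, key store and header names are assumptions; a production gateway would instead fetch the IdP's public keys and keep API keys in a secret store.

```python
import base64, hashlib, hmac, json, time

# Constructed credential stores for this example; a real gateway backs these with a secret store.
API_KEYS = {"k_live_example": "orders-client"}   # API key -> client name
JWT_SECRET = b"constructed-shared-secret"        # assumed HS256 secret shared with the IdP
AUDIENCE = "orders-api"                          # the API this gateway protects

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims):   # stand-in for the IdP: mint an HS256 token carrying the given claims
    head = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_jwt(token, now=None):
    """Return the claims if algorithm, signature, audience and expiry all check out, else None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        if not isinstance(header, dict) or header.get("alg") != "HS256":   # reject alg=none
            return None
        expected = hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        if not isinstance(claims, dict) or claims.get("aud") != AUDIENCE:
            return None
        if not claims.get("exp", 0) > now:        # exp is seconds since the epoch
            return None
    except (ValueError, TypeError):   # bad base64/JSON/UTF-8, wrong segment count, odd exp type
        return None
    return claims

def authenticate(headers, now=None):
    """Map request headers to a principal name, or None if no credential verifies."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer":          # OAuth 2 / OpenID Connect token issued by the IdP
        claims = verify_jwt(value, now)
        return claims.get("sub") if claims else None
    key = headers.get("X-API-Key", "")
    for stored, client in API_KEYS.items():   # constant-time compare avoids timing leaks
        if hmac.compare_digest(stored.encode(), key.encode()):
            return client
    return None
```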

5. Update your infrastructure

Strong API security needs a solid infrastructure, including a secure network and software with all available patches. Servers used as load balancers must have the latest security updates. Tyk offers solutions built from the ground up to support a microservices architecture, with features including circuit breakers, enforced timeouts, load balancing and service discovery.

Solutions for API security should also be highly flexible and scalable to accommodate today’s dynamic business environment. Tyk’s solutions let you scale your operations up and down as much as you need without a huge investment in training. Furthermore, you don’t need to implement API security in a particular way; instead, you can integrate these solutions naturally into your existing operations. 

The ability to obtain native support for load balancing an API out of the box means you can start protecting your APIs right away. Specific features of Tyk’s load balancing solutions include weighting your requests and balancing the traffic of Google Remote Procedure Calls (gRPC).

Enhance your API security with Tyk

Threats from remote users continue to increase as internet connectivity becomes an operational requirement for more networks. Hackers tend to be relentless in their attacks, especially when they target a particular system. Implementing a comprehensive API security plan is thus crucial for protecting your organisation’s information, but it requires security to be part of its culture and the development process for APIs. Combining the right technologies and processes ensures security is built into your infrastructure from the start, allowing you to identify and address attacks before they succeed.

Tyk’s full API lifecycle management protects your APIs while providing a positive user experience. All information is accessible to users, allowing them to focus on their jobs.