Modern digital transformation is built on APIs, driving a new operating model that provides direct access to business logic, applications and institutional data. This access is invaluable for partners and customers. It also makes APIs attractive targets for hackers and cybercriminals. Therefore, it is crucial to focus on API security.
In this article, you will learn why it is essential to protect your API, some API security methodologies and best practices, and the role APIs play in the DevSecOps paradigm.
The rising importance of API security
Organisations use APIs to communicate with other systems and transfer data. A poorly developed API can expose sensitive personal data and there have been several cases in which companies have been hacked because of an open and insecure API exposing user data.
Venmo, a peer-to-peer mobile payment service, was hacked by a computer science student who accessed information on seven million Venmo transactions, including the full names of people sending money through the platform. This happened, at least in part, because Venmo didn’t appropriately handle the challenges when making data accessible through a public API.
French cryptocurrency hardware wallet company Ledger also experienced a data breach due to an insecure API. While wallets and cryptocurrencies were well protected, a third-party API misconfiguration ended up leaking customers’ personal data. The breach resulted in over 270,000 phone numbers and addresses being leaked and the exposure of more than a million customer email addresses. Clearly, ensuring that your API is well developed and properly protected is hugely important.
The current state of API security methodologies
There are several techniques you can implement to increase your API’s security, each with a unique set of benefits. There are two aspects of API security – authentication, which tells an application who you are, and authorisation, which tells the application what you have permission to do.
The evolution of API security
As the use of APIs has exploded, so has the field of API security. Cybercriminals have been increasingly targeting APIs and exploiting vulnerabilities in recent years, resulting in OWASP publishing its first API security top ten list at the end of 2019.
Thankfully, API management platforms are responding to the evolving threats to API security in force. From authentication and authorisation and managing access control to governing microservices and encrypting data at rest and in transit, a reliable modern API management system can ensure that it is easy to adhere to best practices for API security excellence.
Common API security threats
APIs are vulnerable to a range of factors, leading OWASP to keep tabs on the evolution of the top ten API security threats. These include broken object level authorisation, broken function level authorisation and broken user authentication, which is why it’s essential to use the right security components (more on that below).
Other common API security threats that API management companies are supporting their clients to overcome include excessive data exposure, lack of resources and rate limiting, mass assignment, injection, improper assets management and insufficient logging and monitoring. An API gateway is a key tool in helping to address these threats. API gateway solutions that offer a clear and intuitive user experience can also help to avoid another API security threat: security misconfiguration.
Essential API security components
Modern API management services deliver a range of security components that mean API gateway tools are ideally placed for delivering robust, reliable security. These include API keys, basic authentication and JSON Web Tokens.
API keys
These allow users to access resources by providing the API key. Essentially, an API key is an encrypted string that identifies an application without reference to the user. API keys provide application authorisation and identification. The calling application needs to add the key to each API request. The API uses the key to identify the application and authorise the request. You can use API keys to block anonymous traffic, control and limit the number of calls made to your API, filter application logs and identify usage patterns.
Note: API keys are not totally secure, as they are usually accessible to the client. This may make it easy for a hacker to steal the key. Without an expiration time, a stolen key can be used indefinitely (unless the owner revokes it or generates a new key).
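The controls described above (blocking anonymous traffic, expiring keys, revoking them and limiting calls per key) in a small gateway-side check. This is an added example, not code from the original article or from any API management product; the registry, the fixed 60-second rate-limit window and the `X-API-Key` header name are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory registry: sha256(key) -> metadata. Keeping only a hash
# means a copy of the registry does not hand out usable keys.
_REGISTRY = {}

def _digest(raw_key):
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

def issue_key(app_name, ttl_seconds, calls_per_minute, now=None):
    """Generate a random key for an application; only its hash, expiry and quota are stored."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    _REGISTRY[_digest(raw)] = {
        "app": app_name,
        "expires_at": now + ttl_seconds,
        "limit": calls_per_minute,
        "window_start": None,
        "calls": 0,
        "revoked": False,
    }
    return raw  # shown to the client once; the server never stores the raw value

def revoke_key(raw_key):
    """Owner-initiated revocation: the key stays in the registry but is refused from now on."""
    entry = _REGISTRY.get(_digest(raw_key))
    if entry is not None:
        entry["revoked"] = True

def check_request(raw_key, now=None):
    """Gateway-side check. Returns (allowed, reason, app) for the X-API-Key value of a request."""
    now = time.time() if now is None else now
    if not raw_key:
        return False, "missing key", None  # anonymous traffic is blocked
    entry = _REGISTRY.get(_digest(raw_key))
    if entry is None:
        return False, "unknown key", None
    if entry["revoked"]:
        return False, "revoked key", entry["app"]
    if now >= entry["expires_at"]:
        return False, "expired key", entry["app"]
    # Fixed 60-second window: reset the counter when the window has rolled over
    if entry["window_start"] is None or now - entry["window_start"] >= 60:
        entry["window_start"] = now
        entry["calls"] = 0
    if entry["calls"] >= entry["limit"]:
        return False, "rate limit exceeded", entry["app"]
    entry["calls"] += 1
    return True, "ok", entry["app"]

if __name__ == "__main__":
    key = issue_key("billing-service", ttl_seconds=3600, calls_per_minute=2)
    for _ in range(3):
        print(check_request(key))  # third call in the same minute is refused
```

Because the registry holds only hashes, a leaked copy of it is useless to an attacker; the raw key is shown to the client exactly once at issue time, which is what makes the "accessible to the client" caveat above the client's problem rather than the server's.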
Basic authentication
This is a simple method of authenticating API requests. It uses a header called “Authorization”, with a base64 encoded representation of the username and password of the user. For example, a request using basic authentication for the user “tomiwa” and password “123456” looks like this:
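The header for that user, built on the client and parsed on the server, as an added Python example (not from the original article). The user table is constructed for the illustration; a real system would store a salted password hash rather than the plaintext. Note that base64 is an encoding, not encryption: anyone who can read the header can recover the password, which is why basic auth must only travel over TLS.

```python
import base64
import hmac

def basic_auth_header(username, password):
    """Client side: the Authorization header value is 'Basic ' + base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_auth(header_value):
    """Server side: recover (username, password) from the header, or None if it is malformed."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error (bad base64) and UnicodeDecodeError
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")  # the password itself may contain ':'
    return username, password

# Constructed user table for the example; store salted password hashes in practice.
_USERS = {"tomiwa": "123456"}

def authenticate(header_value):
    """Return True only if the header carries a known user's correct password."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    username, password = creds
    expected = _USERS.get(username, "")
    # compare_digest avoids leaking how much of the password matched via timing
    return username in _USERS and hmac.compare_digest(password.encode(), expected.encode())

if __name__ == "__main__":
    header = basic_auth_header("tomiwa", "123456")
    print(header)                  # Basic dG9taXdhOjEyMzQ1Ng==
    print(parse_basic_auth(header))
    print(authenticate(header))
```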
Basic auth is easy to implement and suitable for server-to-server communication. However, using it for client-server communication can pose several threats. Sending user credentials for every request is bad practice and the only way to revoke access is to change the password. Also, passwords are usually long-lived, so an attacker with a password and username can cause significant damage.
Basic authentication can be used for simple authentication and security. It’s ideal for getting up and running quickly without thinking about roles, permissions scopes and so on.
JSON Web Tokens (JWT)
JSON Web Tokens is a standard for safely exchanging claims (assertions about a certain object to ensure its validity) between two parties, with various types of signatures and encryption. The signatures are used for validation to guard against data tampering, while the encryption is useful for protecting data from being accessed by third parties.
The process starts with the client sending a username and password to the server, which validates them. Once validated, the server generates a token, usually made up of a header, payload and signature separated by dots, where the signature is computed with a secret key that only the server knows. The client can then include this token in the headers of subsequent requests, and the server will validate it using the secret key. The generated token is usually valid for a set period of time, after which the client can use a refresh token to request a new one. This allows the server to block access to clients, if required.
There are several benefits of using JWTs, including the enhanced security provided by a public/private key pair in the form of an X.509 certificate for signing. They can also be used in federated identities. For example, the ID Token returned when a user logs in successfully with their credentials under the OpenID Connect spec is a JSON Web Token. JSON Web Tokens are very common and are used at internet scale. They can also be used on multiple platforms, especially mobile.
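The issue-and-verify cycle described above, implemented for the symmetric HS256 case with only the Python standard library. This is an added example, not code from the original article or from any JWT library; the claim names (`sub`, `iat`, `exp`) are the standard registered claims, and the secret and times are constructed. The verifier pins the algorithm rather than trusting the token's own header, and rejects expired tokens, which is the behaviour a gateway needs before it lets a request through.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data):
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims, secret, ttl_seconds, now=None):
    """Server side: sign header.payload with HMAC-SHA256 using a key only the server knows."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)

def verify_jwt(token, secret, now=None):
    """Return the payload if the signature matches and the token has not expired, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the expected algorithm instead of trusting whatever the header claims
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # Expired tokens are refused; the client must obtain a fresh one
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None
    return payload

if __name__ == "__main__":
    secret = b"constructed-server-secret"          # assumption: never hard-code this in practice
    token = issue_jwt({"sub": "tomiwa"}, secret, ttl_seconds=300)
    print(token)
    print(verify_jwt(token, secret))
```

The three dot-separated segments are exactly the header, payload and signature the text describes; tampering with the payload, signing with a different key, or presenting a token after `exp` all cause `verify_jwt` to return `None`.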
Modern authorisation methods to secure your APIs
While authentication checks whether a user exists on a platform, authorisation focuses on verifying whether a user or entity has the right to perform certain operations, such as whether a user can view the photos of other users in a photo-sharing application. There are several methods to be aware of, including the following:
Role-Based Access Control (RBAC)
Role-Based Access Control is a security paradigm that allows users to have restricted access to resources based on their roles. RBAC allows you to assign roles to users; each role grants access to one or more sets of rights, which determines the kind of operations that user can perform.
Role assignment happens behind the scenes, giving each user access only to the applications and data they need. When you have a structured workgroup and want to be able to define the rights to a system by specific roles, RBAC is a great option.
Attribute-Based Access Control (ABAC)
Attribute-Based Access Control (ABAC) is an authorisation model that evaluates the characteristics or attributes of an entity to determine access. An example is only permitting employees in the HR department to access the HR/payroll system, only during business hours and within the same time zone as the company.
ABAC enables flexible and fine-grained access control that allows for more input variables into an access control decision. Any available attribute in the directory can be used by itself or in combination with another to define the right filter for controlling access to a resource.
Because you can define access by employee type, location and business hours, ABAC is ideal for geographically dispersed workgroups and fine-grained access control policies.
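RBAC and ABAC side by side, as an added example that is not part of the original article. The role table, the HR/payroll rule (HR department, business hours, company time zone) and the photo-sharing rule echo the scenarios above; the role names, permission strings, `Europe/London` as the assumed company time zone and the 09:00 to 17:00 business-hours window are all assumptions made for the illustration.

```python
# --- RBAC: a user's roles decide what they may do (constructed role table) ---
ROLE_PERMISSIONS = {
    "viewer": {"photo:view"},
    "editor": {"photo:view", "photo:edit"},
    "hr": {"payroll:view", "payroll:edit"},
}

def rbac_allows(user_roles, permission):
    """True if any of the user's roles grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)

# --- ABAC: attributes of subject, resource, action and environment decide ---
COMPANY_TIMEZONE = "Europe/London"   # assumption for the example
BUSINESS_HOURS = range(9, 17)        # 09:00-16:59, assumed

def abac_allows(subject, resource, action, env):
    """Constructed policy: HR staff reach payroll only in business hours in the company
    time zone; photo owners may do anything to their own photos, other users may only
    view public photos and only if RBAC gives them photo:view."""
    if resource["type"] == "payroll":
        return (subject.get("department") == "HR"
                and env["timezone"] == COMPANY_TIMEZONE
                and env["hour"] in BUSINESS_HOURS)
    if resource["type"] == "photo":
        if resource["owner"] == subject["id"]:
            return True
        return (action == "view"
                and resource.get("public", False)
                and rbac_allows(subject["roles"], "photo:view"))
    return False  # default deny for anything the policy does not mention

if __name__ == "__main__":
    alice = {"id": "alice", "roles": {"viewer"}, "department": "HR"}
    office_hours = {"timezone": COMPANY_TIMEZONE, "hour": 10}
    print(abac_allows(alice, {"type": "payroll"}, "view", office_hours))   # True
    print(abac_allows(alice, {"type": "payroll"}, "view", {"timezone": COMPANY_TIMEZONE, "hour": 22}))  # False
```

The pure RBAC check needs nothing but the roles, which is why it suits a structured workgroup; the ABAC check additionally consumes time and location, which is what makes it suitable for dispersed teams, at the cost of every decision needing those attributes to be available and trustworthy.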
OAuth2.0 and OpenID Connect
OAuth 2.0 is a standard that allows a website or application to access resources hosted by other web apps on behalf of a user. It’s a way of securely saying that it’s okay for a platform to use one of your trusted authentications to allow access to platform resources. For example, you might use it to tell GitHub that it’s okay for LinkedIn to use your GitHub profile.
OAuth is mainly used for authorisation. It uses tokens to prove an identity between consumers and service providers. It also provides consented access and restricts actions that the client app can perform on resources on behalf of the user, without ever sharing the user’s credentials.
It is important to note that OAuth 2.0 is an authorisation protocol and NOT an authentication protocol. It is primarily a means of granting access to a set of resources available on another system, such as remote APIs, a third-party API or user data. It is therefore frequently paired with OpenID Connect (OIDC) to add authentication to the security workflow.
Open Policy Agent (OPA)
Open Policy Agent (OPA) is a domain-agnostic, general-purpose policy engine that lets you decouple policy decision-making from the system that enforces it. It automates and unifies policy enforcement and implementation across a wide range of technologies and across several IT environments, especially in cloud-native applications. OPA was originally created by Styra and has since been accepted by the Cloud Native Computing Foundation. It is offered for use under an open-source licence.
Organisations use OPA to automatically enforce, monitor and remediate policies across all relevant components. You can use OPA to centralise security, compliance and operational functions across Kubernetes, API gateways, continuous integration/continuous delivery (CI/CD) pipelines, data protection and more.
Best practices for ensuring API security
There are a few other best practices in modern API security that an API management solution can support and that are important to mention:
Adopting DevSecOps to shift left on API security
Traditional security teams rely on testing software at the end of the build process. This often causes inefficiencies and delays, as developers must spend time implementing security fixes to new versions before releasing features to the end customer.
With DevSecOps, a philosophy that integrates security best practices into the development and operations processes, security testing is no longer left to the end of the build pipeline. Instead, it has shifted left to become an integral part of the development process, enabling the early discovery and fixing of issues such as vulnerable or outdated libraries, wrong API configurations or possible sensitive data leakages.
Ownership and accountability for API security
With the introduction of the DevSecOps paradigm, security becomes the responsibility of everyone on the team, from the developers to the QA and DevOps engineers. That means the security team is no longer solely responsible for ensuring the software’s security: all stakeholders must take a vested interest in the API’s security.
The benefits of ensuring that all stakeholders accept responsibility for security are enormous. It reduces the time it takes to identify issues and bottlenecks in software and to resolve them. It also speeds up the time it takes to deliver value to end customers. Plus, it encourages accountability at each stage of the development, as each stakeholder must put their best foot forward toward the achievement of the team goal.
Robust audit logging
An audit log records events as they happen. A system of log-keeping and records becomes an audit trail where anyone investigating actions within a system can trace the actions of users, access to given files, or other activities, such as the execution of files under root or administrator permissions, or changes to OS-wide security and access settings. API gateway software provides a range of logging opportunities.
Audit logs are very useful when there is a need to identify or track the cause of an issue or event. For example, they can be used to track how data went missing on a platform. They can also support informed decision-making, as data logged in real time can serve as feedback on how to improve the system going forward.
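An audit trail that can answer "who touched this object, and in what order?" and that also reveals whether any entry has been altered after the fact. This is an added example, not code from the original article or from any API gateway; it chains each entry to the previous one with a SHA-256 hash, so editing or deleting a record breaks every hash after it. The events and actor names are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash of the (empty) log before the first entry

def _entry_hash(prev_hash, record):
    """Hash of the previous entry's hash plus a canonical JSON form of this record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def append_event(log, actor, action, target, ts):
    """Append one audit record (who did what to which object, when) and return its hash."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"ts": ts, "actor": actor, "action": action, "target": target}
    log.append({"record": record, "prev": prev, "hash": _entry_hash(prev, record)})
    return log[-1]["hash"]

def verify_chain(log):
    """True if every entry links to its predecessor and still hashes to its stored value."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False
        prev = entry["hash"]
    return True

def trace_target(log, target):
    """Every recorded action on one object, in order: the 'how did this data go missing?' question."""
    return [(e["record"]["ts"], e["record"]["actor"], e["record"]["action"])
            for e in log if e["record"]["target"] == target]

if __name__ == "__main__":
    log = []
    append_event(log, "alice", "upload", "report.pdf", 1)
    append_event(log, "bob", "delete", "report.pdf", 2)
    print(trace_target(log, "report.pdf"))  # [(1, 'alice', 'upload'), (2, 'bob', 'delete')]
    print(verify_chain(log))                # True
```

The chain only proves tampering to someone who holds a trustworthy copy of the latest hash, so in practice the head of the chain (or the whole log) is shipped to a separate system, which is what the "external monitoring system" pattern discussed later in the article provides.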
Identity providers (IdPs) for enhanced authentication
An identity provider (IdP or IDP) stores and manages users’ digital identities. It’s like a guest list, but for digital and cloud-hosted applications instead of an event. An IdP may check user identities via username-password combinations and other factors, or it may simply provide a list of user identities that another service provider (such as an SSO service) checks.
IdPs are not limited to verifying human users. Technically, an IdP can authenticate any entity connected to a network or a system, including computers and other devices. Any entity stored by an IdP is known as a “principal” (instead of a “user”). However, IdPs are most often used in cloud computing to manage user identities.
IdPs can be used when organisations need to delegate or outsource the managing and controlling of employee information from a central source without having to build a custom solution to do so. This can save time as well as provide a platform to manage all employee data in the long run, while ensuring that the security of user information remains tight.
Utilising Tyk’s API management platform for stronger API security
Tyk is a cloud-native API management platform for modern software. We enable users to use REST, GraphQL, gRPC and even SOAP-based APIs to connect to one another through our open source API gateway. We also provide an intuitively designed interface for monitoring and controlling APIs efficiently and securely.
As one of the leaders in full lifecycle API management, we put API security at the top of our priority list. Tyk’s open source API management platform enables organisations to secure their APIs in multiple ways.
Separation of concerns for increased security
Tyk’s API gateway enables developers to abstract their security layer from the backend. This way the microservices can focus on the business logic of the application, while the API gateway can tackle the administrative aspects of the architecture.
Tyk provides the flexibility of using Tyk’s out of the box authentication and authorisation capabilities or delegating your security needs to external systems such as IdPs for Single Sign-On or Dynamic Client Registration. The consistent security policies provided at the level of the API gateway service ensure that all underlying microservices follow the same security standards across the application, thereby laying the foundation for scaling securely.
Comprehensive authentication and authorisation controls
Tyk’s API gateway platform provides out of the box support for a variety of authentication and authorisation methodologies including those mentioned in this article previously. From Authentication (bearer) Tokens to OAuth2.0, from JSON Web Tokens (JWTs) to Role-based Access Control (RBAC), Tyk’s got your application covered. What’s even better is that if you wanted to combine or chain together multiple security methodologies, you could easily do that too!
Dynamic Client Registration (DCR) for simplified management
Dynamic Client Registration (DCR) enables the dynamic registration of clients with your organisation’s existing authorisation server. Whether your organisation is using Keycloak, Gluu or Okta as your external IdP, our DCR capability integrates with the Tyk Developer Portal without the need to overhaul the underlying authorisation mechanism. This easy third-party API integration means you can enjoy simplified management of API security as standard.
Open Policy Agent (OPA) for enhanced authorisation
API governance is an integral part of the modern enterprise full lifecycle API management stack. A key aspect of this is fine-grained access control. To enable this, Tyk has baked the OPA rule engine right into its API gateway service, making it possible to create custom permissions securely and effectively. The OPA rule engine sits in front of the Tyk Dashboard and provides a high-level declarative language (Rego) for specifying policy as code, along with simple APIs for offloading policy decision-making from your software.
Real-time API monitoring and audit logging for proactive security measures
Tyk provides the ability to monitor all API traffic in and out of the API gateway platform. You can access and store detailed logs and audit trails of your entire API portfolio within the Tyk Dashboard. If you want to use an external monitoring and alerting system such as Logstash or Datadog, you can easily do so by connecting to the Tyk Pump, which is responsible for the observability of your APIs.
The future of API security management
API security will remain a crucial concern for businesses over the coming years. Software AG reports that API security is a slight challenge for 44% of organisations and a significant challenge for 36%. This means that API management platforms will continue to play an essential role in the future of API security, supporting the increasing prioritisation of baked-in security as part of the growing DevSecOps culture.
By using tools like Tyk’s API management platform, you can ensure security across your entire application in a powerful, flexible and efficient way. For more thoughts on API security, why not check out our article on how to expose your API securely?