Gunnar Assmy - Fotolia
APIs have been a feature of software development since the arrival of structured programming in the 1960. An API is a set of functions or routines that accomplish specific tasks or provide a simplified method of interacting with a software component, often allowing the automation of common processes that interact with services running on other machines.
Securing APIs is increasingly crucial. Though in use for decades, the arrival of Web 2.0 and cloud computing has seen a huge increase in their number and usage—there are now more than 14,000 public APIs. The APIs that Facebook, Google, Twitter, eBay and Amazon provide are probably the most best known, but many other businesses also offer access to their internal data by providing a set of APIs. Clients of Salesforce, for example, can use its APIs to integrate Salesforce services into their systems, much the same as the Facebook Platform APIs that have enabled developers to create thousands of applications and services that access Facebook data.
The business opportunities APIs present can appear irresistible, but both API providers and API consumers need to ensure secure API implementation so hackers can't use them to attack an enterprise or its users. Insecure APIs are one of the top threats to cloud computing according to the Cloud Security Alliance.
Nature of the API security risk
APIs provide access to an application’s functions, so they increase its attack surface, and hackers will endeavor to abuse or find flaws in popular API code as they can be used to attack a large number of applications and users. To illustrate, imagine that a fictitious company—let's call it MashOurDataInc—provides APIs that allow developers to pull information from its data center. A hacker has managed to inject a malicious script into the main database. If MashOurDataInc's API code doesn’t cleanse data before sending it in response to an API request, then the hacker’s malicious script could be sent to any apps that use MashOurDataInc's APIs. Potentially, thousands of users would be compromised.
Securing APIs to cut the risk
Developers building an application or service that consumes third-party data via APIs must fully understand how they work and how they should be called before using them in their code so as not to create a latent vulnerability. This means reading all the relevant API documentation, which should cover aspects of securing an API function or routine such as how to call it, what authentication is required, what data will be returned and in what format, and what error messages can be expected.
Building a threat model of any APIs being used will help in understanding the attack surface and identifying potential security issues so appropriate security mitigations can be built in from the beginning. Debug tools such as Firebug and Chrome Developer Tools can help ascertain and examine data flows an API generates, and highlight how to secure the API.
An application receiving data passed by a third-party API should never assume it has been cleansed or correctly validated. Developers have to build in data cleaning and validation routines to prevent standard injection flaws and cross-site request forgery attacks, particularly for APIs that pass JSON and XML messages or content generated by users, as all this data is coming from an untrusted source. Also, before an API is called it's important to verify that the user or device has the correct permissions to view, edit or delete the requested data; many developers fail to include secondary access-control checks once a user has been authenticated.
Enterprises developing APIs to allow others to access their internal data systems should focus on building and testing controls to manage access to the APIs. These controls should establish what others can and cannot do with the different classifications of data accessed or generated. Again, secondary access-control checks have to be made before data can be viewed, edited or deleted.
Documenting the requirements for securing APIs will make it easier to ensure subsequent code changes still meet data-handling policy requirements for personal or sensitive information. Also document what information should be logged to capture who, what and when APIs are accessed for audit purposes. These logs need to be analyzed, preferably by a security information and event management tool, so any abnormal behaviors, such as brute-force attacks, can be detected and blocked.
APIs can create countless opportunities to improve customer services and interactions, and deliver increased productivity and profits; they're even becoming the product or service some companies are founded on. However, due to the potential risks they introduce risk mitigation has to be at the heart of any API integration strategy.
What’s all this about the 'API economy'?
Learn more ways to secure APIs
Watch this video about making API testing easier
Is Amazon's API secure?