Guide to Building and Using Secure APIs

In case you didn't know, APIs are taking over the development world. Over 90% of developers use APIs: 69% use third-party APIs, and 20% use internal or private APIs. And it's not surprising: using ready-made ones is smarter than building everything from scratch.

But there's a catch. (Cool rhyme, I know)

Salt Security indicates that over 91% of organizations using APIs had an incident related to API security in 2021. Data is more often stolen from larger companies, but the process is complicated and expensive.

How API Security Is Breached

API attacks typically exploit authorization, authentication, or business logic flaws. An API can be accessed with a valid API token and then abused by manipulating the data layer behind it. I would say that a common security problem is that organizations underestimate security and make the wrong assumptions. Whether private or third-party, an API can come under attack if it's online. When developers use APIs, they see them as a tool, not a security pain point.

Application programming interfaces are often connected directly to backend databases. That's why the data is sensitive: once the "link," which is the API, is broken, the database behind it can be manipulated.

Bigger companies are more at risk as their data holds more value. They also usually have more APIs and often no direct access to them. Every API is unique, so the approach to security may differ.

API Keys

Accessing an API via API keys is quite outdated and risky. The reasons are:

  1. The API key allows read/write access, even when the use case only needs read access. The first person that gets access is the developer, but the risk comes when one key gives access to many apps and is stored insecurely.
  2. APIs often support a single key per account, meaning the developer reuses that key everywhere, and with one wrong move it gets compromised. Then there's lots of downtime and hassle to handle.

Use OAuth and Tokens Instead

A more secure way is to give access via tokens. How are they different from keys? They expire and are assigned to different applications. One application can have a token for read-only access and another one for different access. In terms of security, it's obviously better, as attackers have limited time (they expire, remember?) and can only reach a part of the application. Moreover, tokens can be revoked in case something strange is noticed.
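To make the contrast concrete, here is an added example (not code from the original article) of a minimal token scheme with exactly the three properties described above: per-application scopes, an expiry, and revocation. The signing secret, the `issue_token`/`authorize`/`revoke` functions and the in-memory revocation set are all assumptions made for the illustration.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time

# Assumed server-side signing secret (constructed placeholder; in a real
# deployment this lives in a secrets manager, never in source or on devices).
SECRET = b"example-signing-secret-do-not-reuse"
# Token ids revoked before their expiry, e.g. after something strange is noticed.
REVOKED: set[str] = set()

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(app: str, scopes: list[str], ttl: int, now: int | None = None) -> str:
    """Mint a token bound to one application, with explicit scopes and an expiry."""
    now = int(time.time()) if now is None else now
    claims = {"app": app, "scopes": scopes, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def authorize(token: str, required_scope: str, now: int | None = None) -> tuple[bool, str]:
    """Check signature, revocation, expiry and scope, in that order. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims["jti"] in REVOKED:
        return False, "revoked"
    if now >= claims["exp"]:
        return False, "expired"
    if required_scope not in claims["scopes"]:
        return False, f"scope {required_scope} not granted"
    return True, "ok"

def revoke(token: str) -> None:
    """Invalidate one token immediately, without touching any other app's access."""
    body = token.split(".", 1)[0]
    REVOKED.add(json.loads(_unb64(body))["jti"])
```

A reporting app given only `["read"]` is refused a write, and the same token stops working the moment it expires or is revoked, whereas a single shared API key has none of these cut-offs.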

Encrypt Sensitive Data

It goes without saying that data can be stolen even if you take all possible measures. However, if you encrypt it, it will be useless to the attacker. You might use Transport Layer Security (TLS) to protect data in transit, and encrypt stored data separately. There are many types of encryption, and you can apply more than one. Make sure, though, that encryption keys aren't kept on devices or in easy-access places. We wouldn't want mistakes after so much work.

Set up API Gateways

A gateway is a tool that manages APIs and provides a single point of control and enforcement for policies, logging, and auditing. It can be compared to an API "firewall" that prevents different types of attacks. A gateway allows developers and organizations to authenticate traffic and control how APIs are used.

Place Limits to Fight DDoS Attacks

Once a DDoS attack reaches the API, little can be done. That's why the focus should be on prevention, so that APIs aren't affected as much. Placing rate limits on API usage and access helps avoid both performance and security issues. Limiting API calls may throttle connections, balancing access with availability.

Mix Security Methods and Build a Threat Model

Last but not least is some combined advice on security. If you want to ensure API security, always assume the worst. I don't think the situation with security will get better soon, so brace yourself (and get equipped with patience). An API gateway combined with API access management is a nice way to protect most APIs. Encryption of data and limits on usage are the second layer of protection.

Believe me when I say it's a must to have a threat model. It is a preventive measure that helps anticipate future attacks and security vulnerabilities. Make sure the APIs are adequately maintained and check for issues periodically.

Sum Up

Take security seriously when working with a development team or setting up APIs on your own. Aside from choosing between private and third-party APIs, check the access management. Do they work with keys or tokens? Do they have gateways? What is the worst-case scenario if it fails? I think the saying "Better safe than sorry" fits here nicely.

Most security issues come from assuming you won't be a target. So better assume you already are.