As the age of digital transformation and the Internet of Things hurtles closer to maturity, APIs have become critical to business strategy. Through APIs, businesses expose their data and digital services to a complex interconnected ecosystem of partners, vendors, customers, IoT devices, and other apps. That exposure brings benefits, but it also carries risks.
APIs need to be treated with the same cautions that are applied to human users. Each must have an identity, and that identity must be protected against attacks that exploit vulnerabilities in authentication, authorization, and session management.
APIs Are Strategy, Not Software
APIs are now part of every enterprise’s strategy. They are critical to business success, and they need to be developed through a business lens as much as a technical lens. Yet the way an API handles authorization is usually left in the hands of its developers.
Developers usually come from a web design background. But web design and API design require very different approaches, and developers often lack an understanding of threat profiles. They are not experts in authorization, and deadline pressures leave them with little time to become fluent in API security practices. As a result, the APIs that connect businesses to their ecosystems are often vulnerable to attacks.
Developers are also not business specialists. They may not know which roles to authorize or which privileges to grant to those roles. Instead, business owners should be responsible for decisions like that, and they should have the ability to change authorization and access as the business model evolves. However, since authorization and access are typically hard-coded into an API, changes have to be fed into the software development lifecycle where they wait to be prioritized and executed. That reduces a business’s agility and creates additional work for dev teams.
Hard-coded authorization rules also raise compliance issues. An auditor would have to read and understand code in order to evaluate compliance for each individual API. This is impracticable because the average enterprise has hundreds, if not thousands, of APIs. Along the same lines, governance becomes impossible with so many APIs handling authorization independently. A global approach to API security should be the standard, but that is far from the reality.
How APIs Introduce Risk
APIs identify themselves with API keys, unique strings of characters that identify the application making a request. These keys are often accepted as authoritative credentials, but they are not: a key is typically embedded in application code, where malicious actors can extract and reuse it.
APIs can be used to launch authentication service attacks through automated credential guessing, replay attacks, or stolen identifiers. Credential guessing leads to automated credential stuffing, which consumes resources and compromises accounts. Replay attacks intercept and reuse legitimate data to slip past a network’s security protocols. Stolen identifiers, such as cookies and tokens, let a malicious actor impersonate an authorized user and carry out an attack that is difficult to detect in real time.
Distributed Denial-of-Service (DDoS) attacks against the application layer are of particular concern. In an application-layer DDoS attack, attackers weaponize the interconnected nature of APIs: they first perform reconnaissance to learn which API makes the most calls within an application, then target that API with a massive volume of requests. The API calls middle-tier and backend services as it attempts to respond to the malicious requests, and those services are overwhelmed in turn. The impact spreads throughout the entire API ecosystem until an overall service outage occurs.
Application-layer DDoS attacks are on the rise because they are less costly to carry out than DDoS attacks against other network layers, and harder for security solutions to detect because they look like legitimate user requests.
Best Practices for API Enablement
The first best practice may seem obvious, but it has to be stated: recognize the risks inherent in the use of APIs. Their behaviors must be considered in the broader context of identity as a whole, including device identification, access times, geolocation, etc.
Developers should be trained on use cases from accepted protocols such as OAuth and OpenID Connect, and they should use existing libraries whenever possible rather than writing new code.
Subject APIs to proper security testing using automated security tools. Prior to login, test for user behavior and client validation. Before and after login, test for vulnerability protection, attack signatures, and traffic behavior. After login, test for application behavior.
Take authorization off the shoulders of the development teams and put it into the hands of the business owners, who are better equipped to define authorization rules that effectively support business rules. Business owners should be able to change these as needed in order to stay on top of changes to business strategies and models.
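The separation argued for above, as an added example that is not Optimal IdM’s code: the authorization rules are a data document a business owner can edit, and the evaluator never changes when the rules do. The rule format, role names and operation names are invented for illustration.

```python
"""Externalized API authorization: the rules are data a business owner can edit;
the evaluator below never needs to change when the rules do.
Added example, not Optimal IdM's code; rule format, roles and operation names are invented."""
import fnmatch
from dataclasses import dataclass, field

# Constructed policy document. Each rule names roles, operation patterns, an
# effect, and optional conditions the evaluator knows how to check.
POLICY = {
    "default": "deny",
    "rules": [
        {"roles": ["partner"], "operations": ["orders:read"], "effect": "allow"},
        {"roles": ["partner"], "operations": ["orders:create"], "effect": "allow",
         "conditions": {"max_amount": 10000}},
        {"roles": ["auditor"], "operations": ["*:read"], "effect": "allow"},
        {"roles": ["*"], "operations": ["admin:*"], "effect": "deny"},
    ],
}


@dataclass
class Request:
    operation: str                                 # e.g. "orders:create"
    roles: list                                    # roles from the caller's validated token
    attributes: dict = field(default_factory=dict) # e.g. {"amount": 2500}


def _conditions_hold(conditions: dict, attributes: dict) -> bool:
    """Unknown condition types or missing attributes fail closed."""
    for name, limit in conditions.items():
        if name != "max_amount":
            return False
        if attributes.get("amount", float("inf")) > limit:
            return False
    return True


def authorize(request: Request, policy: dict = POLICY) -> str:
    """Return "allow" or "deny": an explicit deny beats any allow, no match -> default."""
    decision = None
    for rule in policy["rules"]:
        roles_ok = any(fnmatch.fnmatch(r, p) for r in request.roles for p in rule["roles"])
        ops_ok = any(fnmatch.fnmatch(request.operation, p) for p in rule["operations"])
        if not (roles_ok and ops_ok and _conditions_hold(rule.get("conditions", {}), request.attributes)):
            continue
        if rule["effect"] == "deny":
            return "deny"
        decision = "allow"
    return decision or policy["default"]
```

Raising the partner order limit or adding a role is an edit to POLICY, not a code change waiting in the development backlog, and an auditor can read the rules without reading the API.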
Be discreet. Prevent app servers from returning error messages that include system traces, and don’t register internal API names in public DNS.
Last but definitely not least, enable deep reporting and formalize “continuous security” practices. That includes hunting for anomalies by periodically reviewing all API access.
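One shape such a periodic review can take, as an added example (not Optimal IdM’s audit schema): two checks run over constructed API audit records, one for the credential stuffing described earlier (one client failing logins across many accounts) and one for a call-volume spike against a single API. The record format and thresholds are assumptions.

```python
"""Periodic review of API audit records for two of the patterns described above:
credential stuffing (one client, many failing usernames) and a call-volume spike
against one API. Added example; record format and thresholds are constructed."""
from collections import defaultdict

# Constructed records: epoch seconds, API key, source IP, operation, user, result.
AUDIT_LOG = """\
1700000000 key-A 203.0.113.5 auth alice ok
1700000001 key-B 198.51.100.7 auth bob fail
1700000002 key-B 198.51.100.7 auth carol fail
1700000003 key-B 198.51.100.7 auth dave fail
1700000004 key-B 198.51.100.7 auth erin fail
1700000006 key-A 203.0.113.5 orders:read alice ok
1700000010 key-C 192.0.2.9 orders:read - ok
1700000011 key-C 192.0.2.9 orders:read - ok
1700000011 key-C 192.0.2.9 orders:read - ok
1700000012 key-C 192.0.2.9 orders:read - ok
1700000012 key-C 192.0.2.9 orders:read - ok
"""
FIELDS = ("ts", "api_key", "src_ip", "operation", "user", "result")

def parse(log: str) -> list:
    records = [dict(zip(FIELDS, line.split())) for line in log.splitlines() if line.strip()]
    for r in records:
        r["ts"] = int(r["ts"])
    return records

def credential_stuffing(records, min_users=4) -> set:
    """(api_key, src_ip) pairs whose failed logins span >= min_users distinct accounts."""
    failed = defaultdict(set)
    for r in records:
        if r["operation"] == "auth" and r["result"] == "fail":
            failed[(r["api_key"], r["src_ip"])].add(r["user"])
    return {k for k, users in failed.items() if len(users) >= min_users}

def volume_spikes(records, window=60, max_calls=4) -> set:
    """(api_key, operation) pairs with more than max_calls calls in any window of `window` seconds."""
    stamps = defaultdict(list)
    for r in records:
        stamps[(r["api_key"], r["operation"])].append(r["ts"])
    spikes = set()
    for target, ts_list in stamps.items():
        ts_list.sort()
        start = 0
        for end, ts in enumerate(ts_list):     # sliding window over sorted timestamps
            while ts - ts_list[start] >= window:
                start += 1
            if end - start + 1 > max_calls:
                spikes.add(target)
                break
    return spikes
```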
Optimal IdM Cloud APIs Do The Heavy Lifting
Optimal IdM supports API enablement by providing REST services for:
- authenticating user credentials
- validating OAuth2/OpenID Connect tokens
- authorizing API calls using explicit business rules
- translating tokens between protocols (SAML 2.0 assertions and OAuth2/OpenID Connect tokens)
- throttling API calls
- auditing API calls
Optimal IdM API enablement features ensure that all API calls are throttled to mitigate DDoS attacks. All API calls are audited. API audit records can be viewed in the Optimal IdM audit reports alongside the Identity Management and Federation audit records, providing a holistic view of the applications.
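What “throttle every call and audit every call” looks like in code, as an added example that is not Optimal IdM’s implementation: a per-API-key token bucket in front of the API, with an audit record written for every call whether it was served or rejected. The limits, status codes and record fields are constructed.

```python
"""Per-API-key throttling, with an audit record written for every call whether it
was served or rejected. Added example, not Optimal IdM's implementation; limits,
status codes and record fields are constructed."""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    capacity: float                   # burst a single key may send at once
    refill_per_sec: float             # sustained rate granted to the key
    last: float = 0.0                 # time of the previous refill
    tokens: float = field(init=False)

    def __post_init__(self):
        self.tokens = self.capacity

    def take(self, now: float) -> bool:
        """Credit tokens for elapsed time, then spend one if any remain."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    """Front door for API calls: throttle per key, audit every call."""

    def __init__(self, capacity: float = 3, refill_per_sec: float = 1.0):
        self.capacity, self.refill = capacity, refill_per_sec
        self.buckets = {}
        self.audit = []          # rejected calls are recorded too; they are the DDoS evidence

    def handle(self, api_key: str, operation: str, now: float) -> int:
        """Return the HTTP status the caller would receive (200 served, 429 throttled)."""
        bucket = self.buckets.setdefault(api_key, TokenBucket(self.capacity, self.refill, last=now))
        status = 200 if bucket.take(now) else 429
        self.audit.append({"ts": now, "api_key": api_key, "operation": operation, "status": status})
        return status

    def throttled_calls(self, api_key: str) -> int:
        """Audit query a reviewer would run: how often has this key been throttled?"""
        return sum(1 for rec in self.audit if rec["api_key"] == api_key and rec["status"] == 429)
```

A burst from one key is rejected without touching the backend or starving other keys, and the rejected calls stay in the audit trail for the anomaly review described above.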
APIs are the cornerstone of business today. Optimal IdM can help you ensure that your connections to your trading partners and their technology run safely, smoothly, and easily.
Learn more about API enablement by e-mailing info@optimalidm.com.