You’re a hardworking dev and you build an outstanding application, you spend gazillion hours upon hours designing the structure to make it easy to use by other developers and clients.
Your API successfully interacts between your microservices and then a fear rises and you confront your colleagues and superiors with the dilemma of “At the end I expose my application on the web which means my data will not be safe!”.
In this article we will explain how to secure REST API in order to reduce the attack scenarios.
What’s a REST API?
A REST API is an API that conforms to the architectural style of REST and allows interaction with RESTful web services.
REST stands for REpresentational State Transfer.
APIs (application programming interfaces) provide a way for app developers to “call” information from outside sources into an application they build.
First steps for a secure REST API.
USING THE RIGHT API TOOL FROM THE TOOLBOX
????Always consider a CI/CD solution as your first steps for a more secure REST API, one of the common solutions is BLST Security Cherrybomb
First of all RESTful APIs must be stateless – so request authentication/authorization should not depend on sessions.
Stateless in software means that it does not keep track of configuration settings, transaction information or any other data for the next session.
There are multiple ways to secure a RESTful API e.g. basic auth, OAuth, etc.
Each API request should come with some sort of authentication credentials that must be validated on the server for every request.
There are two types of api, public API and private API two of them do not require the same level of attentiveness.
As the name indicates, public API allows the resources to be public to the internet.
For example /prices or /product are resources available in your website for users without authentication.
Even though the resource is public I strongly recommend using an API key (API Key is a single token string) to limit the chance of abuse.
An internal (or private) API is intended only for use within the company, to connect systems and data within the business. Internal API can provide information about users on the platform and that data has to be accessible only to the owners.
Fundamentals for a secure REST API the AAA:
Authentication is used to know who called the endpoint of the Rest api.
Authentication proves that you are who you say you are.
Authorization occurs after the user authenticates himself, authorization deals with which resources are permitted to be used by the caller.
Since each HTTP call is handled independently, each time your application receives a call, you will need to decide whether or not the caller is allowed to consume that particular resource.
Accountability (also traceability) is about who did what, when and with what resources.
To accurately track what is happening in your system, you need to note each HTTP call the 3 W’s, what, who and when:
- The used resource
- The method used
- The code response
- Who request the endpoint, and what is the permission
- Which app call the api
- When occurs the request
Common ways to robust your REST API security
- The use of tokens, establish trusted identities and then control access to services and resources by using tokens assigned to those identities.
- Least Privilege: An entity should only have the required set of permissions to perform the actions for which they are authorized, and no more.
- Use encryption . Always use HTTPS, encrypt your data using a method like TLS(see above).
- Use a signature. Passwords must always be hashed in order to protect your organization. Using signatures helps to ensure that the right users are decrypting and modifying your data, and no one else.
- Keep it simple. Try to keep your API simple as possible, to avoid miscomprehension and ensure a good implementation of security
- Input Parameter Validation. Put strong validation checks and reject the request immediately if validation fails. Validate request parameters on the very first step, before it reaches application logic. In API response, send relevant error messages and examples of correct input format to improve user experience. Check every parameter request before it reaches the application logic.
- Identify vulnerabilities. Keep up with your operating system, network, drivers, and API components. Know how everything works together and identify weak spots that could be used to break into your APIs.
- Use quotas and rate limiting. Place quotas on how often your API can be called and track its use over history. More calls on an API may indicate that it is being abused. It could also be a programming mistake such as calling the API in an endless loop. Make rules for throttling to protect your APIs from spikes and Denial-of-Service attacks.
- Use an API gateway. API gateways act as the major point of enforcement for API traffic. A good gateway will allow you to authenticate traffic as well as control and analyze how your APIs are used.
- Integrate Dynamic Application Security Testing (DAST), they detect vulnerabilities by performing actual attacks, similar to a real hacker. In a sense, DAST tools perform automated penetration testing of your web applications.
- Use a WAF. Integrate a web application firewall for detecting malicious payload
In conclusion it is important to understand that API is a new battlefield that brings new ways of abuse that are thought about each and every day.
Using the methods listed in this article to secure your REST API will surely give you a layer of protection against a few types of attacks but overall it is recommended a consultation with one of the many API Security companies, some of the methods are more advanced than others for example DAST is far more advanced tgab