API Security

Gui Alvarenga - July 17, 2023

What is API security?

Many organizations allow customers to access their data through an application programming interface (API) so they can build customized solutions on top of it. But this access comes with risks, making API security a crucial element of a business’s success.

API security involves implementing measures to safeguard data confidentiality, integrity, and availability. These measures include setting up authentication and authorization mechanisms that permit only authorized users and applications to access the API, and implementing encryption and other security protocols to protect data in transit and at rest.

Additionally, API security encompasses monitoring and logging to detect and respond to security incidents, and conducting regular testing and vulnerability assessments to identify and address potential security weaknesses.

These security measures mitigate serious risks, as API breaches can have severe consequences for individuals and organizations alike. Attackers can exploit vulnerabilities in APIs to access sensitive data, such as personal information, financial details, and login credentials — potentially resulting in identity theft, fraud, and other cybercrimes. Attackers can also carry out denial-of-service attacks, which prevent the use of the hacked API. 

For companies that rely on APIs to connect with third-party services, a violation can lead to reputational damage, financial losses, legal action, fines, and regulatory sanctions. That’s why prioritizing API protection and regularly monitoring for potential violations protects both an organization and its users. 

2023 Cloud Risk Report

Download this new report to learn about the most prevalent cloud security threats from 2023 to better protect from them in 2024.

Download Now

API security vs. application security

The terms API security and application security are often confused, but they are two different concepts. APIs have a bigger attack surface than web applications because APIs are designed to accommodate a wide range of clients. At the same time, wide-ranging accessibility makes APIs more vulnerable to security threats. The authentication schemes APIs use also differ from those used by web applications. For example, APIs use token-based authentication, whereas applications commonly use two-factor schemes that send users a code on their smartphone that they manually enter into the application alongside their password.

If we look at the OWASP top 10 security risks for APIs, we also see they differ from that of web applications. The list of the top 10 security risks for web applications includes things like UI design flaws and using vulnerable UI components, while the list of API risks centers on authorization issues on the system’s object or function level.

Essential API security standards

There is a range of standards to consider when building an API that can keep it secure. These standards are mostly related to encryption, authentication, and authorization. Some of them, like Transport Layer Security (TLS), are so tightly integrated into basic internet protocols that you’re using them right now while reading this article.

Let’s check out the five most important standards.

1. TLS encryption

TLS encryption is a protocol that secures client and server connections over the internet. It encrypts data in flight to prevent intermediaries from reading the transferred data. This encryption technology is widely used in e-commerce, online banking, and other web-based applications to protect sensitive information.

2. OAuth

A popular authorization protocol, OAuth (open authorization) allows an organization to grant third-party applications access to its APIs on a website without sharing its credentials. Instead of giving the application a password, OAuth generates a token that authorizes access to an account for a specific time period.

3. SAML

Security Assertion Markup Language (SAML) is an XML-based standard for authentication and authorization data exchanges. Commonly used in internal or business-to-business applications, SAML helps build single sign-on (SSO) solutions that eliminate the need for a user to remember multiple login credentials.

4. JWT

JSON Web Token (JWT) is a token format that is optimized to be represented in URLs, transferred via HTTP, and read with JavaScript inside a browser. The tokens represent access claims for services and are used for authentication and authorization. They contain detailed information such as user ID and expiration time, and standards like OAuth use tokens in the JWT format as their access tokens.

5. The OWASP REST Security Cheat Sheet

Representational state transfer (REST) is one of the most common architectural styles on the internet. The OWASP REST Security Cheat Sheet provides guidelines for securing REST APIs against common threats, such as injection attacks, broken authentication, and sensitive data exposure. One recommended approach is to use JWT, a secure and streamlined method for transmitting data and managing user authentication.

Learn More

Learn the top 12 cloud security risks, threats, and challenges you should keep an eye on to keep your cloud computing environment safe. Cloud Security Issues

10 API security issues

The most common security risks for APIs relate to authorization issues, but other factors can also present pressing security concerns. Let’s look at 10 of the most prevalent API security issues (according to OWASP) and explore how to prevent them.

1. Broken object-level authorization

This risk occurs when an API does not correctly enforce object-level authorization, allowing attackers to access or modify data they should not have access to. To prevent this issue, use a centralized access control mechanism to manage object-level authorization. This mechanism should be able to enforce access control policies at the object level and handle complex relationships between objects.

2. Broken user authentication

This risk occurs when an API does not properly authenticate users, allowing attackers to impersonate legitimate users and access sensitive data. To mitigate the risks that broken user authentication presents, implement multi-factor authentication and use secure password storage mechanisms. Multi-factor authentication adds an extra layer of security by requiring the possession of multiple devices to log in. Secure password storage mechanisms, such as hashing and salting, make it more difficult for attackers to crack passwords.

3. Broken object property-level authorization

In systems that use large objects, a typical risk is that one object exposes more data than necessary. Even when the system uses object-level authorization, an object may still have properties that include sensitive data. The solution is to use encryption to protect sensitive data and limit the amount of data exposed. Encryption can help protect data in transit and at rest. Filtering object properties before sending them to a client can help reduce the impact of a data breach.

4. Lack of resources and rate limiting

When an API does not properly allocate resources or enforce rate limits, attackers can launch denial-of-service attacks. To prevent these attacks, implement rate limiting and resource allocation mechanisms. Rate limiting can keep attackers from overwhelming the API with requests, and resource allocation mechanisms help ensure that resources are allocated fairly and efficiently.

5. Broken function-level authorization

This risk occurs when an API doesn’t require authorization for each of its endpoints. This can allow attackers to call endpoints that should only be used by an administrator. Using a centralized access control mechanism to manage function-level authorization can help mitigate this risk. The access control mechanism should be able to enforce access control policies at the function level and should be capable of handling complex relationships between functions.

6. Server-side request forgery

When an API accepts a URL from a client to fetch data from a third-party service and doesn’t validate the URL, it allows an attacker to submit malicious URLs that can expose internal services or scan the API for open ports. Employing URL allowlists or filtering internal hostnames and IPs can help prevent this problem.

7. Security misconfiguration

Following safe coding practices and regularly updating software and security configurations are key steps to configuring APIs securely so attackers can’t exploit vulnerabilities. Using secure defaults, disabling unnecessary features, and regularly updating software and security configurations are just a few best practices for hardened security configuration.

8. Lack of protection from automated threats

Automation can allow attackers to exploit regular business flows for financial gain by referring bots to a paid referral program or buying a limited product excessively to resell it later. Though some of these activities may not be illegal, they can still lead to reputation loss or financial losses for the organization. To keep this risk at bay, ensure that purchasing flows include reasonable limitations per person and referral programs are paid out only when a proof of personhood has been supplied. Device fingerprinting and blocking of suspicious IPs like Tor exit nodes are also recommended measures.

9. Improper asset management

When an API does not properly manage assets such as keys and certificates, unauthorized users can gain access to sensitive information. This is another reason it’s critical to employ secure coding practices and regularly update software and security configurations. Asset management can also include using secure defaults and disabling unnecessary features.

10. Unsafe consumption of third-party APIs

APIs often use APIs from third parties to get their work done. In many cases, these third-party APIs are treated as inherently secure. But these APIs can still become an attack vector into a system, allowing malicious users to indirectly send problematic inputs, such as SQL injections or forged URLs. Sanitizing inputs is vital — not just inputs from clients but from all systems that can enter data into your API. Employing allowlists for hostnames and restricting redirects can help ensure the safety of third-party APIs.

Case Study: Berkshire Bank

As Berkshire Bank grows and focuses on digital transformation, the main cyber challenges it faces are API security, rising zero-day vulnerabilities, third-party risk management as banking systems and services are moved to the cloud, and the increasing sophistication and frequency of cyberattacks.

Learn why Berkshire Bank is “very happy” with the CrowdStrike Falcon® platform.

Download Now

Keep your APIs secure

Managing API security can seem complex, but it doesn’t have to be. The CrowdStrike Falcon® platform assesses your API security posture across multiple hosts, keeping an eye on your service configurations and helping to test for potential threats. With CrowdStrike Threat Graph®, cloud-scale AI analyzes API events in real time.

Try the Falcon platform today to enrich your endpoint and workload telemetry with actionable security insights. Start your free trial of the Falcon platform now.

GET TO KNOW THE AUTHOR

Guilherme (Gui) Alvarenga, is a Sr. Product Marketing Manager for the Cloud Security portfolio at CrowdStrike. He has over 15 years experience driving Cloud, SaaS, Network and ML solutions for companies such as Check Point, NEC and Cisco Systems. He graduated in Advertising and Marketing at the Universidade Paulista in Brazil, and pursued his MBA at San Jose State University. He studied Applied Computing at Stanford University, and specialized in Cloud Security and Threat Hunting.