Gartner predicts that by 2022, API abuses will be the most frequent attack vector for breaching enterprise web applications. Methods of attack include injection attacks, authentication hacking, data exposure, parameter tampering, application abuse and more.
By following API security best practices, however — think encryption and signatures, tokens, quotas and throttling — API security can be strengthened.
We spoke with two Colorado engineers who shared their own best practices for preparing and protecting their APIs from different attacks. Their recommendations? Tried-and-true frameworks and keeping security at the forefront of every process.
Keeping security top of mind also requires staying ahead of cybersecurity trends, they said. Engineering managers should encourage their teams to subscribe to newsletters like Hacker News, follow security and consulting firms on social media, and attend conferences to help them stay ahead of potential threats.
Webb sticks to a “keep it simple” mantra when it comes to API security by hiring developers at Pie Insurance who advocate for security first, and know how to implement widely adopted patterns that make it easy for them to interact with APIs in a secure way.
When building a new API, what best practices do you follow to ensure it's developed with security top of mind?
I advocate for security to be considered first, and as a separate layer from the business use cases of an API. This helps ensure the API is built on a solid foundation instead of adding security to an existing API as an afterthought. Authentication, authorization, auditing, logging, monitoring and data protection are some of the most important aspects of API security that must be addressed.
However, security is kind of funny because it can easily become inversely related to usability. To address that problem, I look for widely adopted patterns that make it easy for developers to interact with APIs in a secure way. This is the “keep it simple” principle which many people find counterintuitive when it comes to security. As an example, most people know that the “s” in HTTPS means “secure.” Those people don’t need to understand transport layer security, digital signatures or web of trust to feel confident with the security of HTTPS.
HTTPS is a widely adopted pattern that has good support in browsers and libraries, making it easy to utilize as a data protection mechanism without being forced to understand how it works completely.
Finally, it’s important to have developers on your team who will diligently keep security in mind and also strive for simplicity.
What tools does your team use to monitor and manage your APIs?
We use a combination of Amazon Web Services, other service providers and homegrown tools for monitoring and management. Our authentication model is built on OpenID Connect, and we utilize AWS Cognito for the implementation. Cognito was chosen because it’s a cost-effective, best-of-breed customer identity and access management tool as well as a general purpose identity provider.
Cognito integrates nicely with other AWS services for authentication, authorization, logging and monitoring. Our API gateways are used as a security layer to allow us the flexibility of enforcing security policy across APIs. We have been using nginx as an API gateway for simplicity, but we are moving toward utilizing AWS API Gateway. We publish API documentation in the OpenAPI format and also use OpenAPI in development as a discussion tool. While there are tools on the market that promise to manage all of the API lifecycle, we’ve found it best to pick the right tool for the job at each phase of development.
It’s important to have developers who will diligently keep security in mind and also strive for simplicity.”
How do you stay up to date with evolving cyber threats, security best practices and government regulations around data privacy and security?
I’ll restate here that it’s important to have developers on your team who will diligently keep security in mind. There are many big security and consulting firms that publish advisories that are a good source of information on evolving threats and best practices. Subscribing to known security researchers’ content is another great way to keep abreast of trends and best practices. The EU General Date Protection Regulation is one of the most comprehensive resources, and the U.S. approach to data privacy is slowly evolving. Keeping an eye on government agencies like the National Telecommunications and Information Administration is the best way to keep up with this progress.
Unfortunately, all of these resources often change and take time to consume and it would be difficult to cover all the channels, even with a small team of dedicated security engineers. This is where the security-minded development team greatly helps disperse the information load. These developers distinguish themselves by considering and discussing the potential security implications of implementation in addition to the business requirements, often because they are already interested in and subscribed to security-related content.
For Principal Architect KC Berg, building an API means sticking with what works at StackHawk, a SaaS startup that enables engineers to fix security bugs throughout the CI/CD pipeline. Berg uses frameworks that have a history of handling security issues, and he proactively looks to sources like Hacker News and security subreddits to stay aware of evolving cyberthreats.
When building a new API, what best practices do you follow to ensure it's developed with security top of mind?
Pick a style and stick with it, such as REST, JSONP, GraphQL, etc. Also, use a framework. Don’t reinvent the wheel and the mistakes of implementing an API style. Look for a framework that has a history of handling security issues well.
Do authentication and authorization first. Even if you’re unsure what the future authorization needs and roles are, put the mechanisms in first because bolting on authorization later is a nightmare.
Go deep on the framework you choose. If you’re making your API dependent on a framework, take the time to download the source, learn the framework, extend it, and keep up to date with its security practices.
Handle input validation, logging and error handling globally. Many frameworks make this easy, but it’s worth thinking about these functions in a central or common location. Doing these actions at each route level will lead to bugs and maintainability issues.
Don’t forget about data tenancy. Implement safeguards into your APIs so it’s not possible for customers to see each other’s data, either by user or programmer error.
Do authentication and authorization first.”
What tools does your team use to monitor and manage your APIs?
When we were first bootstrapping our infrastructure, we did a technical survey and decided to go with SpringBoot 2 as our API framework. We wanted a JVM-based framework for stability and performance, and SpringBoot’s libraries, integrations and tooling are rock solid. We also knew that SpringSecurity was robust yet flexible enough for whatever we needed.
Generally, we stick with the recommended best practices in SpringBoot, using RestController with its validation, security and parameter handling. Micrometer is the default metrics collector in SpringBoot, so we use that with Prometheus and Grafana for monitoring and alerts.
How do you stay up to date with evolving cyber threats, security best practices and government regulations around data privacy and security?
We keep up to date with our frameworks like SpringSecurity by signing up for their newsletters and reading other news sources such as Hacker News, security subreddits, NIST monthly summaries, and more. We attend or listen to talks from OWASP, Black Hat, BSides, DevSecCon and similar conferences. We are also big fans of relying on automated tooling to help ensure that we keep our application secure.