The FireTail API security blog starts now

THE FOCUS OF FIRETAIL

Here at FireTail, we believe that API security is crucial moving forward. We are focused on what we believe will be the next attack vector – the API. APIs (application programming interfaces) are the way that two pieces of software can talk to each other. On the modern Internet, API interactions happen trillions of times per day, maybe even trillions per hour.

API – the application programming interface concept

EXAMPLE OF AN API

One of the easiest ways to think about an API is any mobile application. Pull out your smartphone and look at any app that helps you accomplish a task, like booking a table, checking in for a flight, ordering food, getting a ride, etc. As you can imagine, that whole process does not take place on your phone. You’ll create some portion of the transaction on your phone, maybe choosing what dishes go into your dinner order, but then that order has to be sent to the restaurant, with a driver coordinated to do the delivery, and credit card payment processed. This might involve as many as 10 interactions with different APIs to complete one single order. Again, this happens trillions of times per day.

WHAT IS API SECURITY?

API security is exactly what it sounds like – the security of the API components that enable and transact the connection between two pieces of software. Can we be sure that the connection is private, and only being used in the way that it was intended? There are many aspects of API security, which we will cover in a forthcoming whitepaper specifically on API security considerations and best practices.

WHAT WILL THIS BLOG COVER?

This is the FireTail.io blog, so naturally you can expect this blog to share information about our company, our progress and our product. But you’ll also find our analysis of API security data breaches, and trends that we see in the market. We’ll also cover events and media appearances

API Security Best Practices

Best practices in API security will be a key focal area of this blog. While many API security best practices are similar to cloud security best practices or application security best practices, there are some technical nuances that are unique to APIs. Whenever a set of security recommendations or security challenges is discussed, FireTail will do our best to highlight the differences. Some high-level best practices for security in APIs include:

• Secure infrastructure configuration
• Secure software development, including code analysis, supply chain security and pre-release security testing
• Strong authentication
• Server-side authorization for each subsequent, valid, properly authorized API call
• Enforcing principles of least privilege for both internal and external API consumers
• Validating and sanitizing data inputs, and then only sending and receiving the required data elements for API request parameters, payloads and response payloads
• Network security around the API
• Reviewing a threat model around APIs
• Designing, monitoring and enforcing controls to prevent breaches from known risks and attack vectors, such as those described in the OWASP API Top 10

REST API Security

REST, or representational state transfer, is the leading paradigm for APIs. REST API security really means API security, such as the best practices described above. In particular, given that REST communications are typically formatted in JSON (JavaScript Object Notation) format, REST API security practices should inspect the JSON objects sent and received. Some attack vectors, like injection, rely on APIs not checking JSON objects closely.

The role of an API Gateway for API security

An API gateway is a network interface, like a reverse proxy, sitting logically or topologically in front of an API, to accept API calls, route the calls to the appropriate API service or endoint, and return results to the API consumer. API Gateways can provide valuable services like presenting network visibility of APIs, allowing for decoupling of the API from the network interface point (IP address or DNS entry) so that APIs can be rotated, updated or A/B tested behind a gateway, and to enable horizontal scaling.

Some API Gateway technologies, such as those from leading public cloud providers, may also provide features that are useful in API security, such as rate limiting and pagination. However, API Gateways most likely do not inspect request/response payloads and cannot look into authentication, authorization or data management logic.

API security testing

A comprehensive API security strategy will always include end-to-end planning and controls, from design to production. One critical step of this process will be both the logical and security testing of the API. While logical testing of the API will check that the API is functioning as intended, API security testing will typically focus on a few key questions:

• Does the API check authentication? Can unauthenticated users access restricted parts of the API?
• Does the API check authorization? Is authentication being used as a substitute for authorization? 
• Can property authenticated and authorized users access any unexpected functions or data?
• Are only the necessary, specified and correct data elements being sent and received with each API call?

API Security - OWASP API Top 10

OWASP - the Open Worldwide Application Security Project - provides a "top 10" list for API security risks. However, as of the time of the publication of this article, the OWASP API Top 10 is 3 years old, which is somewhat dated by the norms of the modern cloud. As this list is updated with newly discovered API attack vectors, exploits or commonly breached design flaws, the FireTail blog and newsletter will provide updates.