Overlooked essentials: API security best practices

In this Help Net Security, Ankita Gupta, CEO at Akto, discusses API security best practices, advocating for authentication protocols like OAuth 2.0 and OpenID Connect, strict HTTPS encryption, and the use of JWTs for stateless authentication.

Gupta recommends role-based access control (RBAC) and attribute-based access control (ABAC) for effective authorization management.

When implementing authentication and authorization mechanisms for APIs, what are some of the best practices you’ve found effective?

For authentication, start with OAuth 2.0 and OpenID Connect. These frameworks provide robust, standardized protocols that facilitate secure authentication and authorization across your applications and services.

JSON Web Tokens (JWT) are particularly effective for stateless authentication. They allow for secure data transmission without the need for server-side storage. Ensure that tokens are properly signed with a strong algorithm, have short expiration times to reduce risk, and utilize refresh tokens for maintaining long-lived sessions.

Always use HTTPS to encrypt data in transit. This is non-negotiable as it prevents interception and tampering of data between the client and server.

API keys should be employed to identify and authenticate requests. Rotate these keys periodically to mitigate the risk of compromised keys, and ensure they are revoked promptly if a breach is suspected.

For authorization, implement role-based access control (RBAC). Define clear roles with specific permissions tailored to the needs of different user groups. Regularly audit these roles to ensure they are still appropriate and relevant.

Incorporate attribute-based access control (ABAC) to add a layer of dynamic policy management. Enforce policies based on user attributes, resource attributes, and environmental conditions.

Adhere to the principle of least privilege. Only grant permissions that are necessary for users to perform their tasks. This minimizes the potential damage from compromised accounts or insider threats.

Fine-grained access control is also important. Manage permissions at the level of individual API endpoints or specific actions to ensure precise control over what users can and cannot do.

Context-aware access control further enhances security by considering factors such as the user’s location, device type, and the time of the access request.

Ensure comprehensive logging and monitoring of all authentication and authorization events. Lastly, integrate security into the SDLC from the beginning. Use shift left tools to catch authentication and authorization issues early in the development process, ensuring that security is a foundational aspect of your API.

What metrics or indicators should organizations focus on to detect and respond to API security threats?

In my experience, there are six important indicators organizations should focus on to detect and respond to API security threats effectively – shadow APIs, APIs exposed to the internet, APIs handling sensitive data, unauthenticated APIs, APIs with authorization flaws, APIs with improper rate limiting. Let me expand on this further.

Shadow APIs: Firstly, it’s important to identify and monitor shadow APIs. These are undocumented or unmanaged APIs that can pose significant security risks.

Internet-exposed APIs: Limit and closely track the number of APIs accessible publicly. These are more prone to external threats.

APIs handling sensitive data: APIs that process sensitive data and are also publicly accessible are among the most vulnerable. They should be prioritized for security measures.

Unauthenticated APIs: An API lacking proper authentication is an open invitation to threats. Always have a catalog of unauthenticated APIs and ensure they are not vulnerable to data leaks.

APIs with authorization flaws: Maintain an inventory of APIs with authorization vulnerabilities. These APIs are susceptible to unauthorized access and misuse. Implement a process to fix these vulnerabilities as a priority.

APIs with improper rate limiting: Credential stuffing or brute force attacks are the most common API attacks. Organizations should always know if a rate limit is enforced on critical APIs such as login, signup, forgot password, and password reset APIs.

What are some of the best practices for API security that you believe are often overlooked by organizations?

One of the most overlooked best practices in API security is properly managing API endpoints throughout their lifecycle. Most organizations often fail to deprecate old APIs properly, leaving them exposed and vulnerable. They don’t implement a robust API lifecycle management process that includes proper versioning, deprecation, and retirement of APIs.

API security checks throughout the DevSecOps pipeline, especially with a shift-left approach, are forgotten or often not implemented thoroughly.

Input validation and sanitization is the answer to avoiding most of API injection vulnerabilities and are often not implemented properly. Ensuring strict validation on both client and server sides helps tremendously in preventing API attacks.

Implementing and securing API gateways is often overlooked. API gateways are central points of access and control but can become single points of failure if not properly secured.

Rate limiting and throttling are sometimes underutilized. While they are crucial for preventing abuse and denial-of-service attacks, not all organizations implement them effectively.

Zero trust architecture is an advanced practice that’s often overlooked. Adopting a zero-trust model for APIs involves continuously verifying the identity and authorization of each entity accessing the API, regardless of their location within or outside the network.

Finally, encryption of data at rest is often neglected. While encrypting data in transit is standard practice, ensuring that sensitive data stored by APIs is also encrypted adds an additional layer of security. Use encryption and key management best practices to mitigate risk.

Can you share any notable examples of API security breaches and the lessons learned from them?

Let me give you my analysis of five high-profile API security breaches.

Dell (2024): Dell suffered a massive breach where attackers exploited a poorly secured partner portal API to scrape data of 49 million customers. The hacker registered fake partner accounts and used a script to generate 7-digit service tags, sending over 5,000 requests per minute for nearly three weeks without detection. The API lacked rate limiting and adequate monitoring, allowing the attacker to harvest names, addresses, order details, and more. Key takeaway? It’s absolutely essential to implement robust rate limiting.

23andMe (2023): The genetic testing company 23andMe was hit by a credential stuffing attack, which allowed hackers to access the personal data of 6.9 million users. Attackers used credentials obtained from other breaches to log into accounts lacking multi-factor authentication. The key solution? Enforce multi-factor authentication (MFA).

Twitter (2023): Twitter suffered a breach due to an API vulnerability that allowed hackers to match email addresses and phone numbers with user accounts. This resulted in the exposure of data for over 5.4 million users. The attackers combined this information with public data to create comprehensive user profiles. Key lesson is to implement robust input validation and conduct integrate security checks in CI/CD.

Optus (2022): Optus suffered a breach in which attackers exploited an internal, unauthenticated API endpoint that was exposed to the Internet to access customer data, including names, addresses, and ID numbers. The lesson here is to have a complete inventory of APIs and make sure all API endpoints are authenticated, and unauthenticated APIs are not exposed to the Internet.

T-Mobile (2023): T-Mobile experienced a major breach where attackers exploited an API to access the personal information of 37 million customers. The attackers stole data, including names, billing addresses, email addresses, phone numbers, dates of birth, and T-Mobile account details. The solution? Encrypt sensitive data both at rest and in transit to protect it from unauthorized access.

What emerging trends or technologies do you foresee significantly impacting API security in the coming years?

I foresee a clear shift in how large organizations will approach API security in the coming years. They will become even more proactive, deeply embracing a shift-left mentality, and developers will heavily rely on AI to write and maintain code.

One significant trend will be the increasing use of AI in code generation. While AI will dramatically accelerate development, it will also introduce new vulnerabilities that might not be immediately apparent. Organizations must enhance their code review processes to catch these vulnerabilities early and ensure security.

The adoption of microservices architecture will continue to transform the security landscape. As microservices proliferate, they multiply the number of APIs, each presenting a potential attack surface. Companies must implement even more robust API gateways and comprehensive monitoring systems to manage these risks effectively.

As organizations migrate more from on-premises to cloud environments, they will face new and evolving security challenges. The shared responsibility model will require organizations to fully secure their APIs and data in the cloud.

DevSecOps and the shift-left API security strategy will become the default way of running application security programs across sectors. By integrating security into every stage of the development lifecycle, organizations can identify and mitigate issues much earlier, reducing costs and complexities associated with security fixes.

Vendors and organizations will use large language models (LLMs) for vulnerability detection and fixing. Businesses will use LLMs to analyze vast amounts of code to identify security issues and provide real-time fixes, significantly enhancing the speed and accuracy of vulnerability detection and remediation.

Finally, vendors will increasingly integrate security features directly into development tools. This proactive approach will become crucial as development speeds increase, ensuring that security keeps pace with rapid innovation.