/ Security Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

API Security: An Overview

DZone's Guide to

API Security: An Overview

An introduction and high-level look at the primary concerns of API security: authentication and authorization of users.

by
Goran Begic
·
Jan. 17, 17 · Security Zone
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Discover how to protect your applications from known and unknown vulnerabilities.

Many modern web or mobile applications use an application programming interface (API) on the back end. As a set of tools and protocols that enable developers to provide flexibility and scalability in the front end applications, APIs are an excellent way to enable connections with partners, systems, and other developers. As the back end of client facing applications, therefore, securing APIs is critical to protecting users and connected systems.

APIs can be either public or private. Private APIs are used only for specific, dedicated client applications. However, private APIs do not provide any additional security. Client applications can be reverse engineered and popular front-end technologies like JavaScript make it easy for hackers to discover and abuse APIs.

The primary security concerns for APIs are with authentication and authorization of users.

  • Authentication is what determines the identity of a user and confirms if a user is who s/he claims to be.
  • Authorization is what determines the functions, data, and/or folders a particular user is allowed access to.

Both authentication and authorization present significant security challenges. Just as one can not trust client applications with API access, one can not blindly trust the identity of users connecting with your systems. Often applications are vulnerable to brute force attacks like credential stuffing, session stealing, and other forms of impersonation of valid user. Account takeover (ATO) is often the first phase of an attack on a system. It is also a popular method of gaining access to authenticated API services, given all the data breaches in recent years and the habit of many people to reuse passwords. Thus, these two activities in particular require additional layers of protection.

In addition to attacks on user identity , APIs are also vulnerable to injection attacks like SQL injection or remote command execution attacks, which enable hackers to basically take over the entire system for their own purposes.

To secure APIs and the web applications that use them, it is critical that developers follow secure coding guidelines, use robust application security testing tools, and runtime application self-protection (RASP) to identify vulnerabilities and prevent exploitation of those vulnerabilities that do exist.

Find out how Waratek’s award-winning virtualization platform can improve your web application security, development and operations without false positives, code changes or slowing your application.

Like This Article? Read More From DZone

Introduction to SAML for Managers
10 Most Common Web Security Vulnerabilities
API Security: Ways to Authenticate and Authorize

Free DZone Refcard

Java EE Security Essentials
DOWNLOAD
Topics:
security ,api ,integration ,authorization ,authentication

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of Goran Begic, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Security Partner Resources

CISO’s Guide to Application Security
Building Security Into Cloud Applications
Learn how to build secure software at enterprise scale.
See how the Agile Security Manifesto can help your firm build secure software in an agile way.
Software Security Testing: Blending Art and Science
Take control of your risk management process by overcoming the 6 most common threat modeling misconceptions.
Traditional Application Security Approaches Are Not Working
Webinar: Secure your apps against a deserialization attack. It's not possible, is it?
Bring your Java apps up to date with the latest Java release with no code changes

Security Partner Resources

CISO’s Guide to Application Security
Building Security Into Cloud Applications
Learn how to build secure software at enterprise scale.
See how the Agile Security Manifesto can help your firm build secure software in an agile way.
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone