API Security: An Overview

An introduction and high-level look at the primary concerns of API security: authentication and authorization of users.

by Goran Begic · Jan. 17, 17 · Opinion

Many modern web and mobile applications use an application programming interface (API) on the back end. As a set of tools and protocols that let developers build flexible and scalable front-end applications, APIs are an excellent way to enable connections with partners, systems, and other developers. Because the API is the back end of client-facing applications, securing it is critical to protecting users and the systems connected to it.

APIs can be either public or private. Private APIs are used only by specific, dedicated client applications. However, being private does not by itself provide any additional security: client applications can be reverse engineered, and popular front-end technologies like JavaScript make it easy for hackers to discover and abuse the APIs behind them.

The primary security concerns for APIs are with authentication and authorization of users.

  • Authentication determines the identity of a user and confirms that the user is who they claim to be.
  • Authorization determines which functions, data, and/or folders a particular user is allowed to access.

Both authentication and authorization present significant security challenges. Just as one cannot trust client applications with API access, one cannot blindly trust the identity of users connecting to your systems. Applications are often vulnerable to brute-force attacks such as credential stuffing, as well as to session stealing and other forms of impersonating a valid user. Account takeover (ATO) is often the first phase of an attack on a system. It is also a popular method of gaining access to authenticated API services, given all the data breaches in recent years and the habit many people have of reusing passwords. These two activities in particular therefore require additional layers of protection.
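To make the distinction between the two concerns concrete, here is an added example (not code from the article or its author) of a minimal API back end that separates authentication from authorization and counts failed logins so that credential stuffing against one account is cut off after a few attempts. The user store, usernames, passwords, roles and permission names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store (hypothetical, not from the article).
# Passwords are stored as salted PBKDF2 hashes, never as plaintext.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

USERS = {
    "alice": _make_user("correct horse battery staple", "admin"),
    "bob": _make_user("hunter2-but-longer", "viewer"),
}

MAX_FAILED_ATTEMPTS = 5       # lockout threshold against brute force
_failed_attempts = {}         # username -> consecutive failed logins
_sessions = {}                # opaque token -> username

def authenticate(username: str, password: str):
    """Authentication: confirm the caller is who they claim to be.
    Returns an opaque session token on success, None on any failure."""
    user = USERS.get(username)
    if user is None:
        # Spend the same hashing cost for unknown users so the response time
        # does not reveal whether the username exists.
        _hash_password(password, b"\x00" * 16)
        return None
    if is_locked(username):
        return None  # locked out: blunts credential stuffing on this account
    given = _hash_password(password, user["salt"])
    if not hmac.compare_digest(user["hash"], given):
        _failed_attempts[username] = _failed_attempts.get(username, 0) + 1
        return None
    _failed_attempts[username] = 0
    token = secrets.token_urlsafe(32)  # unguessable, so sessions cannot be forged
    _sessions[token] = username
    return token

def is_locked(username: str) -> bool:
    return _failed_attempts.get(username, 0) >= MAX_FAILED_ATTEMPTS

# Constructed role-to-permission mapping.
ROLE_PERMISSIONS = {
    "admin": {"read_report", "delete_user"},
    "viewer": {"read_report"},
}

def authorize(token: str, action: str) -> bool:
    """Authorization: decide whether an already-authenticated caller may
    perform `action`. An unknown token is unauthenticated and always denied."""
    username = _sessions.get(token)
    if username is None:
        return False
    role = USERS[username]["role"]
    return action in ROLE_PERMISSIONS.get(role, set())

if __name__ == "__main__":
    tok = authenticate("alice", "correct horse battery staple")
    print("alice may delete_user:", authorize(tok, "delete_user"))
    bob = authenticate("bob", "hunter2-but-longer")
    print("bob may delete_user:", authorize(bob, "delete_user"))
```

Note that the lockout check runs before the password comparison, so once an account is locked even the correct password is refused until the counter is reset; a production system would make that counter persistent and time-bounded rather than an in-process dictionary.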

In addition to attacks on user identity, APIs are also vulnerable to injection attacks such as SQL injection and remote command execution, which can let hackers take over the entire system for their own purposes.

To secure APIs and the web applications that use them, it is critical that developers follow secure coding guidelines, use robust application security testing tools to identify vulnerabilities, and deploy runtime application self-protection (RASP) to prevent exploitation of those vulnerabilities that do remain.


Published at DZone with permission of Goran Begic, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
