DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Please enter at least three characters to search
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

The software you build is only as secure as the code that powers it. Learn how malicious code creeps into your software supply chain.

Apache Cassandra combines the benefits of major NoSQL databases to support data management needs not covered by traditional RDBMS vendors.

Generative AI has transformed nearly every industry. How can you leverage GenAI to improve your productivity and efficiency?

Modernize your data layer. Learn how to design cloud-native database architectures to meet the evolving demands of AI and GenAI workloads.

Related

  • Unlocking the Benefits of a Private API in AWS API Gateway
  • API and Security: From IT to Cyber
  • Securely Sign and Manage Documents Digitally With DocuSign and Ballerina
  • Securing APIs in Modern Web Applications

Trending

  • Infrastructure as Code (IaC) Beyond the Basics
  • Operational Principles, Architecture, Benefits, and Limitations of Artificial Intelligence Large Language Models
  • Agile’s Quarter-Century Crisis
  • Building Reliable LLM-Powered Microservices With Kubernetes on AWS
  1. DZone
  2. Data Engineering
  3. Databases
  4. API Security Weekly: Issue 166

API Security Weekly: Issue 166

In this post, discover more about securing large API ecosystems, creating OpenAPI from HTTP traffic, Frankenstein APIs, and API proliferation.

By 
Colin Domoney user avatar
Colin Domoney
DZone Core CORE ·
Jul. 08, 22 · News
Likes (4)
Comment
Save
Tweet
Share
5.5K Views

Join the DZone community and get the full member experience.

Join For Free

This week, we have a comprehensive article on approaches to securing large API ecosystems, an interesting read on how to create OpenAPI definitions from HTTP traffic, how “Frankenstein APIs” are exposing businesses to additional risk, and why the continued API proliferation presents security challenges to organizations.

Securing Large API Ecosystems

First up this week is an excellent article from Michał Trojanowski in TheNewStack discussing the challenges facing the security of large API ecosystems. Trojanowski’s view is that security patterns applied to small-scale API deployments do not scale nor are they appropriate for larger-scale API deployments.

APIs tend to grow in either breadth (a flat hierarchy exposing large numbers of APIs directly) or in depth (a nested hierarchy of APIs coupled together):

API Gateway: breadth grown or depth grown

Both patterns present security challenges in their own right, namely:

  • For breadth-grown APIs, any caller with a valid token can access any of the API endpoints — the scope of access is typically too broad to adequately secure the endpoints.
  • For depth-grown APIs, tokens may be reused between layered API endpoints, leading to security issues or leaking tokens to 3rd party services.

Trojanowski suggests some possible solutions to overcoming these challenges.

  1. Use a claims-based authorization scheme (for example, the audience claim aud) to limit the API access for a given token.
  2. Use token-sharing approaches (tokens are exchanged between coupled API services) to limit the scope of downstream services using a token, thus also limiting the impact of lost or leaked tokens.
  3. Use a dedicated entitlement management system, such as Open Policy Agent.

The key takeaway here is that large-scale API deployments are complex and fraught with danger if an overly simplified approach is taken with regard to security.

Creating OpenAPI Definitions From HTTP Traffic

Readers of this newsletter will know I often advocate for an API-design-first strategy based on the OpenAPI Specification (OAS) at its core. The benefits are well established now, including ease of documentation, easier testing and mocking during development, and of course, being able to embed security as early as possible in the design lifecycle.

The biggest challenge to the design-first approach is the fact that in many cases, organizations already have deployed a considerable number of APIs in production that do not have the corresponding OpenAPI definitions. Typically, this presents a challenge to teams to “reverse-engineer” a specification from an existing implementation.

In an article on APIsYouWon’tHate, Phil Sturgeon describes an elegant method to obtain an OpenAPI definition by reverse-engineering based on snooping the HTTP traffic to APIs. The solution uses the Akita observability tool to extract the details for the API definition from the web traffic log. Sturgeon’s approach uses the mitmproxy tool to capture traffic and then dump the traffic in HAR format. The Akita tool is then used to convert the HAR archive into an OpenAPI definition in YAML format.

As the drive toward design-first accelerates, good, robust, and automated solutions for reverse-engineering existing API deployments become increasingly important: this is a great starting point!

“Frankenstein APIs” Explained

Brenton House has written an article on his so-called “Frankenstein APIs” this week, describing them as APIs which are “creatively pieced together using unorthodox methods and is driven by a strong need for functionality.”

House describes “Frankenstein APIs” arising when an existing piece of functionality does not exist and there is a strong business need to provide a bespoke functionality. The most common anti-pattern is that development teams use a variety of non-standard methods and tooling to accomplish the business objective. Unfortunately, the resultant APIs can be notoriously fragile in terms of maintainability, extensibility, and, of course, security. Typically, developers are more focused on simply getting the job done, and delegate or totally omit security controls that might otherwise be required.

This is a quick and fun read on the topic. The key takeaway from House is to fully embrace an API-first strategy and to resist the temptation to rudimentary and fragile shortcuts.

Security Pitfalls of API Proliferation

The final article this week comes from Byron Acohido who discusses how API proliferation is leading to security pitfalls. This thought-provoking article suggests that APIs are rapidly increasing the attack surface of an organization because APIs act as a conduit between various services, each of which may be vulnerable to attacks. Essentially, the API acts as a “built-in tool on steroids”  facilitating attacks by adversaries.

Attackers are increasingly aware of the value of APIs as an attack vector, and many recent major cyber security breaches started with discovery or reconnaissance through public APIs before attackers pivoted to other internal systems. Additionally, APIs are also an invisible attack vector because they are often poorly documented or invisible to traditional protection mechanisms.

Rather unsurprisingly, Acohido’s advice for avoiding such security pitfalls is to fully embrace a shift-left approach toward API development, thereby ensuring that APIs are made visible and that any security issues can be identified and addressed as early as possible.

API security

Published at DZone with permission of Colin Domoney. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • Unlocking the Benefits of a Private API in AWS API Gateway
  • API and Security: From IT to Cyber
  • Securely Sign and Manage Documents Digitally With DocuSign and Ballerina
  • Securing APIs in Modern Web Applications

Partner Resources

×

Comments
Oops! Something Went Wrong

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends:

Likes
There are no likes...yet! 👀
Be the first to like this post!
It looks like you're not logged in.
Sign in to see who liked this post!