5 Simple Strategies for Securing APIs

If an organization implements these five strategies as part of an API security architecture, it will have taken many of the steps necessary to keep their data secure.

by Bill Oakes · Mar. 10, 17 · Opinion

I have the privilege of working with some pretty savvy folks when it comes to APIs and security. Scott Morrison, a distinguished engineer at CA, is one of those people. Over the past few years, we saw several incidents that could have been prevented with proper API management and security and the advice from someone with Scott’s experience. Here are five simple strategies for securing APIs, information Scott and the team at CA put together for our customers, and what might happen if you don’t adopt these strategies.

1. Validate Parameters

Validate all incoming data against a list of what’s considered permissible inputs into the system, and make it as restrictive as possible to harden that defense.

And if you don’t? A great example that’s been in the news quite a bit is Niantic, the creators of the Pokemon Go app. The app has a private API (meaning, not published for public consumption) that functions as the access point for the backend application that manages Pokemon Go user interaction and game algorithms.

Note that while Niantic never published an open API, they didn’t secure it sufficiently. That mistake allowed external developers to access and reverse-engineer the API and build apps that exposed even more information than was visible in the official app, ranging from individual value calculators that compute a Pokemon’s strength, to nearby Pokemon scanners and bots. Other industrious developers built third-party apps like Pokevision and FastPokeMap. All of these apps pulled their data directly from Niantic’s servers.

Because of the volume of third-party apps hitting Niantic’s servers, and the processing power needed to handle their requests, downtime and server-side issues followed. To address this, Niantic changed their API so that these applications could no longer reach the server. However, in less than a week, developers cracked the new API again by reverse engineering the client source code and regained access to the new interface.

Better validation of incoming API requests for realistic user inputs at realistic rates could have prevented the situation entirely and has been implemented in recent updates.
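An added example (not from the article or CA) of what allowlist validation plus a request-rate plausibility check looks like for a hypothetical location-query endpoint like the one described above; the field names, ranges and limits are assumptions.

```python
"""Allowlist validation of API parameters plus a plausibility check on request rate.
Added example; the endpoint, field names and limits are hypothetical."""
import re
import time
from collections import defaultdict, deque

# Allowlist schema: every permitted field with its type and permitted range or pattern.
# Anything not listed here is rejected, which is what "as restrictive as possible" means.
SCHEMA = {
    "player_id": {"type": str, "pattern": re.compile(r"^[a-f0-9]{32}$")},
    "lat": {"type": float, "min": -90.0, "max": 90.0},
    "lon": {"type": float, "min": -180.0, "max": 180.0},
    "radius_m": {"type": int, "min": 1, "max": 500},
}

# Plausibility limit (assumed): a human on a phone does not poll faster than this.
MAX_REQUESTS_PER_WINDOW = 10
WINDOW_SECONDS = 60.0
_history = defaultdict(deque)  # player_id -> timestamps of recent requests


def validate_params(params):
    """Return a list of violations; an empty list means the request is acceptable."""
    errors = [f"unexpected field: {name}" for name in params if name not in SCHEMA]
    for name, rule in SCHEMA.items():
        if name not in params:
            errors.append(f"missing field: {name}")
            continue
        value = params[name]
        # bool is a subclass of int; reject it explicitly so True does not pass as 1.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"wrong type for {name}")
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append(f"bad format for {name}")
        if "min" in rule and not (rule["min"] <= value <= rule["max"]):
            errors.append(f"out of range: {name}")
    return errors


def check_rate(player_id, now=None):
    """True if this caller is within the plausible request rate, False if it exceeds it."""
    now = time.monotonic() if now is None else now
    hist = _history[player_id]
    while hist and now - hist[0] > WINDOW_SECONDS:  # drop timestamps outside the window
        hist.popleft()
    if len(hist) >= MAX_REQUESTS_PER_WINDOW:
        return False
    hist.append(now)
    return True
```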

2. Apply Explicit Threat Detection

Scott suggests scanning any input to an API gateway for common attack signatures, such as SQL injection or script injection — especially if customer data is involved.

If you don’t? McAfee, a security company, recently was hit with a script injection attack on their anti-malware solution, VirusScan for Linux. While they’ve patched the software, by applying Scott’s advice, they likely wouldn’t have had this vulnerability.
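An added example (not the article’s or CA’s code) of the gateway-side signature scan Scott recommends: a small, illustrative set of SQL and script injection patterns run over request parameters before they reach the backend. A production gateway would use a maintained ruleset; the sample requests in the test are constructed.

```python
"""Scan API gateway inputs for common injection signatures. Added example;
the pattern set is illustrative, not a complete ruleset."""
import re
from urllib.parse import unquote_plus

# Each signature: (name, compiled pattern). Patterns are case-insensitive and
# deliberately broad, since the point of a gateway check is to block and log early.
SIGNATURES = [
    ("sql_tautology", re.compile(r"(['\"])\s*or\s+\1?\d+\1?\s*=\s*\1?\d+", re.I)),
    ("sql_comment_or_stack", re.compile(r"(--|/\*|;\s*(drop|delete|update|insert)\b)", re.I)),
    ("sql_union_select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon(click|load|error|mouse[a-z]+|focus|blur)\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
]


def normalize(value):
    """Undo URL encoding (twice, to catch double-encoded inputs) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(str(value)))
    return " ".join(decoded.split())


def scan_request(params):
    """Return [(field, signature_name), ...] for every field that matches a signature."""
    hits = []
    for field, value in params.items():
        text = normalize(value)
        for name, pattern in SIGNATURES:
            if pattern.search(text):
                hits.append((field, name))
    return hits


def gateway_decision(params):
    """Block the request if any signature fires; return the decision and the findings."""
    hits = scan_request(params)
    return ("block" if hits else "allow"), hits
```

The findings list is what you would write to the gateway log, so that blocked requests are visible to the security operations team rather than silently dropped.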

3. Turn on SSL Everywhere

Secure your app from man-in-the-middle (MITM) attacks. SSL is the way to do this. It provides integrity on all exchanges between a client and a server. This is a simple policy to implement, and there’s no downside to doing it.

If you don’t? Both Facebook and Instagram have recently had issues with MITM exposure. In both cases, enforcing SSL would have addressed that exposure.

4. Apply Rigorous Authentication and Authorization

A strong authentication and authorization system needs to be in place. For many situations, OAuth is the most appropriate API authorization technique.

If you don’t? Tesla made the news recently because, rather than use OAuth, their Model S engineers chose to develop their own authentication scheme. By simply obtaining the owner’s email address and password (through multiple techniques described in this brief by George Reese), a bad actor could track every move the car makes, and could also cause economic harm by taking control of vehicle functions and dramatically shortening battery life on trips, potentially leaving the owner stranded on the side of the road with a very dead Model S. Reese and Morrison are on the same page on this issue: “OAuth is the proper authentication mechanism for user-to-system authentication.”
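An added example (not from the article, CA, or Tesla) of the authorization half of this strategy: an OAuth 2.0 access token, already validated and turned into a claims dict by token introspection or JWT verification, is checked for liveness, audience and the specific scope each endpoint needs, so a token that may read the car’s location cannot control it. The audience, scopes, endpoints and claims are hypothetical.

```python
"""Scope-based authorization of an OAuth 2.0 access token before serving an API call.
Added example; the claims dict stands in for a token introspection result, and the
audience, scopes and endpoints are hypothetical."""

API_AUDIENCE = "https://api.example.test/vehicle"

# Least privilege: each endpoint names the one scope it needs. Reading a location
# must not imply control of the car; control is a separate, explicitly granted scope.
ENDPOINT_SCOPES = {
    "GET /vehicle/location": "vehicle:read",
    "POST /vehicle/climate": "vehicle:control",
    "POST /vehicle/unlock": "vehicle:control",
}


def authorize(claims, endpoint, now):
    """Return (allowed, reason). Every check must pass; the first failure is reported."""
    required = ENDPOINT_SCOPES.get(endpoint)
    if required is None:
        return False, "unknown endpoint"
    if not claims.get("active", False):
        return False, "token inactive or revoked"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("nbf", 0) > now:
        return False, "token not yet valid"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in audiences:  # a token minted for another API is not ours to honour
        return False, "token issued for a different audience"
    granted = set(claims.get("scope", "").split())  # OAuth scope is a space-separated list
    if required not in granted:
        return False, f"missing scope {required}"
    return True, f"ok as subject {claims.get('sub')}"


# Constructed introspection result: a read-only token bound to this API.
SAMPLE_CLAIMS = {
    "active": True,
    "sub": "owner-1234",
    "aud": API_AUDIENCE,
    "scope": "vehicle:read",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
}
```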

5. Use Proven Solutions

Do not invent your own security solutions. Yes, home-grown solutions are out there, but they’re never as solid as a hardened API management solution built from the ground up to provide the security policies that protect your business and its data.

If an organization implements these five strategies as part of an API security architecture, it will have taken many of the steps necessary to keep their data secure.

Do you have any API security successes or mistakes we can learn from? Please share them in the comments.


Published at DZone with permission of Bill Oakes, DZone MVB. See the original article here.
