6 Ways to Secure APIs
Securing APIs should start from the beginning — from design itself. Below are some patterns that can help secure your APIs.
Migrating from an old monolithic application to microservices is gaining traction and has become a trend. Most organizations are encouraging developers to create APIs that help them achieve their digital transformation goals. If you have a complex system to develop but need to deliver quickly and iteratively over a long period, then building it as a set of APIs is a good choice. The question then is: how do you secure these APIs? Securing APIs should start at the beginning, with the design itself. Below are some patterns that can help.
1. Secure Coding
Developers should think about writing secure code from the beginning. Following OWASP (Open Web Application Security Project) guidelines, tools, and training prevents the large majority of common code vulnerabilities (by one estimate, around 85%). It is very important to validate each and every input that your API receives. For example, say your API accepts name as a string parameter and runs some business logic on it. Instead of only checking that name is not null, check it against a specific allowlist pattern, such as letters and digits only. This rejects most payloads used for SQL injection, but treat it as defense in depth: the primary control against SQL injection is to pass the value to the database as a bound parameter rather than concatenating it into the query text, because an allowlist can always be loosened later by someone who needs to accept apostrophes or spaces in names.
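As an added example (not code from the original article), here is the allowlist check for the name parameter beside the query it protects, using Python's built-in sqlite3 module against a constructed in-memory table. The unsafe variant is included only to make the injection visible; the safe variant combines the allowlist with parameter binding.

```python
import re
import sqlite3

# Allowlist for the "name" parameter: letters and digits only, 1 to 64 characters.
# (Loosen deliberately if your data needs spaces or apostrophes; binding still protects you.)
NAME_PATTERN = re.compile(r"^[A-Za-z0-9]{1,64}$")


def validate_name(name):
    """Return the name if it matches the allowlist, otherwise raise ValueError."""
    if not isinstance(name, str) or not NAME_PATTERN.fullmatch(name):
        raise ValueError("invalid name parameter")
    return name


def setup_db():
    """Constructed sample table with two users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the caller's string becomes part of the SQL text."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Hardened: allowlist validation first, then a bound parameter.

    The driver sends the value separately from the statement, so even a value
    that slipped past the allowlist can never change the query's structure.
    """
    name = validate_name(name)
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("unsafe returns", len(find_user_unsafe(db, payload)), "rows for the payload")
    print("safe returns", find_user_safe(db, "alice"))
```

Running the unsafe function with the classic `' OR '1'='1` payload returns every row; the safe function rejects the same payload at validation and, for a valid name, returns only the matching user.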
2. DevSecOps
Most organizations use DevOps, but as we move further toward IoT and robotics, the future is DevSecOps: a culture of running security scans as part of the DevOps workflow. Web applications and APIs have become primary targets for attackers, so it is good practice to run security gates in your CI/CD pipeline. SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) tools can be integrated to run as part of the pipeline and expose SQL injection and other vulnerabilities during the build itself, before the code reaches production.
3. HTTPS Instead of HTTP
Use HTTPS everywhere instead of plain HTTP. HTTPS is HTTP carried over TLS (the successor to SSL) and provides confidentiality and integrity for traffic between two machines over the internet or an intranet. TLS uses the server's digital certificate to authenticate the server to the client, and can optionally use a client certificate as well so that both sides authenticate each other (mutual TLS). This protects against man-in-the-middle attacks, but only if the client actually validates the certificate chain and hostname; disabling verification to silence a certificate error, or accepting obsolete protocol versions, removes the protection.
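As an added example (not from the original article), the weak client setting beside the corrected one, using Python's standard ssl module. The audit function is a small check you can drop into a code review or a unit test to catch contexts that silently disable verification; the URL check refuses to make a call over plain HTTP at all.

```python
import ssl
from urllib.parse import urlsplit


def make_client_context():
    """Client TLS context that verifies the chain and hostname and refuses old protocols."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def make_insecure_context():
    """The weak setting commonly pasted in to 'fix' certificate errors. Do not ship this."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including an attacker's, is accepted
    return ctx


def audit_client_context(ctx):
    """Return a list of problems with a client SSLContext; an empty list means it is acceptable."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 are accepted")
    return problems


def require_https(url):
    """Refuse to call an API over plain HTTP; returns the URL unchanged when it is https."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-TLS URL: {url}")
    return url


if __name__ == "__main__":
    print("hardened:", audit_client_context(make_client_context()))
    print("insecure:", audit_client_context(make_insecure_context()))
    print(require_https("https://api.example.com/v1/orders"))  # hypothetical endpoint
```

The hardened context can be passed to `urllib.request.urlopen(url, context=ctx)` or `http.client.HTTPSConnection(host, context=ctx)`; libraries such as requests verify by default, and the same audit logic applies to any code path that sets `verify=False`.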
4. Access and Identity Tokens
OAuth 2.0 provides a delegated authorization mechanism. It is one of the most widely used industry standards and defines different grant types for different use cases.
The client credentials grant of OAuth 2.0 is the right choice for machine-to-machine communication between a backend client and a server, where no end user is involved. The access tokens themselves are commonly issued as JWTs (JSON Web Tokens): signed claims such as issuer, audience, expiry, and scopes that the API can verify locally without calling back to the authorization server. A JWT is a token format used within OAuth 2.0 rather than an alternative to it, and the API must verify the signature and the claims, not merely decode the token.
5. Scan Code Repositories
Most apps and APIs depend on third-party libraries, which often make up the large majority of the shipped code base (by one estimate, around 80%). It is therefore very important to scan these libraries for known vulnerabilities, and to set up the deployment pipeline so that it fails the build when a vulnerable version is pulled in rather than merely reporting it. Tools such as JFrog Xray and others are available to scan third-party libraries against vulnerability databases.
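As an added example (not code from the original article or from any scanner it names), the decision logic of such a pipeline gate: pinned dependencies are compared against an advisory list and the build is failed when a pin is below the fixed version. The advisory entries and the requirements file are constructed for the example and are not real CVEs or packages.

```python
# Constructed advisory feed standing in for a real vulnerability database (not real CVEs).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "examplelib", "fixed_in": "2.4.1"},
    {"id": "EXAMPLE-2024-0002", "package": "yamlthing", "fixed_in": "6.0.0"},
]

# Constructed requirements.txt content used by the demo.
SAMPLE_REQUIREMENTS = """\
examplelib==2.3.0   # below the fixed version, should block the build
yamlthing==6.0.1    # already at or above the fix
requestsish==1.0.0  # no advisory
"""


def parse_version(text):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically ('2.10' > '2.9').

    Real tools use full PEP 440 parsing (e.g. the 'packaging' library); this
    handles only plain dotted-integer versions.
    """
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text):
    """Read a requirements file; refuse to gate anything that is not pinned with ==."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency, cannot evaluate: {line}")
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def find_vulnerable(pins, advisories=ADVISORIES):
    """Return (package, pinned_version, advisory_id) for each pin below its fixed version."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is not None and parse_version(pinned) < parse_version(adv["fixed_in"]):
            findings.append((adv["package"], pinned, adv["id"]))
    return findings


def gate(requirements_text, advisories=ADVISORIES):
    """CI gate: returns 0 to let the build continue, 1 to fail it."""
    findings = find_vulnerable(parse_requirements(requirements_text), advisories)
    for package, version, advisory in findings:
        print(f"BLOCKED: {package}=={version} is affected by {advisory}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REQUIREMENTS))
```

Exiting non-zero is what makes this a gate rather than a report: the pipeline step fails and the artifact is never published. Unpinned dependencies are rejected outright, since a floating version cannot be evaluated and would let a vulnerable release in after the scan has passed.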
6. Protect Secrets
The rule of thumb is to never check API keys, passwords, client credentials, or any other material that could be used to establish unauthorized access into source control. A common practice is to pass secrets to the application through environment variables, which keeps them out of the code base and the build artifact; be aware that environment variables can still leak through process listings, crash dumps, and child processes, so they should be populated from a secrets store at deploy time rather than from a committed .env file. In general: keep secrets encrypted at rest and hand them to the application as an external dependency at runtime. One popular way of doing this in Spring is Spring Vault.
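As an added example (not code from the original article), two halves of this rule in Python: a pre-commit style check that flags secrets already sitting in source, run over a constructed sample file, and a loader that fails fast when a required secret was not supplied through the environment. The patterns and sample lines are assumptions for the example; real secret scanners ship far larger rule sets.

```python
import os
import re

# A few high-signal patterns. These are illustrative; production scanners use many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # variable named like a credential assigned a quoted literal of 4+ characters
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|pwd|api[_-]?key|secret)\s*[:=]\s*['\"][^'\"]{4,}['\"]"
    ),
}

# Constructed sample source file (the key below is a fake, not a real credential).
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter22345"
AWS_KEY = "AKIAEXAMPLEKEY000001"
api_key = os.environ["API_KEY"]
"""


def find_hardcoded_secrets(source_text):
    """Return (line_number, pattern_name) for every line that looks like an embedded secret."""
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings


def load_secret(name, env=None):
    """Fetch a required secret from the environment; refuse to start without it.

    Failing here is better than falling back to a default or an empty string,
    which is how 'temporary' credentials end up in production.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set; inject it from your secrets store")
    return value


if __name__ == "__main__":
    for lineno, kind in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: possible {kind}")
    # Would raise RuntimeError unless DB_PASSWORD was injected by the deployment:
    # db_password = load_secret("DB_PASSWORD")
```

Wiring `find_hardcoded_secrets` into a pre-commit hook or CI step stops the secret before it reaches the repository history, which matters because a secret that has been pushed must be rotated, not just deleted in a later commit.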
There are other options too like:
- Using rate limit
- Using firewalls — web and application
- Using API gateway to enforce different policies
These are covered in detail in the next section.
Opinions expressed by DZone contributors are their own.