API Security: Is It Really Crucial?

26 July 2017 |


Perhaps, there is no man in the whole world, who wouldn’t have locked his property under seven seals, protecting it from thieves. Various locks and padlocks, solid construction doors, windows with burglar-resistant glass, alarm systems and much more are used to ensure security. Wonder how all this anticrime measures refer to API? I can say with 100% sure that it is directly concerned with Application Programming Interface. Let’s look closer why it comes to be true.

In e-Commerce, API enables various apps to integrate with shopping carts, performing info interaction in fast and secure way. This API-based approach of connecting to different platforms is considered to be effective and simple method of communication and data sharing. However, all transferred information appears to be a ‘property’ that has to be protected against attacks.

Scott Morrison at CA Technologies has described this problem in his e-book “Five Simple Strategies for Securing APIs”. He outlines 3 major attack vectors that developers should look out for. Also the book describes 5 mitigation strategies to publish APIs more securely. Have a look at this digital content for better understanding how to build safer APIs.

Strategy 1. Validate Parameters


The first step for any resilient API implementation is to sanitize all incoming data to confirm that it is valid and will not cause harm. The single most effective defense against parameter manipulation and injection attacks is to validate all incoming data against a strict schema—effectively a description of what are considered permissible inputs to the system. Schema validation should be as restrictive as possible, using typing, ranges, sets and even explicit white listing whenever possible. Consider also that the automatically generated schemas produced from many development tools often reduce all parameters to models that are much too broad to be effective at identifying potential threats. Hand-built schemas and white lists are more preferred because developers can constrain inputs based on their understanding of the data model an application expects.

One option for XML-based content types is to use the XML schema language, which is highly effective in creating restricted content models and highly constrained structure. For the increasingly common JSON data types, there are several JSON schema description languages. Although not as rich as XML, JSON is far simpler to compose and understand—offering a transparency which actually makes it simpler to secure.

Strategy 2. Apply Explicit Threat Detection


Good schema validation can protect against many injection attacks, but consider also explicit scanning for common attack signatures. SQL injection or script injection attacks often betray themselves by following common patterns that are easy to spot by scanning raw input.

Consider also that attacks may take other forms, such as a denial of service (DoS). Leverage networking infrastructure to spot and mitigate network-level DoS assaults, but also check for DoS attacks that exploit parameters. Very large messages, heavily nested data structures, or overly complex data structures can all result in an effective denial-of-service attack that needlessly consumes resources on an affected API server.

Apply virus detection to all potentially risky encoded content. APIs involved in file transfer should decode base64 attachments and submit these to server-grade virus scanning before persisting to a file system where they could be inadvertently activated.

Strategy 3. Turn on SSL Everywhere


Make SSL/TLS the rule for all APIs. In the 21st century, SSL isn’t a luxury; it is a basic requirement. Adding SSL/TLS—and applying this correctly—is an effective defense against the risk of man-in-the-middle attacks.

SSL/TLS provides integrity on all data exchanged between a client and a server, including important access tokens such as those used in OAuth. It optionally provides client-side authentication using certificates, which is important in many environments.

Strategy 4. Apply Rigorous Authentication and Authorisation


User and app identity are concepts that must be implemented and managed separately. Consider authorization based on a broad identity context, including practical factors such as incoming IP address (if known to be fixed or within a particular range), access time windows, device identification (useful for mobile apps), geolocation, etc.

OAuth is quickly becoming the go-to resource for user-centric API authorization, but it still remains a complex, rapidly changing, and difficult technology. Developers should defer to the basic, well-understood OAuth use cases and always use existing libraries rather than trying to build their own.

Strategy 5. Use Proven Solutions


The first rule of security is: Do not invent your own. There is no reason to create your own API security framework, as there are excellent security solutions that already exist for APIs. The challenge lies in applying them correctly.

The best way to secure your API from any type of intrusion is to separate out API implementation and API security into distinct tiers. This is a very logical separation of concerns, one that focuses expertise on the right problem at the right time.

This approach frees an API developer to focus completely on the application domain, ensuring that each API is well-designed and promotes integration between different apps. Security then falls into the domain of the expert, who can focus solely on identity, threats, and data security.

I expect that this article is useful to read as API provides a great possibility to integrate apps easily and quickly. However, in the same time it is a double-edged sword that increases the risk of hackers attacks. If a developer takes care about security before API designing, he will reap the rewards of this technology extremely securely.

API2Cart as an API provider strives to ensure integration security and offers the reliable tool to perform connection to 30+ shopping carts, including Magento, WooCommerce, Bigcommerce, Shopify, PrestaShop, OpenCart and others.

If you have some questions about API2Cart’s API security, don’t hesitate to schedule a FREE Call with our expert. We are always ready to provide an advice according to your specific business needs and demands.