Application Programming Interfaces (APIs) are a set of protocols used in building and integrating application software. REST API is short for RESTful API, with REST standing for “Representational State Transfer,” a design and communication approach. REST is a simple and flexible mode of structuring web API. It easily conforms API to architectural constraints associated with web applications.
Based on its flexibility, REST API can be designed in several ways to impact how data is passed in a request. Therefore, being an HTTP-based protocol, any user with an internet connection can access the API. This is where API security issues arise. With the number of APIs increasing globally, over a quarter of businesses use at least twice as many APIs than a year ago, security should be an integral part of the development of APIs. An insecure code can be exploited by attackers for API-based attacks; thus, it is crucial to implement security best practices when developing RESTful APIs.
Best Practices for REST API Security
The following REST API security best practices can help mitigate API attacks:
Use HTTPS or TLS
REST API is an HTTP-based protocol; however, all requests from clients to your API should be encrypted by enabling and enforcing HTTPS from the server. Transport Layer Security (TLS) should be enabled to protect data in transit. Secure Socket Layer (SSL) should be disabled at all levels due to the number of vulnerabilities in the protocol. Encryption policies should be enforced at all possible API mediation layers with legacy protocols and cipher suites disabled.
Implement Authentication and Authorization
Poor authentication and authorization resulting in identification and authentication failures are a critical API vulnerability according to the Open Web Application Security Project Top 10 (OWASP 10). With REST APIs, sessions are stateless; thus, continuously verifying users and programs will help determine whether or not they are authorized to access such data within your organization. It should also be presumed that authenticated sessions have been compromised by analyzing a REST API consumer’s session and requesting additional authentication, denying access, or terminating that session.
Use OAuth2 for Single Sign On (SSO)
While basic authentication can be secure if implemented correctly for most APIs, Open Authorization (OAuth) grants third-party services limited access to an HTTP service. Implementing OAuth for SSO means third-party services act on behalf of users based on secure delegated access. Implementing OpenID Connect allows secure authentication over OAuth (2.0). API keys can also be used where OAuth is unsuitable. The keys should be limited in scope and easily revokable if compromised.
Use an API Gateway
API gateways, when deployed, provide visibility and control over REST API calls for data exchange and functionality. It manages API services and aids the consistent availability and scalability of these services. The gateway management platform handles user authentication, telemetry, and rate-limiting to maintain security between internal services. It also acts as a reverse proxy gatekeeper accepting API calls, coordinating required resources for running services, and returning relevant results upon authentication.
API Client Restrictions
API requests should be restricted to the bare minimum required for running a service. This can be accomplished by limiting supported HTTP methods to prevent misconfigured and malicious clients from performing actions beyond the permissible access level. Only legitimate requests should run, while others should be rejected with an error message.
Scan for Vulnerabilities Regularly
Automatic scans to aid identification and mitigation of vulnerabilities should be maintained throughout the lifecycle of the API. Automated scanning tools detect security gaps by comparing the configuration of your organization’s API against known vulnerability databases. The periodic and automated scan of vulnerabilities aids the continuous security of an organization’s RESTful API.
Deploy API runtime protection
No one can ever perfectly eliminate vulnerabilities from code. And wherever organizations are in their API security journey, they always have a substantial number of APIs already in production. Runtime protection with a dedicated API security solution will keep data and services protected even if developers missed a vulnerability or business logic gap.
Create a REST API Incident Response Playbook
Ensure your Incident Response (IR) team documents Digital Forensics and Incident Response (DFIR) processes taken to REST API attack patterns. An IR playbook detailing common API attacks, intelligence about an attacker, and their techniques should be created. More precision should be employed rather than shutting down a target REST API traffic. Actions like restricting just the suspicious REST API caller, implementing more authentication factors, or monitoring and analyzing the caller and attack behavior should be taken.
Importance Of REST API Security
REST APIs account for 80% of all public web APIs, providing the back end for most mobile applications and IoT devices today while allowing easy integration across systems and applications.
REST APIs are commonly built to:
- Give a networked client access to data on your server.
- Give end-users and programs programmatic access to managed data by your application.
- Allow communication by services within your organization’s application infrastructure.
Any API built for any of the above reasons is susceptible to attacks by threat actors. As a result of the technological similarities between Web APIs and REST APIs, REST APIs are vulnerable to web attacks. Therefore, since APIs are not designed for manual access, testing for vulnerabilities can be complex, especially for undocumented APIs. Hence, minimizing risks through the implementation of security guidelines is advised.
Organizations should constantly ensure that their APIs are functional, secure, and less susceptible to compromise. REST API security should not be a late addition but be included in the API development lifecycle. Practices like authorization and authentication, implementing HTTPS, OAuth, and other best practices should be well observed. Developers and security teams should collaborate and implement technological tools like API gateways as an additional security measure to secure REST APIs.