If you work in any area of application programming interface (API) development, you’ll know that there are always concerns. Will the software manage errors effectively? How will it cope with large datasets? The list seems endless at times. One major concern many developers focus on is the security threats their APIs may face.
With the cost of cybercrime expected to reach $13.82 trillion by 2028, the issue of cybersecurity is very real. If you are developing REST APIs, what threats might you face, and how should you be tackling them? Should you have a checklist of best practices during development to minimize any potential threats?
What is REST API?
An application programming interface (API) is a set of protocols and definitions developers use when building application software. Put simply, it is a ‘contract’ between the application user and the application. You could also see it as a communication conduit that carries a request and allows for an exchange of information and/or data.
REST API (you may also hear the term RESTful API) is an application programming interface built in the REST (representational state transfer) architectural style, which allows communication between RESTful web services.
REST API security threats
To paraphrase Sun Tzu, knowing your enemy is crucial. By knowing what cyber security threats (especially the most common ones) your REST API may face, you can better plan for how to prevent those threats.
We’ve listed some of them below:
- Denial of Service (DoS): In a DoS attack, the system is overloaded by an enormous volume of requests sent by a cybercriminal. If your REST API suffers a successful DoS attack, it could be rendered non-functional and left exposed to the attackers.
- Injection attack: This attack can give cybercriminals access to sensitive data and information. The attacker embeds malicious code in unsecured programs, most often through SQL injection or cross-site scripting.
- Sensitive data exposure: If there is a lack of encryption at any point in how your API handles data, then it may be exposed to attack. When you consider that a lot of data (health details, credit card info, etc.) is highly confidential, unsecured data can be a major risk.
- Broken authentication: If you have inadequate or missing authentication, you are leaving your API and app open to a cyberattack. From passwords to JSON web tokens to API keys, this can be a major weak point if not tackled.
- Parameter tampering: If a cybercriminal manipulates the parameters that are exchanged between user and server, they can modify various data in the application such as prices, product quantities, and user credentials. This can pose a major risk to enterprise collaboration systems.
- Man in the Middle (MITM): As the name suggests, with this type of attack the cybercriminal positions themselves between two systems and intercepts the communications. This allows them to alter or steal any confidential data. There are two stages to a MITM attack: interception and decryption.
- Broken access control: Access control (or authorization) is how you limit access to certain functions or content. If your access control is faulty or flawed, attackers can access data or take control of accounts.
Moreover, implementing proxy detection mechanisms can help identify and mitigate attacks originating from suspicious or anonymized sources, adding an essential layer to your security framework.
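The first threat in the list, DoS, is usually met at the edge by refusing traffic that exceeds a per-client budget before it reaches the expensive parts of the API. The following is an added example (not code from the original article) of a token-bucket rate limiter in plain Python; the capacity, refill rate, client identifiers and the traffic it replays are all constructed for the demonstration.

```python
import time
from typing import Dict, Optional, Tuple


class RateLimiter:
    """Per-client token bucket.

    Each client can burst up to `capacity` requests, then sustain
    `refill_per_sec` requests per second. Anything beyond that is refused
    (typically with HTTP 429) before it consumes real work.
    """

    def __init__(self, capacity: int, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        # client id -> (tokens remaining, timestamp of last update)
        self._buckets: Dict[str, Tuple[float, float]] = {}

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        """Return True if the request may proceed, False if it should be refused."""
        now = time.monotonic() if now is None else now
        tokens, last = self._buckets.get(client_id, (float(self.capacity), now))
        # refill in proportion to the time elapsed, never above capacity
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True
        self._buckets[client_id] = (tokens, now)
        return False


def simulate(requests, capacity: int = 5, refill_per_sec: float = 1.0) -> Dict[str, Tuple[int, int]]:
    """Replay (client_id, timestamp) pairs and return {client: (allowed, refused)}."""
    limiter = RateLimiter(capacity, refill_per_sec)
    outcome: Dict[str, Tuple[int, int]] = {}
    for client, ts in sorted(requests, key=lambda r: r[1]):
        allowed, refused = outcome.get(client, (0, 0))
        if limiter.allow(client, now=ts):
            outcome[client] = (allowed + 1, refused)
        else:
            outcome[client] = (allowed, refused + 1)
    return outcome


# Constructed traffic: "burst" fires 10 requests in under a second,
# "steady" sends one request every two seconds.
SAMPLE_REQUESTS = [("burst", i / 10) for i in range(10)] + [("steady", 2.0 * i) for i in range(5)]

if __name__ == "__main__":
    print(simulate(SAMPLE_REQUESTS))  # {'burst': (5, 5), 'steady': (5, 0)}
```

Keying the bucket on an authenticated client identity rather than only on the source IP matters once traffic arrives through proxies or CDNs, which is where the proxy detection mentioned above fits in.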
9 best security practices for REST API development
You are now aware of some of the most common security threats your REST API may face. You have to assume that any program or system is under threat, whether it is a banking app or an AI customer care program. In the development stage, what security measures should you implement or advise users to use?
1. TLS (transport layer security) encryption
The data transferred by your API—such as B2B intent data—is important and can have varying degrees of confidentiality. If you use TLS for your API, then all communications between the end user and the application will be encrypted.
TLS is not only good for your REST API but also for your web app. It will also secure any authentication credentials such as passwords, tokens, or API keys.
2. Have a robust authentication and authorization model
You may use common techniques—such as security tokens or API keys—to manage access to your REST API. However, managing those keys and tokens can present its own challenges.
The complexity of managing those access options can lead to security vulnerabilities for your REST API. You can reduce security risks in this area by integrating your API with an identity management system that will both issue and authenticate tokens and keys. You can also use a centralized gateway for your API that will protect your data.
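To make the token part of this concrete, here is an added example (not the article's code and not a library the author recommends) of the minimum a token issuer and verifier must do: sign the payload, compare the signature in constant time, check expiry, and only then consult the scopes for authorization. The signing key, token format, subject and scope names are all constructed for the demonstration; in practice the key comes from a secrets manager or identity provider, and a standard library for JWT or opaque tokens would replace this hand-rolled format.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Assumption: a real deployment loads this from a secrets manager or KMS;
# this constant is a constructed demo value only.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: List[str], ttl_seconds: int,
                now: Optional[float] = None, key: bytes = SIGNING_KEY) -> str:
    """Mint `<payload>.<signature>`: a JSON payload with subject, scopes and expiry,
    signed with HMAC-SHA256 (a minimal JWT-like shape, not a JWT library)."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "scp": scopes, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: Optional[float] = None, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Return the payload if signature and expiry check out, otherwise None.
    The signature is checked before the payload is parsed, so untrusted
    input never reaches the JSON decoder."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:  # wrong number of segments
        return None
    expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return None
    try:
        payload = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def authorize(token: str, required_scope: str, now: Optional[float] = None) -> bool:
    """Authentication (valid, unexpired token) and authorization (scope present) in one call."""
    payload = verify_token(token, now)
    return payload is not None and required_scope in payload.get("scp", [])
```

The point to take from the example is the order of checks: signature first, expiry second, scope last. An identity management system or API gateway does exactly this on your behalf, with key rotation and revocation added on top.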
3. Keep URLs free of sensitive information
One of the most common design flaws with REST APIs is the inclusion of sensitive information in the URL. This can include things such as API keys, user credentials, or tokens. Even if you are using TLS, cybercriminals can easily discover this information.
You also have to consider that your URL may be logged frequently by the servers it passes through and any networking devices on the API’s data path. This can expose any sensitive information to further threats. Always ensure that any URL you use is free of all sensitive data and that you follow online security protocols.
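Two defensive measures follow from this point: a check that flags credential-like query parameters (useful in code review or CI), and redaction at the logging layer so that a URL that slips through never lands in a log file in clear. The following is an added example, not code from the article; the parameter-name list, the log line and the URLs are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that must never carry a credential in a URL (assumed list; extend as needed)
SENSITIVE_PARAMS = {"api_key", "apikey", "key", "token", "access_token", "password", "secret"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_sensitive_params(url: str) -> list:
    """Names of credential-like query parameters present in the URL (for a lint/CI check)."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in query if name.lower() in SENSITIVE_PARAMS})


def redact_url(url: str, mask: str = "REDACTED") -> str:
    """Mask userinfo (user:pass@) and sensitive query values before the URL is logged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{mask}@{host}" if (parts.username or parts.password) else host
    query = [(name, mask if name.lower() in SENSITIVE_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(query), parts.fragment))


def scrub_log_line(line: str) -> str:
    """Redact every URL in a log line; wire this into the logging formatter."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), line)
```

Redaction is a safety net, not the fix: the credential belongs in the Authorization header (or a request body over TLS), where intermediaries and access logs do not record it by default.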
4. Utilize the cloud for large API security datasets
If you operate your API security on-premises, then you will have a limit when it comes to analyzing activity. Not only are you limited to short windows, but that API data is then discarded. Given that many cyberattacks are ‘slow burn’ and can happen over weeks or months, this can render your security ineffectual.
If you instead use the cloud for data from your API’s activity, you are accessing the computational power and scalability to analyze activity over longer periods. It also means you can conduct more detailed analyses and boost your security.
5. Use behavioral analytics
The power afforded you by using the cloud for API activity data also means that, once you have accumulated enough activity data, you can use behavioral analytics. Behavioral analytics can be very useful when it comes to formulating an outbound sales strategy, but it can also be an important tool in your security strategy.
Furthermore, incorporating tools like a cold emailing tool to enhance engagement can optimize your interactions with potential clients, leveraging the insights gained from your data analysis. This approach not only supports sales initiatives but is also an important tool in your security strategy.
The first benefit of applying behavioral analytics is that it identifies all the players and may include end users as well as legitimate business processes. You can then identify ‘normal’ patterns of usage and, from that, make it easier to identify any ‘abnormal’ behavior that may indicate a security threat.
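Sections 4 and 5 together describe one workflow: retain activity data long enough to learn each client's normal pattern, then flag deviations from it. The following is an added example (not the article's code or any particular vendor's product) of the simplest version of that idea: per-client hourly request counts, a median baseline from the client's own history, and an alert when an hour exceeds a multiple of that baseline. The log format, the client names and the 25 hours of traffic are constructed for the demonstration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed log format: one request per line, ISO timestamp plus key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) client=(?P<client>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)


def make_sample_log() -> List[str]:
    """Constructed data: two clients over 25 hours; 'acme-app' jumps from 5 to 40 requests in the last hour."""
    start = datetime(2024, 5, 1, tzinfo=timezone.utc)
    lines = []
    for hour in range(25):
        per_hour = {"acme-app": 40 if hour == 24 else 5, "partner-b": 8}
        for client, n in per_hour.items():
            for i in range(n):
                ts = start + timedelta(hours=hour, seconds=60 * i)
                lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} client={client} method=GET path=/v1/orders status=200")
    return lines


def hourly_counts(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """client -> 'YYYY-MM-DDTHH' bucket -> request count. Malformed lines are skipped."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m["client"]][m["ts"][:13]] += 1
    return counts


def detect_volume_anomalies(lines: List[str], factor: float = 3.0, min_history: int = 6) -> List[dict]:
    """Flag any client-hour whose count exceeds `factor` x that client's own median over earlier hours.
    The baseline is per client, so a busy partner is not flagged merely for being busy."""
    alerts = []
    for client, buckets in hourly_counts(lines).items():
        hours = sorted(buckets)  # ISO prefixes sort chronologically
        for idx, hour in enumerate(hours):
            history = [buckets[h] for h in hours[:idx]]
            if len(history) < min_history:
                continue  # not enough baseline yet
            baseline = statistics.median(history)
            if buckets[hour] > factor * baseline:
                alerts.append({"client": client, "hour": hour, "count": buckets[hour], "baseline": baseline})
    return alerts
```

With only a short on-premises retention window there would be no history to compute the median from, which is the practical reason the article ties behavioral analytics to longer-term storage. The same structure extends to other signals (share of 4xx responses, number of distinct paths per client) once the data is kept.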
6. Implement continuous discovery
It’s not always about the REST API you’re developing now. Even with the best security measures, developers can be caught out by ‘shadow’ APIs. These could exist in old legacy infrastructure or may have been implemented outside of your normal processes. Whatever their origins, they can pose a real threat to your API’s security.
Utilizing collaboration software in this continuous discovery process can ensure that information about all APIs is shared and understood by all relevant teams, enhancing transparency and proactive management.
By implementing continuous discovery, you can build an inventory of all APIs. You should be looking at data from API activity that includes the following sources:
- Any API gateways
- Your content delivery networks (CDN)
- Cloud provider logs
- Log management systems
Analyzing the data collected from these sources will identify all APIs in use across your systems. If you find other REST APIs that are now defunct but causing issues, you can look to remove or decommission them.
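Here is an added example (not the article's code) of the inventory step described above: records from three of the listed sources are parsed, paths are normalised so numeric ids collapse to one template, and anything not in the documented inventory is reported as a shadow endpoint along with where it was seen. The three log shapes, the documented inventory and the sample records are constructed for the demonstration; real gateway and cloud-provider formats differ and need their own parsers.

```python
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Endpoint = Tuple[str, str]  # (method, normalised path)

# Assumed documented inventory for a hypothetical orders API
DOCUMENTED: Set[Endpoint] = {("GET", "/v1/orders"), ("POST", "/v1/orders"), ("GET", "/v1/orders/{id}")}

ID_SEGMENT = re.compile(r"/\d+(?=/|$)")
GATEWAY_RE = re.compile(r"method=(\S+) path=(\S+)")      # constructed gateway key=value format
CDN_RE = re.compile(r'"(\S+) (\S+) HTTP/\d\.\d"')          # common-log style CDN format


def normalize_path(path: str) -> str:
    """Drop the query string and collapse numeric ids so /v1/orders/123 and /v1/orders/7 match."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    return ID_SEGMENT.sub("/{id}", path)


def parse_record(source: str, line: str):
    """Return (source, method, path) from one of three assumed log shapes, or None if unrecognised."""
    if source == "gateway":
        m = GATEWAY_RE.search(line)
        return (source, m.group(1), m.group(2)) if m else None
    if source == "cdn":
        m = CDN_RE.search(line)
        return (source, m.group(1), m.group(2)) if m else None
    if source == "cloud":  # JSON lines, as many cloud providers emit
        try:
            rec = json.loads(line)
            return (source, rec["httpMethod"], rec["resourcePath"])
        except (ValueError, KeyError, TypeError):
            return None
    return None


def observed_endpoints(records: Iterable[Tuple[str, str]]) -> Dict[Endpoint, Set[str]]:
    """endpoint -> set of sources it was seen in."""
    seen: Dict[Endpoint, Set[str]] = defaultdict(set)
    for source, line in records:
        parsed = parse_record(source, line)
        if parsed:
            src, method, path = parsed
            seen[(method.upper(), normalize_path(path))].add(src)
    return seen


def find_shadow_apis(records, documented: Set[Endpoint] = DOCUMENTED) -> List[Tuple[str, str, List[str]]]:
    """Endpoints seen in traffic that are absent from the documented inventory."""
    seen = observed_endpoints(records)
    return sorted((m, p, sorted(srcs)) for (m, p), srcs in seen.items() if (m, p) not in documented)


# Constructed sample records from the three sources
SAMPLE_RECORDS = [
    ("gateway", "2024-05-01T10:00:01Z method=GET path=/v1/orders/123 status=200"),
    ("gateway", "2024-05-01T10:00:02Z method=POST path=/v1/orders status=201"),
    ("cdn", '203.0.113.9 - - [01/May/2024:10:00:03 +0000] "GET /v1/orders?page=2 HTTP/1.1" 200 512'),
    ("cdn", '203.0.113.9 - - [01/May/2024:10:00:04 +0000] "GET /v1/legacy/export HTTP/1.1" 200 9000'),
    ("cloud", '{"httpMethod": "DELETE", "resourcePath": "/v1/orders/77", "status": 204}'),
    ("cloud", '{"httpMethod": "GET", "resourcePath": "/v1/legacy/export", "status": 200}'),
]
```

Note that the report is keyed on method as well as path: an undocumented DELETE on a documented resource is just as much a shadow surface as a forgotten legacy route, and the source list tells you which team to ask about it.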
7. Provide narrow definitions for requests and responses
Cybercriminals look to utilize APIs in malicious ways. This means that a request (or response) may not be what it purports to be. By providing narrow definitions for API requests—such as format, parameter types, length, etc.—you reduce the chances of an attack using requests to your API.
It also helps to extend these narrow definitions to the responses your REST API is able to provide. Consider limiting what each endpoint accepts to the HTTP methods (such as GET or POST) and content types it actually needs, and limiting what it returns to the documented fields.
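The following is an added example (not the article's code) of a request contract enforced in code: only the listed method and content type are accepted, the body has a size cap, every field has a type, range or length limit, unknown fields are rejected, and the response is narrowed to documented fields. The endpoint, field names and limits are constructed for the demonstration; in a real service this is what a schema validator (OpenAPI/JSON Schema) does for you.

```python
import json
import re
from typing import Any, Dict, List

# Assumed contract for a hypothetical POST /v1/orders endpoint: only the listed
# fields, types and ranges are accepted; anything else is rejected outright.
ORDER_CONTRACT: Dict[str, Any] = {
    "methods": {"POST"},
    "content_type": "application/json",
    "max_body_bytes": 4096,
    "fields": {
        "sku": {"type": str, "required": True, "max_len": 32, "pattern": re.compile(r"^[A-Z0-9-]+$")},
        "quantity": {"type": int, "required": True, "min": 1, "max": 100},
        "note": {"type": str, "required": False, "max_len": 200},
    },
}

# Fields a client is allowed to see; internal columns never leave the service.
ORDER_RESPONSE_FIELDS = {"id", "sku", "quantity", "status"}


def validate_request(method: str, content_type: str, raw_body: bytes,
                     contract: Dict[str, Any] = ORDER_CONTRACT) -> List[str]:
    """Return a list of violations (empty means the request matches the contract)."""
    if method.upper() not in contract["methods"]:
        return [f"method {method} not allowed"]
    if content_type.split(";")[0].strip().lower() != contract["content_type"]:
        return [f"unsupported content type {content_type}"]
    if len(raw_body) > contract["max_body_bytes"]:
        return ["body too large"]
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]

    errors: List[str] = []
    fields = contract["fields"]
    for name in sorted(body.keys() - fields.keys()):
        errors.append(f"unexpected field {name}")  # e.g. a client trying to set a server-owned value
    for name, spec in fields.items():
        if name not in body:
            if spec.get("required"):
                errors.append(f"missing field {name}")
            continue
        value = body[name]
        # bool is a subclass of int in Python, so reject it for integer fields explicitly
        if not isinstance(value, spec["type"]) or (spec["type"] is int and isinstance(value, bool)):
            errors.append(f"field {name} has wrong type")
            continue
        if "max_len" in spec and len(value) > spec["max_len"]:
            errors.append(f"field {name} longer than {spec['max_len']}")
        if "pattern" in spec and not spec["pattern"].match(value):
            errors.append(f"field {name} has invalid format")
        if "min" in spec and value < spec["min"]:
            errors.append(f"field {name} below minimum {spec['min']}")
        if "max" in spec and value > spec["max"]:
            errors.append(f"field {name} above maximum {spec['max']}")
    return errors


def shape_response(record: Dict[str, Any]) -> Dict[str, Any]:
    """Narrow a stored record to the documented response fields."""
    return {k: v for k, v in record.items() if k in ORDER_RESPONSE_FIELDS}
```

Rejecting unknown fields is what closes the parameter-tampering case from the threat list: a client that adds its own price or role field gets an error rather than a silently accepted value.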
8. Share and collaborate
It may seem obvious, but one of the best security practices you can follow is to share and collaborate. Documenting how your REST API is being used, what security threats it faces, and any vulnerabilities you have identified, and then sharing that information with your DevOps team and other relevant personnel, can help mitigate risk. This can be especially helpful if you have teams using cross-platform development tools.
9. Be proactive and hunt for threats
Don’t wait until threats become a very real risk; seek them out so you can take action. If you do wait, there is a chance that a risk becomes an incident, one that could damage your business. Implementing preventive maintenance for your systems and regularly updating security protocols can further strengthen your defenses against potential breaches.
If you go looking for threats, you may find there have been unsuccessful attempts, and these can help you find weaknesses and shore them up.
Close analysis of your API’s usage activity can also expose any previously undiscovered vulnerabilities before they are exploited. As the saying goes, prevention is better than cure.
The takeaway
As cybercriminals get cleverer and find new and innovative ways to mount attacks, you need to keep up with them, or ideally stay ahead of them. These criminals often see APIs as a convenient way of gaining access to an app or system and stealing any data and information used and stored there.
There will always be attacks and there will always be vulnerabilities with REST APIs, but developers have a responsibility to reduce and mitigate any identified risks. By following these best practices, you are taking an important step to making your API less prone to any attack.
Austin Guanzon – Tier 1 Support Manager
Austin Guanzon is the Tier 1 Support Manager for Dialpad, the leading AI-powered customer intelligence platform. He is a customer retention and technical support expert, with experience at some of the largest tech service companies in the US. You can find him on LinkedIn.