June 17th, 2015
Common API Threats: spoofing, tampering, repudiation, denial of service, unauthorized access, confidentiality violation
Identification – Know Your Consumer
The common approach to implementing this is API keys: randomly generated values that differ for each consumer, so that every request can be traced back to the consumer that sent it.
Authentication – Is the Consumer Authentic?
Username/password over SSL/TLS: the API consumer provides a username and password to prove its identity, and the transport is encrypted so the credentials are not exposed in transit.
OAuth – Adds security by providing token-based access. A token can carry attributes such as an expiration time, which means a consumer can perform certain activities only for a certain period; after that it must renew the token or obtain a new one, depending on the strategy being implemented.
SAML – Another mechanism for authentication. Security Assertion Markup Language (SAML) is an XML standard for exchanging assertions. Typically, the identity provider validates the user's identity and inserts the appropriate assertions to describe things like which applications and resources the user has access to, their roles, etc.
OpenID is another solution that provides functionality similar to OAuth and SAML.
Authorization – Is consumer authorized to perform a certain action?
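The three checks above (identification by per-consumer API key, authentication that issues an expiring token, and authorization of a specific action) can be seen working together in the following added example; it is not code from the original post, and the consumer names, permissions and in-memory stores are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores (a real deployment would use a database).
_consumers = {}      # consumer_id -> sha256(api_key); keys stored hashed
_tokens = {}         # token -> (consumer_id, expiry timestamp)
_permissions = {     # constructed authorization policy per consumer
    "billing-app": {"read:invoice"},
    "reporting-app": {"read:invoice", "write:invoice"},
}

def register_consumer(consumer_id):
    """Identification: give each consumer its own random API key."""
    api_key = secrets.token_urlsafe(32)
    _consumers[consumer_id] = hashlib.sha256(api_key.encode()).hexdigest()
    return api_key  # returned once to the consumer; only the hash is kept

def identify(consumer_id, api_key):
    """Check the presented key against the stored hash in constant time."""
    stored = _consumers.get(consumer_id)
    if stored is None:
        return False
    presented = hashlib.sha256(api_key.encode()).hexdigest()
    return hmac.compare_digest(stored, presented)

def issue_token(consumer_id, api_key, ttl_seconds, now=None):
    """Authentication: exchange a valid key for a token with an expiry."""
    if not identify(consumer_id, api_key):
        return None
    issued_at = now if now is not None else time.time()
    token = secrets.token_urlsafe(32)
    _tokens[token] = (consumer_id, issued_at + ttl_seconds)
    return token

def authorize(token, action, now=None):
    """Authorization: allow the action only for a live token whose
    consumer is permitted to perform it; expired tokens are discarded
    so the consumer has to renew."""
    entry = _tokens.get(token)
    if entry is None:
        return False
    consumer_id, expiry = entry
    current = now if now is not None else time.time()
    if current >= expiry:
        _tokens.pop(token, None)
        return False
    return action in _permissions.get(consumer_id, set())
```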
Apart from these basic things, one might also want to consider the following:
JSON attacks: since most APIs accept or return JSON, requests and responses can be intercepted in transit. An API gateway can take care of this for all requests and responses.
Data protection: depending on the information being sent or received, we might need to encrypt certain data elements or mask them so that it is difficult to guess or figure out what they are and what they really mean. Examples are PHI or PCI data.