How to Mitigate Security Risks with APIs

APIs in the Current World

With the advancement of SOA and new-age technologies coming door-to-door, we see how the Internet of Things is touching our everyday lives, be it from Apple Watch and Fitbit to building apps in automobiles, banking, the retail industry, etc.

I recently read somewhere that eCommerce for JC Penny is gaining more popularity, reducing the in-store presence of their customer base and leveraging online and mobile channels to better promote their products.

Risks Exposed by APIs

All of this functionality comes with the exposure of APIs for third-party developers to use and build their apps. But exposing APIs over public network comes with its own risks.

We all know that hacking has grown in frequency and seriousness. Just a few of the recent hacking attempts and attacks to customer-sensitive data are:

• 6 million Snapchat customer credentials were published
• Yahoo experienced breach of data over the internet
• API vulnerability exposed accounts of Delmarva power customers
• Nissan also came under scrutiny for a potential hack

There are different kinds of vulnerabilities and risks that lead to these hacks:

1. Client Impersonation

A hacker is able to gain access to client apps by impersonating the client, thereby gaining access to client info.

2. Phising

Choosing a Global Software Development Partner to Accelerate Your Digital Strategy

To be successful and outpace the competition, you need a software development partner that excels in exactly the type of digital projects you are now faced with accelerating, and in the most cost effective and optimized way possible.

Get the Guide

Phishing is caused by a redirection-based handshake in OAuth 2.0. A hacker inserts his own URL as a callback and gets access to the token from OAuth server. This vulnerability could cause malicious entry of hackers into the systems that are not supposed to be accessed.

3. Brute Force

When the hacker is trying this “exhaustive effort” to get into the system using certain patterns, it could open up the security aspects and allow entry into the DMZ and internal systems. This is a very common kind of attack often tried by malicious users.

4. Injections

Hackers are able to inject code snippets into the client call and hence is able to gain access. This can happen in the form of SQL, LDAP, Xpath, XQuery, and other code injections. For example:

Select * from Table where id=’12312’ or ‘1’=’1’. Here the second condition will always evaluate to true thereby allowing injections and getting all records from table back.

5. Denial of Service

This is one of the most common forms of attack on network systems. In APIs, when a client has a certain predetermined number of calls (rate limited) for some APIs as part of their contract, if the hacker keeps calling these APIs and max out the number of API calls, it could potentially prevent the client from being able to make those calls again since the APIs would be monetized.

How to Mitigate Those Risks

API management provides techniques to mitigate most of these problems.

APIs integrate data across multiple platforms by maintaining a common channel for data to move across mobile, portals, wearable, or other devices and require proper authentication techniques the for user to login and gain access to information via API gateways.

1. APIs help to maintain core data and access using system-level code APIs in a secured zone. These core APIs sit in the secured zone and hence can ONLY be accessed using a call from the demilitarized zone (DMZ) layer.
2. APIs configure a gateway in the DMZ zone for the process-layer, which is responsible for:

• Authentication of all users trying to access the system level information, including core data and backend systems
• Prevention of most code injection techniques by doing request pattern matching, schema validation, etc. and hence mitigating further risks of any sort on the trusted system layer
• Enabled access to control features, such as the number of calls per API during a specified time, restriction of certain sub-domains, and IP addresses from a core API, availability of certain services at certain specified times, etc.

3. In addition to the system layer in the secured zone and process layer in DMZ layer, API management solutions can also provide an “experience layer” which is used to expose APIs, market APIs to third-party application developers, and monetize them.

This layer can be used more like an “explorer” layer where any interaction with outside work, businesses as well as some reports on advanced analytics of API traffic can be generated.

In conclusion, API management solves most of the security threats that can be potentially faced by organizations, businesses, and groups that are looking to leverage APIs for increased profits and future growth. Even though it may not be a sufficient condition to ensure security and success, it is definitely a necessary step toward ensuring the success of any business that requires use of more than just a monolithic-based architecture for its technology implementation and has external consumers, which is the case with most of the organizations.