API Security: An Overview | By Goran Begic

Many modern web and mobile applications use an application programming interface (API) on the back end. As a set of tools and protocols that give developers flexibility and scalability in front-end applications, APIs are an excellent way to connect with partners, systems, and other developers. Because APIs form the back end of client-facing applications, securing them is critical to protecting users and the systems they connect to.

APIs can be either public or private. Private APIs are used only by specific, dedicated client applications. However, being private does not by itself provide any additional security: client applications can be reverse engineered, and popular front-end technologies like JavaScript make it easy for hackers to discover and abuse the APIs they call.

The primary security concerns for APIs are with authentication and authorization of users.

  • Authentication determines the identity of a user and confirms that the user is who they claim to be.
  • Authorization determines which functions, data, and/or folders a particular user is allowed to access.

Both authentication and authorization present significant security challenges. Just as one cannot trust client applications with API access, one cannot blindly trust the identity of users connecting to your systems. Applications are often vulnerable to brute-force attacks like credential stuffing, to session stealing, and to other forms of impersonating a valid user. Account takeover (ATO) is often the first phase of an attack on a system. It is also a popular method of gaining access to authenticated API services, given the many data breaches in recent years and the habit of many people to reuse passwords. Thus, authentication and authorization in particular require additional layers of protection.
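The distinction above is easy to lose in code: an endpoint that verifies a token has authenticated the caller but has not yet authorized anything. The following added example (not from the original article) shows a minimal API handler in both forms, using a constructed HMAC-signed token and an in-memory note store; `SECRET`, `NOTES` and the function names are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed value for this example only

# Constructed sample data: each note belongs to exactly one user.
NOTES = {
    "n1": {"owner": "alice", "body": "alice's note"},
    "n2": {"owner": "bob", "body": "bob's note"},
}

def issue_token(user):
    """Mint an HMAC-SHA256 signed token naming the authenticated user."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user}).encode()).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def authenticate(token):
    """Authentication: verify the signature and return the identity, or None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def get_note_insecure(token, note_id):
    """Authenticates the caller but never authorizes: any valid user can read any note."""
    user = authenticate(token)
    if user is None:
        return 401, None
    note = NOTES.get(note_id)
    return (404, None) if note is None else (200, note["body"])

def get_note(token, note_id):
    """Authentication, then authorization: the caller must own the requested note."""
    user = authenticate(token)
    if user is None:
        return 401, None
    note = NOTES.get(note_id)
    if note is None or note["owner"] != user:
        # Same response for missing and foreign notes, so callers cannot tell them apart
        return 404, None
    return 200, note["body"]
```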

In addition to attacks on user identity, APIs are also vulnerable to injection attacks such as SQL injection or remote command execution, which can allow an attacker to take over the entire system.

To secure APIs and the web applications that use them, it is critical that developers follow secure coding guidelines, use robust application security testing tools, and deploy runtime application self-protection (RASP) to identify vulnerabilities and prevent exploitation of those that remain.

via Technology & Innovation Articles on Business 2 Community http://ift.tt/2gQGx4X
