Building A Successful API Strategy

The InfoSec Consulting Series #32

By Jay Pope


What is the most important aspect of an API strategy? Designing for commercial success? Delivering the most productive developer experience? Security? Clearly, they are all important. Security, however, is the one area that cannot be compromised. Data persistence security is an essential aspect of all in-house and commercial systems: securing access to in-house or client data is paramount, and that means applying the highest grade of security to the APIs through which that data is reached. Here we consider the most common threat vectors and how to mitigate them in an API strategy that makes data persistence the cornerstone of security.


Threat Vectors

Security strategy begins with understanding and evaluating the three most common attack vectors.


Parameter Attacks

An attacker uses a parameter attack to exploit a weakness in a system or its underlying infrastructure through the data the API accepts: an HTTP header, a URL path segment, a query parameter or a request body field. The classic example is SQL injection, where a crafted parameter value becomes part of a SQL statement and changes its meaning. APIs are vulnerable to this kind of attack for two reasons:

  • The parameter name usually indicates its purpose, giving an attacker a clue as to how it may be abused;
  • The developer coding the API may be used to a web framework sanitising input on the front end, and may process the parameter without further validation. An API has no front end in between: whatever arrives on the wire reaches the handler unchanged.

Man In The Middle

Here, an attacker intercepts genuine communication between an application and the system in order to steal valuable or sensitive data. The attacker may also alter the communication, replacing or adding data, or may capture a valid transaction to modify and replay later. Attackers may present themselves to one of the parties or they may operate invisibly, but in all cases they get into the communication by finding a weakness in the signing or encryption of the messages. This is usually the result of poor implementation practice: failing to use encryption at all, not verifying the other end's certificate, or otherwise configuring it incorrectly.


Identity Attacks

The concept of a user account with associated access rights has been in use since the early days of computing and is present in today's browser and web-based apps. APIs add a second concept, application identity: a secret key (an API key or client secret) identifies the calling application to the API. An identity attack exploits a weakness in the authentication or authorisation logic built on that key. The key is typically embedded somewhere in the code or configuration of a genuine calling application, such as a mobile app or a script, from which an attacker can extract it and then impersonate that application.


API Security – Mitigation Strategies

The security strategy takes shape by considering how to best protect against these attack vectors.

Parameter Validation

We protect against parameter attacks by thoroughly validating every parameter supplied in an API call against a specific schema. The schema ensures that each value is of the correct type and within the expected range and, where appropriate, conforms to an allowlist of permitted values or to a regular expression that must match the whole value. A validation schema can be generated as part of the design process, but a generated schema is often too generic and lets rogue data through; it should be replaced or extended so that it fully implements the validation rules defined for each parameter, and it should reject parameters it does not know about. Both JSON Schema and XML Schema provide for this kind of constraint in their schema languages. Note that validation is not the same as sanitising: a validated value is still data and must be passed to the persistence layer as a bound parameter, never spliced into a query string.
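
To make the allowlist approach concrete, here is an added example (not code from the original article) of a small schema validator in Python, written for a hypothetical "list orders" endpoint whose parameter names, formats and limits are assumed for illustration. Query-string values arrive as text, so the validator coerces them strictly, matches regular expressions against the whole value, and rejects any parameter the schema does not name:

```python
import re


# Constructed schema for a hypothetical "list orders" endpoint. Every rule is
# an allowlist: type, range, a fixed set of values, or a regular expression
# that must match the WHOLE value (re.fullmatch), so a tail such as
# "' OR 1=1--" can never ride along on an otherwise valid customer ID.
ORDER_QUERY_SCHEMA = {
    "customer_id": {"type": str, "pattern": r"[A-Z]{3}-[0-9]{6}", "required": True},
    "status": {"type": str, "enum": {"open", "shipped", "cancelled"}},
    "limit": {"type": int, "min": 1, "max": 100},
}


class ValidationError(ValueError):
    """Raised with the full list of problems so the caller can log them all."""

    def __init__(self, errors):
        super().__init__("; ".join(errors))
        self.errors = errors


def _coerce(name, value, expected):
    """Turn a raw query-string value into the schema type, strictly."""
    if expected is int:
        if isinstance(value, bool):  # bool is an int subclass; reject it
            raise ValueError(f"{name}: expected integer")
        if isinstance(value, int):
            return value
        # Only a canonical decimal form is accepted, so "10abc", "0x1f",
        # "1e3" and non-ASCII digit strings are rejected, not parsed.
        if isinstance(value, str) and re.fullmatch(r"-?[0-9]{1,9}", value):
            return int(value)
        raise ValueError(f"{name}: expected integer")
    if expected is str:
        if isinstance(value, str):
            return value
        raise ValueError(f"{name}: expected string")
    raise ValueError(f"{name}: unsupported type in schema")


def check(params, schema):
    """Validate params against schema; return (clean_values, errors).

    Anything not explicitly permitted is rejected, including parameter
    names the schema does not mention, so a forgotten field cannot leak
    through to the handler unvalidated.
    """
    errors = [f"{name}: unexpected parameter" for name in params if name not in schema]
    clean = {}
    for name, rule in schema.items():
        if name not in params:
            if rule.get("required"):
                errors.append(f"{name}: required")
            continue
        try:
            value = _coerce(name, params[name], rule["type"])
        except ValueError as exc:
            errors.append(str(exc))
            continue
        problems = []
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            problems.append(f"{name}: does not match allowed format")
        if "enum" in rule and value not in rule["enum"]:
            problems.append(f"{name}: not an allowed value")
        if "min" in rule and value < rule["min"]:
            problems.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            problems.append(f"{name}: above maximum {rule['max']}")
        if problems:
            errors.extend(problems)
        else:
            clean[name] = value
    return clean, errors


def validate(params, schema=ORDER_QUERY_SCHEMA):
    """Raise ValidationError on any problem, otherwise return typed values."""
    clean, errors = check(params, schema)
    if errors:
        raise ValidationError(errors)
    return clean


if __name__ == "__main__":
    print(validate({"customer_id": "ABC-123456", "limit": "10"}))
    print(check({"customer_id": "ABC-123456' OR 1=1--", "limit": "1000"}, ORDER_QUERY_SCHEMA)[1])
```

A generated JSON Schema or XML Schema plays the same role in a real service; what matters is that each rule is an allowlist, that an out-of-range `limit` is rejected rather than clamped, and that the injection payload fails on format alone, before it gets anywhere near a query.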

Protect Against Specific Threats

The API strategy should proactively check for and mitigate common attack vectors:

  • Scan incoming data for the signatures of common threats, such as SQL injection, as a tripwire for logging and blocking (this complements parameterised queries; it does not replace them)
  • Configure the network infrastructure to identify and absorb DoS attacks, and rate-limit callers at the API gateway
  • Detect and reject excessively large or deeply nested messages and data structures before parsing them
  • Apply rigorous malware scanning to encoded (for example base64) content, using a high-grade scanner, and do not write decoded content to the file system until it has been thoroughly validated
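
The size and complexity limits, and the SQL injection point, in working form. This is an added example rather than anything from the article; the byte limit, the depth limit and the in-memory `orders` table are constructed for illustration. The guard rejects oversized and deeply nested bodies before `json.loads` is called, and the two query functions show why a pattern scan is only a backstop: the vulnerable version (kept deliberately broken) returns every row for a classic payload, while the bound-parameter version treats the same payload as a plain string:

```python
import json
import sqlite3

MAX_BODY_BYTES = 64 * 1024   # constructed limit; size it for the endpoint's real payloads
MAX_DEPTH = 8                # JSON nested deeper than this is rejected before parsing


class RejectedRequest(ValueError):
    """A request refused by the guard; maps to HTTP 413 or 400 at the edge."""


def nesting_depth(text):
    """Maximum bracket depth of a JSON document, scanned without parsing it.

    String contents are skipped (respecting backslash escapes) so a bracket
    inside a value does not count. Runs in O(n) and never recurses, which is
    the point: json.loads() on deeply nested input can exhaust the stack.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def parse_body(raw, max_bytes=MAX_BODY_BYTES, max_depth=MAX_DEPTH):
    """Apply size and complexity limits, then parse. Cheap checks come first."""
    if len(raw) > max_bytes:
        raise RejectedRequest(f"body of {len(raw)} bytes exceeds {max_bytes}")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise RejectedRequest("body is not valid UTF-8") from None
    if nesting_depth(text) > max_depth:
        raise RejectedRequest(f"nesting exceeds {max_depth} levels")
    try:
        return json.loads(text)
    except (ValueError, RecursionError):
        raise RejectedRequest("body is not valid JSON") from None


def accept(raw):
    """Convenience wrapper returning (parsed, error) instead of raising."""
    try:
        return parse_body(raw), None
    except RejectedRequest as exc:
        return None, str(exc)


# --- SQL injection: string building versus parameter binding ----------------

def make_orders_db():
    """Constructed in-memory table standing in for the persistence layer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer_id TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [(1, "ABC-123456"), (2, "DEF-654321"), (3, "GHI-111111")])
    return conn


def orders_for_customer_vulnerable(conn, customer_id):
    # Deliberately broken for illustration: the value is spliced into the
    # statement, so a quote in customer_id changes the query's meaning.
    sql = f"SELECT id FROM orders WHERE customer_id = '{customer_id}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def orders_for_customer(conn, customer_id):
    # Hardened form: the driver binds the value; it can only ever be data.
    sql = "SELECT id FROM orders WHERE customer_id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


if __name__ == "__main__":
    print(accept(b"[" * 9 + b"]" * 9))
    db = make_orders_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", orders_for_customer_vulnerable(db, payload))
    print("bound:     ", orders_for_customer(db, payload))
```

The guard runs before any business logic and before the schema validation described in the previous section, so an attacker cannot make the service do expensive work on a body it was always going to reject.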

Implement Authentication & Authorisation, Separately

Authentication is the process of confirming the identity of the end user or of the application making the API call. Authorisation is the subsequent, separate step of deciding whether that identity may access the system or execute a particular function. Developers coming from web applications, where a framework often bundles the two, need to adopt an API mindset that keeps them apart: a valid credential answers who is calling, not what they may do. Authorisation decisions should take contextual facts into account, such as the caller's IP address range, the unique identifier of the device, the end user's location and an allotted time window. OAuth 2.0 is increasingly used for API authorisation, issuing access tokens scoped to what a client may do on an end user's behalf (OpenID Connect adds end-user authentication on top of it). Mature OAuth libraries embody well-designed implementation patterns, and inexperienced developers are far better served by them than by home-grown token schemes.
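
An added example, not the article's or any library's code, of keeping the two steps apart: a token signed with HMAC-SHA256 stands in for a real OAuth access token (the format, the secret and the claim names `sub`, `scope`, `exp`, `allowed_networks` and `window` are all assumed here for illustration). `authenticate` answers only whether the token is genuine and current; `authorise` then applies scope, network range and time window as separate decisions, so the two failure modes map to distinct 401 and 403 responses:

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress
import json
import time


class AuthenticationError(Exception):
    """Who is calling could not be established: bad or expired credential."""


class AuthorisationError(Exception):
    """The caller is known, but is not permitted to do this, here, now."""


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, claims):
    """Mint an HMAC-SHA256 signed token of the form base64(claims).base64(mac)."""
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def authenticate(secret, token, now=None):
    """Step 1, identity only: is this token genuine and current? Returns claims."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        given_mac = _unb64(sig)
    except (ValueError, binascii.Error):
        raise AuthenticationError("malformed token") from None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(expected, given_mac):
        raise AuthenticationError("bad signature")
    # Only now is the body trusted enough to parse.
    claims = json.loads(_unb64(body))
    if now >= claims.get("exp", 0):
        raise AuthenticationError("token expired")
    return claims


def authorise(claims, required_scope, client_ip, now=None):
    """Step 2, permission: may this authenticated caller do this, from here, now?"""
    now = time.time() if now is None else now
    if required_scope not in claims.get("scope", "").split():
        raise AuthorisationError(f"scope '{required_scope}' not granted")
    allowed = [ipaddress.ip_network(n) for n in claims.get("allowed_networks", [])]
    if allowed and not any(ipaddress.ip_address(client_ip) in n for n in allowed):
        raise AuthorisationError(f"{client_ip} outside permitted address range")
    window = claims.get("window")  # optional [start, end) in epoch seconds
    if window and not (window[0] <= now < window[1]):
        raise AuthorisationError("outside permitted time window")


def handle_request(secret, token, client_ip, required_scope, now=None):
    """Glue that keeps the two steps apart; returns (status, detail)."""
    try:
        claims = authenticate(secret, token, now)
    except AuthenticationError as exc:
        return 401, str(exc)
    try:
        authorise(claims, required_scope, client_ip, now)
    except AuthorisationError as exc:
        return 403, str(exc)
    return 200, claims.get("sub", "?")


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    now = 1_700_000_000
    token = issue_token(secret, {"sub": "billing-service", "scope": "orders:read",
                                 "exp": now + 600, "allowed_networks": ["10.0.0.0/8"]})
    print(handle_request(secret, token, "10.1.2.3", "orders:read", now))
    print(handle_request(secret, token, "10.1.2.3", "orders:write", now))
    print(handle_request(secret, token, "192.0.2.7", "orders:read", now))
```

In production the token would be an OAuth 2.0 access token validated by a mature library; the hand-rolled version is here only to show that signature verification, expiry, scope and context checks are different questions, and that the token body is not parsed until its signature has been verified.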

Encrypt Communications

Transport Layer Security (TLS), the successor to the now obsolete Secure Sockets Layer (SSL), should protect all communications, and SSL and early TLS versions should be disabled. The https: URL prefix and its padlock symbol are familiar from web browsers, but encryption needs to be applied in every circumstance where an attacker could get at the traffic, including service-to-service calls inside the network. TLS protects against man-in-the-middle attacks in two ways: certificate verification establishes that the client is talking to the intended endpoint, and encryption ensures that the data is meaningful only to the two ends. A client that skips certificate verification keeps the encryption but loses the trust, and an interceptor is accepted as readily as the real server. TLS also protects access tokens in transit, such as those issued by OAuth, which give applications access without the user sharing their password.
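
The weak client configuration beside the hardened one, as an added Python example that is not from the article. `insecure_context` is the "just make the certificate warning go away" setting that silently defeats the man-in-the-middle protection; `hardened_context` requires a certificate that verifies against the trust store and matches the hostname, and at least TLS 1.2. `context_findings` audits a context the way a reviewer would, and `fetch_api_root` shows the hardened context in use (the host is assumed, and the function needs network access):

```python
import socket
import ssl


def insecure_context():
    """The weak configuration seen in far too many API clients: traffic is
    encrypted, but nothing is verified, so an interceptor presenting any
    certificate at all is accepted and the encryption buys no trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_file=None):
    """Verify the peer against the system trust store (or a private CA
    bundle), check the hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_findings(ctx):
    """Audit an SSLContext; an empty list means no findings."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 permitted")
    return findings


def fetch_api_root(host, ctx, port=443):
    """Open a verified TLS connection and issue a minimal request.

    server_hostname is what the certificate's name is checked against; with
    the hardened context a mismatch or an untrusted issuer fails the
    handshake with ssl.SSLCertVerificationError before any data is sent.
    """
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            while chunk := tls.recv(4096):
                chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    print("insecure:", context_findings(insecure_context()))
    print("hardened:", context_findings(hardened_context()))
    # Assumed host for illustration; requires network access.
    # print(fetch_api_root("api.example.com", hardened_context())[:80])
```

The same three properties (certificate required, hostname checked, minimum protocol version) are the ones to look for in whatever HTTP client or language runtime the API's callers use; `verify=False` in a client library is the `insecure_context` above under another name.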

Apply Established Best Practice

A common flaw in API development is the Not Invented Here (NIH) mindset. An individual developer, or even an Agile team, may see kudos in designing and implementing a unique and novel solution, for example a home-grown token format or signing scheme. The usual result is an API that has weak security and is difficult to maintain. API security frameworks, and the open standards that underpin them, have evolved to a high state of maturity. Separation of concerns is also well understood, from patterns such as MVVM. The API should be separated into its security and its implementation concerns: a security specialist can own data persistence security, while developers concentrate on building an object-based API that delivers functionality and integration.

Design The Test Strategy As Early As Possible

Designing and implementing an automated test suite verifies the API against both its functional and its security requirements. The tests should be part of the continuous build so that they run on every revision. API fuzzing invokes the API with unexpected, malformed or randomly varied data and watches for anything other than a clean rejection: an unhandled exception, a timeout, or a stack trace in a response. Each case a fuzzer finds should be captured as a regression test so that the defect stays fixed. Fuzz cases can be written by hand, generated from the API's validation schema, or produced by a tool such as DeepState.
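
An added example (not the article's code, and not DeepState) of mutation-based fuzzing against a constructed transfer endpoint. `handle_transfer` has one defect planted for illustration: it trusts `int()` to validate the amount. The fuzzer first runs every field through a fixed mutation corpus, then mutates several fields at once using a seeded random generator, and records anything the handler raises that is not its own clean `ValidationError`:

```python
import random
import re

ACCOUNT = re.compile(r"[A-Z]{3}-[0-9]{6}")


class ValidationError(ValueError):
    """The one exception a well-behaved handler may raise (becomes HTTP 400)."""


def handle_transfer(req):
    """Constructed fuzz target: a transfer endpoint with one planted defect."""
    if not isinstance(req, dict):
        raise ValidationError("body must be an object")
    for key in ("from_account", "to_account", "amount"):
        if key not in req:
            raise ValidationError(f"{key} is required")
    for key in ("from_account", "to_account"):
        if not isinstance(req[key], str) or not ACCOUNT.fullmatch(req[key]):
            raise ValidationError(f"{key} is malformed")
    # Planted defect: int() is trusted to do the validation. It raises
    # TypeError or ValueError for many inputs (an unhandled 500 in a real
    # service) and quietly accepts others it should not, such as 1.5.
    amount = int(req["amount"])
    if amount <= 0:
        raise ValidationError("amount must be positive")
    return {"status": "queued", "amount": amount}


# Constructed mutation corpus: the values that most often break handlers.
MUTATIONS = {
    "none": None, "empty": "", "long": "A" * 100_000, "negative": -1, "zero": 0,
    "huge": 2 ** 63, "float": 1.5, "bool": True, "list": [], "object": {},
    "exponent": "1e3", "unicode_digits": "\u0661\u0662\u0663", "sqli": "' OR 1=1--",
}

# Constructed valid request used as the seed for every mutation.
SEED_REQUEST = {"from_account": "ABC-123456", "to_account": "DEF-654321", "amount": "25"}


def fuzz(handler, seed=SEED_REQUEST, rounds=200, rng_seed=1):
    """Return {exception_type: first_case_description} for every crash found.

    A ValidationError is a clean rejection and is not a finding; anything
    else is, because the handler leaked an internal error to the caller.
    """
    cases = []
    # Deterministic pass: every field x every mutation, plus each field missing.
    for field in seed:
        for name, value in MUTATIONS.items():
            cases.append((f"{field}={name}", {**seed, field: value}))
        cases.append((f"{field} missing", {k: v for k, v in seed.items() if k != field}))
    # Random pass: several fields mutated at once, reproducible via rng_seed.
    rng = random.Random(rng_seed)
    for _ in range(rounds):
        fields = rng.sample(sorted(seed), k=rng.randint(2, len(seed)))
        picks = [(f, rng.choice(sorted(MUTATIONS))) for f in fields]
        req = {**seed, **{f: MUTATIONS[m] for f, m in picks}}
        cases.append(("+".join(f"{f}={m}" for f, m in picks), req))
    findings = {}
    for desc, req in cases:
        try:
            handler(req)
        except ValidationError:
            continue
        except Exception as exc:
            findings.setdefault(type(exc).__name__, desc)
    return findings


if __name__ == "__main__":
    for exc_type, case in fuzz(handle_transfer).items():
        print(f"{exc_type}: first triggered by {case}")
```

Each entry the fuzzer returns is a reproducible case to add to the regression suite. The deterministic pass also surfaces the quieter defect that produces no exception at all: `int()` accepts Arabic-Indic digit strings and truncates `1.5` to `1`, which only an assertion on the accepted value, not a crash detector, will catch.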

Successful API strategy

By separating the concerns of security and implementation, APIs can be developed that are commercially successful and developer-friendly, and also resilient against the threat vectors described above. As security specialists, we can ensure that an API strategy follows best practice and mitigates common threat vectors. Developers can focus on implementing an API that fulfils commercial, functional and productivity requirements.


Does Your Organisation Need Top Cyber Security Consultants?

We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.