Increasingly, digital transformation and customer expectations are driving organizations to employ creative approaches to serving the needs of a diverse mix of end users and experiences. From telemedicine to online banking, real‑time APIs are the foundation upon which digital business is built, allowing app developers to create apps that can serve the needs of their customers.
With the explosion of apps in the digital world that are served instantly by APIs, the need to rapidly detect and protect API breaches becomes critical.
APIs form the chassis for modern applications. They are everywhere, enabling developers to obtain valuable information from other software components and integrate it into their applications, for example embedding Google Maps in a rideshare app or YouTube videos in a web page. APIs are key components at every stage of a user’s interaction with an app, from logging in to leaving feedback. The rise of 5G, with its promise of high speeds (1 Gbps), is likely to make today’s impatient users even less tolerant of poor app performance. API‑driven businesses that don’t achieve real‑time API responsiveness – which we define as processing an API call end-to-end in under 30ms – are sure to lose digital market, and the loss of revenue might even put their digital transformation efforts at risk.
Like all things created with good intentions, the prominent use of APIs has its downside – it provides bad actors motivated by bad intentions with a new avenue for exploiting applications. Gartner has predicted that by 2022 API abuses will be the most frequent attack vector against enterprise web applications, resulting in data breaches.
Why Is API Security Important?
A combination of factors makes APIs rich targets for security attacks. One of the biggest problems is failure to set appropriate access permissions. Because they are not intended for direct access by users, APIs are often granted access to all data within the application environment. Access is then controlled by granting specific permissions to the users making the initial requests that are translated into API calls, and having the API inherit only those permissions. This works fine until an attacker manages to bypass the user authentication process and access the downstream app directly via the API. Because the API has unrestricted access, the attacker gets visibility into everything.
Like basic HTTP web requests, API calls incorporate URIs, methods, headers, and other parameters. All of these can be abused in an attack. Unfortunately, most typical web attacks, such as injection, credential brute force, parameter tampering, and session snooping work surprisingly well on APIs. To attackers, APIs are an easy target.
How Do You Secure APIs?
It’s vital to build security into an API at every phase of its lifecycle. During the design and development stages, engineers need to build in the logic required for integrating with the WAF, bot protection, API management solution, API gateway, and other tools that will secure the API as it’s delivered in development, testing, and production environments.
You then deploy those technologies to protect the API during delivery, as discussed in the following sections.
A WAF recognizes requests that are in fact illegitimate, designed not to exercise the API’s intended functionality but to exploit vulnerabilities in application code that allow attackers to steal information or execute malicious code. It’s crucial that any WAF protect at minimum against the most common attack types, like the OWASP API Security Top 10.
NGINX App Protect is based on F5’s Advanced WAF product. Optimized for CI/CD and DevOps workflows, it supports XML, JSON, text, and HTML request and response payloads. Its advanced API protection profiles protect against attacks with parsing and structure enforcement, attack signatures, method enforcement, and path enforcement.
HTTP APIs can be subject to bot and other forms of malicious or unwanted automation‑based traffic. Shape, now part of F5, offers API Defense™ as a solution that provides visibility, throttling, and mitigation options to protect HTTP‑based APIs from bots and other forms of automated attacks that generate online fraud and application abuse.
Among other functions, API management solutions provide the interface for defining security policies which the API gateway then applies as it processes API calls.
The NGINX Controller API Management Module [now API Connectivity Manager, part of F5 NGINX Management Suite] includes important protections like implicit URI allowlisting based on the API specification, as well as programmable rate limiting, multiple rate‑limiting policies, and throttling to protect against denial of service attacks.
An API gateway like NGINX Plus secures API calls in its role of guardian responsible for three key functions, discussed in the following sections.
Authentication and Authorization
API authentication is about allowing access only to recognized clients – those that can prove they are who they claim to be.
Because authentication is not core to what an API does, it makes sense to perform it outside the application code. This frees API developers from having to write their own authentication code and means you can centrally manage authentication for all APIs while still making authentication requirements flexible. For example, you might allow unauthenticated use of the API that returns game scores at a sports website, but you definitely need to authenticate the people who use an API to edit the content.
Now let’s look at the difference between authentication and authorization. Authentication is the process of verifying user identity. Authorization is what comes next – determining which actions a particular user is entitled to perform and conveying that information to the server.
Rate limits control how frequently a given client can make an API call. They have two main purposes: protecting backend services from being overloaded and ensuring fair use for clients. An example of rate limiting might be to allow 100 transactions per second during periods of heavy demand. Rate limits can be applied to individual user names, specific IP addresses or ranges, or to all users (for example, during peak traffic times).
Input validation is verifying that input supplied by a user or application is correct: consists of the right type of characters (digits, letters, punctuation), is the right size, is one of a predefined set of acceptable values, is consistent with another value being provided, and so on. For example, you might check that the zip code matches the supplied address, or that a birthdate is not in the future. Input validation prevents improperly formed data from entering an information system and threatening its integrity. It’s also an important way to detect malicious users, who can then be blocked from making further requests.
APIs are a strategic necessity to give your business the agility and speed needed to succeed in today’s business environment. But with the increasing cost of security breaches, organizations want to ensure that exposing their data via APIs does not create security risk which impacts their top line and bottom line.