API security and its functionality

Author: Ping Identity

As the world becomes ever more connected through the internet, the need to build secure networks keeps growing. API security continues to be an integral part of business strategy, and it does not appear to be slowing down any time soon. Security is an essential element of any application, especially for APIs, where hundreds of applications may be making calls daily. Every day new threats and vulnerabilities appear, and every day companies find themselves racing against the clock to patch them. It is crucial to protect APIs from attacks. Thankfully, while an API manager does not eliminate all threats, it can help protect against some of the common ones. Moreover, when used as a proxy, it can prevent malicious requests from reaching your architecture.

OAuth is the most common type of API security. Unlike basic authorization, OAuth does not give the API client access to the user's information. Instead, it redirects the user to a page on the destination server where they enter their credentials, and then returns to the API client an access token for that user. Always make sure to authenticate the web server before authorizing it. Authentication is used to reliably determine the identity of the user, while authorization is used to determine which resources the identified user may access.

Methods of authentication and authorization:

i. Static string: The API caller or client embeds a fixed string as a token in the request. This method is often referred to as the basic one. It is not very satisfactory, as it means sending the password over the network in clear text for every single page accessed, which leaves it vulnerable to any packet sniffer.

ii. Dynamic string: When an API is protected with a dynamic string, a time-based nonce is inserted into the token. The token has a time to live, after which the user has to obtain a new one. This is why it provides better protection for the API.

iii. User delegated: This type of token is used in three-legged systems, where an application needs to access an API on behalf of a user. Instead of revealing the user ID and password to the application, the user grants a token that encapsulates the user's permission for the application to invoke the API.
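To make the difference between a static string and a dynamic, time-limited token concrete, here is an added example that is not part of the Ping Identity article: it issues an HMAC-signed token carrying a nonce and an expiry, and validates it, rejecting tampered and expired tokens. The secret, client ID and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed sample secret; a real deployment would load this from a secret store.
SECRET = b"example-shared-secret-do-not-reuse"


def issue_token(secret: bytes, client_id: str, ttl_s: int, now: Optional[float] = None) -> str:
    """Build a dynamic-string token: payload with nonce and expiry, signed with HMAC-SHA256."""
    now = time.time() if now is None else now
    payload = {
        "client": client_id,
        "nonce": secrets.token_hex(8),      # time-based token is also unique per issue
        "exp": int(now) + ttl_s,            # time to live: after this the client must re-issue
    }
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def validate_token(secret: bytes, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, client_id) on success or (False, reason) on failure."""
    now = time.time() if now is None else now
    try:
        body, mac = token.rsplit(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many MAC bytes matched.
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return False, "undecodable"
    # A captured token replayed after its TTL is refused, unlike a static string.
    if now >= payload.get("exp", 0):
        return False, "expired"
    return True, payload["client"]


if __name__ == "__main__":
    tok = issue_token(SECRET, "app-123", ttl_s=300)
    print(validate_token(SECRET, tok))
```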

Four pillars of API Security:

  1. Strong SSL: One can rapidly protect an API by enabling SSL and changing http to https.
  2. Robust identity: Any API of commercial value will typically identify the client, at a minimum by issuing a developer ID or app ID that the client has to embed in each API invocation.
  3. Valid API content: An API typically has a request-response structure. Input is sent in the URL parameters or in the body of the request to the API endpoint; the business process engine executes the functionality based on that input and responds with XML or JSON.
  4. Consistent security architecture: Choosing the right architecture for enforcing API security is an important step. Most companies, regardless of their size, now rely on multiple API vendors for critical business needs, including CRM, inventory management, financial services, and HR.