Best Practices and Recommendations for API Security

Security is everyone’s business. APIs touch backend services, databases, and IAM, and all of this infrastructure needs to be secured appropriately. API security starts at the transport level, using HTTPS (SSL/TLS) and enforcing up-to-date TLS versions. For the API layer itself, this article collects best practices and recommendations for building a secure API.

Do APIs need to be PCI compliant?

If your APIs carry any payment card information, you and your technical partners must ensure these APIs meet the requirements of PCI DSS and are compliant.

See Also: PCI Web Application Security Requirements

APIs have become a primary target for attackers because, by their nature, they provide direct access to sensitive data. PCI DSS compliance is required for every company that accepts credit or debit card payments and processes or stores card data.

What is API security?

API security is the preservation of the integrity of the APIs you own and use. APIs are one of the most popular ways microservices and containers communicate, just as they are for systems and applications. As integration and interconnection become more critical, so does the security of APIs.

Why is API security important?

Businesses use APIs to connect services and transfer data, and in doing so they expose sensitive data for consumption. However, not all data is created alike, and not all data needs to be protected equally. Significant data breaches are caused by APIs that are broken, exposed, or hacked.

The type of data being exchanged determines how you approach API security. If your API connects to a third-party application, it is essential to understand how that application handles the information and forwards it onward over the internet.

What is Web API security? Are REST API security and SOAP API security different?

Web API security is about data transfer via internet-connected APIs. OAuth is the open standard for access authorization. It allows users to grant third-party access to web resources without having to share passwords.

REST (Representational State Transfer) and SOAP (Simple Object Access Protocol) are the most common API implementations.

REST APIs support HTTP and Transport Layer Security (TLS) encryption. TLS is an internet security standard that ensures that data exchanged between two systems (server to server or server to client) is encrypted and unmodified.

See Also: What Are the Impact Analysis Requirements for PCI DSS Compliance

TLS encryption means that an attacker trying to capture your credit card information in transit to a shopping website cannot read or change your data. You can tell that TLS protects a website if the URL starts with “HTTPS” (Hypertext Transfer Protocol Secure).

REST APIs also use JavaScript Object Notation (JSON), a file format that simplifies data transfer via web browsers. Because they use HTTP and JSON, REST APIs do not need to store or repackage data, which makes them much faster than SOAP APIs.

See Also: What Does PCI Compliant Software Development Mean for Developers

SOAP APIs use the built-in Web Services Security (WS-Security) protocol, which lays out a set of guidelines for security and authentication. SOAP APIs support the standards of the Organization for the Advancement of Structured Information Standards (OASIS) and the World Wide Web Consortium (W3C).

See Also: How to Perform Code Reviews for PCI Requirements

To verify authentication and authorization, SOAP APIs employ a combination of XML encryption, XML signatures, and SAML tokens. SOAP APIs are commended for having more robust security features, but they also require more management. For these reasons, SOAP APIs are suggested for enterprises that handle sensitive data.

How should API management and security be?

API security often depends on good API management. Many API management platforms support the following three types of security schemes:

  • API key: a single token string, comparable to a small hardware token that provides unique authentication data.
  • Basic Authentication (App ID / App Key): a two-token-string solution.
  • OpenID Connect: a simple identity layer built on top of the widely used OAuth framework that authenticates users and retrieves basic profile information from an identity server.

When you choose an API manager, it is helpful to know which of these security schemes it supports, and how many, and to plan how you will incorporate API security practices around it.

Essential best practices and recommendations for API security

As demand for data-centric projects grew, companies quickly exposed their data to their ecosystems via SOAP or REST APIs. APIs are gateways to a company’s closely guarded data and therefore bring security threats with them.

You can consider the following API security recommended practices to avoid security risks and safeguard your APIs:

1. API Encryption

Use TLS to secure all API conversations, and use the latest TLS versions so that the weakest cipher suites are never negotiated.

2. API Authentication

At the very least, secure your APIs with an API key (asymmetric key) or basic access authentication (user/password) to make it more difficult for attackers to break into your services.

3. API Inventory

Digital transformation activities produce new APIs at an increasing rate, so you should examine every new API for adequate security measures. But you cannot secure what you do not know exists.

An AI engine can analyze API traffic metadata to discover APIs that are not on the radar of security practitioners. This level of API discovery lets you minimize the blind spots created by rogue APIs.

In this manner, as new APIs are identified, they can all be subjected to the same API security checklist. The same API traffic metadata analysis that enables API discovery may be used to detect threats.

4. OAuth and OpenID Connect

OAuth is the mechanism that saves you from having to remember many passwords. Instead of creating an account on each website, you can sign in via another provider’s credentials.

The same is true for OAuth-protected APIs. The API provider relies on a third-party server to manage entitlements, and the consumer presents a token issued by that third-party service instead of its own credentials. This protects the consumer, who never discloses credentials, and since the API provider only ever receives tokens, it need not worry about protecting the authorization data.

OAuth is the most widely used protocol for delegating authorization. With the OpenID Connect standard, you can add an identity layer on top of OAuth 2.0, extending it with identity tokens to further authenticate and protect your APIs.

5. API Access Control

By using standards such as OAuth and JWT to authenticate API traffic, you can build access control rules that determine which identities, group memberships, identity attributes, and roles are required to access specific API resources.

If your API operates across multiple network boundaries, you can apply Zero Trust security policies and propagate the identity so that each layer makes its own authorization decision. Application-level security can also take advantage of the propagated identity.

Additional access control best practices for APIs include:

  • Map between token formats when crossing boundaries, for example an opaque token on the public side and a signed token on the private side.
  • Ensure that authorization rules are applied in every API silo.
  • Enable access control rules for third-party applications acting on behalf of users, and control the scope granted to each application.
  • Use access control to define and enforce user privacy preferences and general data management policies.
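As an added illustration (not code from the original article), here is a minimal gateway-side check that verifies an HS256-signed JWT and enforces the OAuth scope each route requires; the shared secret, the route table and the claim layout are constructed for the example, and a production gateway would use a JWT library with the authorization server's published keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical shared HS256 secret for the gateway (constructed for this example).
SECRET = b"example-gateway-secret"
# Constructed policy: the OAuth scope required for each (method, path) resource.
ROUTE_SCOPES = {
    ("GET", "/v1/cards"): "cards:read",
    ("POST", "/v1/cards"): "cards:write",
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def mint_token(claims: dict) -> str:
    """Issue an HS256 JWT; stands in for the authorization server in this example."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, now=None):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        return claims if claims.get("exp", 0) > now else None  # expired tokens are rejected
    except (ValueError, TypeError, AttributeError):  # malformed token of any kind: deny
        return None

def authorize(token: str, method: str, path: str, now=None) -> bool:
    """Gateway check: a valid token carrying the scope this route requires; deny by default."""
    required = ROUTE_SCOPES.get((method, path))
    claims = verify_token(token, now) if required else None
    return bool(claims) and required in str(claims.get("scope", "")).split()
```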

6. API Threat Detection

Combine real-time and out-of-band threat detection. Real-time threat detection relies on an API gateway, a WAF, or an agent that enforces a set of validation rules. Every API request and response is checked against this rule set and is only allowed through if the rules pass. The stricter these rules are, the harder it is for attackers to abuse your API.

Specifically, create the following rules in API threat detection systems:

  • Signature-based threat detection, for example for SQL injection attempts.
  • Validation of incoming messages against the API specification contract using JSON schemas and JSON paths.

7. Audit and Logs

When errors occur in your APIs, you need to be ready to troubleshoot. It is essential to audit and log relevant information on the server and retain this history for as long as the capacity of your production servers reasonably allows.

When an incident occurs, your logs become the source for debugging and investigation. Monitoring dashboards are also highly recommended for tracking your API consumption.

Remember to version all APIs, preferably in the API’s path, serve several versions running simultaneously, and deprecate one version in favor of another gradually rather than abruptly.

8. API Monitoring and Analysis

Monitor your API traffic from the inside. Feed API traffic metadata to a central AI engine and correlate identities across API traffic. Break traffic down per user, per IP, per token, and per API.

Integrate your API monitoring and threat detection into your existing security information and event management (SIEM) systems. Periodically review detected anomalies and fine-tune models as needed.

If you have visibility into your API traffic at all times, broken down by any factor, you can better understand what is going on with your APIs, including whether you are facing an attack or a malfunction.

9. Share As Little As Possible

Show as little information as possible in your responses, especially in error messages. Lock email subjects and content to predefined, non-customizable messages. Since IP addresses can reveal locations, keep them to yourself.

Where possible, use IP whitelists and IP blacklists to restrict access to your resources. Limit the number of admins, split access into different roles, and hide sensitive information across all your interfaces.

10. Enforce rate limits to protect your API backends

There is a limit to how many real-time security layers can be applied in sequence before latency suffers. Out-of-band analysis of API traffic should therefore be offloaded to a dedicated AI engine that sits outside the API traffic path.

Use this AI engine to capture API traffic metadata and build ML models for each API, tracking error rates, API call sequences, and the grouping of API calls by token, API key, IP address, and cookie.

11. System Protection with Restrictions and Quotas

Depending on the capacity of your servers, limit access to your system to a set number of messages per second to conserve your backend bandwidth.

You should also restrict access per API and per user or application, so that no one can abuse the system as a whole or any specific API.

Well-configured throttling limits and quotas are essential to prevent attacks from different sources, such as DDoS, from flooding your system with requests.
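The following token-bucket throttle, added here as an example rather than taken from the article, applies the two limits described above: a per-API ceiling sized to the backend and a per-client quota keyed by whatever identifies the caller (API key, user, or IP); the limit values and route names are constructed.

```python
class TokenBucket:
    """Token bucket: refills `rate` tokens per second and holds at most `capacity`."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.tokens = float(capacity)
        self.updated = None  # timestamp of the last call; the gateway passes time.time()

    def allow(self, now: float) -> bool:
        if self.updated is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ApiThrottle:
    """Two-tier throttle: a per-API ceiling that protects backend capacity, plus a
    per-(API, client) quota so that one key, token or IP cannot monopolise an API.
    Limits are (rate per second, burst) tuples; values are constructed examples."""

    def __init__(self, api_limits: dict, client_limits: dict):
        self.api_limits = api_limits        # api -> (rate, burst) for the whole API
        self.client_limits = client_limits  # api -> (rate, burst) per client
        self.api_buckets = {}
        self.client_buckets = {}

    def check(self, api: str, client_id: str, now: float) -> str:
        """Classify one request: 'ok', 'client_limited', 'api_limited' or 'unknown_api'."""
        if api not in self.api_limits:
            return "unknown_api"  # unregistered API: deny rather than pass it through
        # The client quota is checked first so a throttled client never consumes API capacity.
        client_limit = self.client_limits.get(api, self.api_limits[api])
        client_bucket = self.client_buckets.setdefault((api, client_id), TokenBucket(*client_limit))
        if not client_bucket.allow(now):
            return "client_limited"  # HTTP 429 for this client only
        api_bucket = self.api_buckets.setdefault(api, TokenBucket(*self.api_limits[api]))
        if not api_bucket.allow(now):
            return "api_limited"  # HTTP 429/503: backend capacity reached
        return "ok"
```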

12. Data Validation

Validate everything your server accepts. Reject embedded content and oversized data, and always check the content consumers send you. Use JSON or XML schema validation to help prevent SQL injection and XML bombs, and check that your parameters are what they should be.
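To show what the schema validation recommended in points 6 and 12 looks like in practice, here is an added example (not from the article) that validates a request body against a constructed contract with a size cap, a nesting-depth limit, strict field and type checks, and deliberately generic error reasons; the `/v1/cards` contract and all limits are invented for illustration.

```python
import json
import re

MAX_BODY_BYTES = 4096  # constructed limit: cap the size before parsing at all
MAX_DEPTH = 8          # reject deeply nested payloads (the JSON analogue of an XML bomb)

# Constructed contract for a hypothetical POST /v1/cards request body.
CARD_REQUEST_SCHEMA = {
    "required": {"token", "amount", "currency"},
    "fields": {
        "token": {"type": str, "pattern": r"^tok_[A-Za-z0-9]{16,32}$"},
        "amount": {"type": int, "min": 1, "max": 1_000_000},
        "currency": {"type": str, "pattern": r"^[A-Z]{3}$"},
        "memo": {"type": str, "max_len": 64},
    },
}

def depth(value, level=1):
    # Nesting depth of a parsed JSON value; a flat object has depth 2.
    if isinstance(value, dict):
        return max([depth(v, level + 1) for v in value.values()] + [level])
    if isinstance(value, list):
        return max([depth(v, level + 1) for v in value] + [level])
    return level

def validate_request(raw: bytes, schema=CARD_REQUEST_SCHEMA):
    """Return (ok, reason). Reasons are generic on purpose, so an error response
    reveals nothing about the backend ('share as little as possible')."""
    if len(raw) > MAX_BODY_BYTES:
        return False, "payload too large"
    try:
        body = json.loads(raw)
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, or absurd nesting
        return False, "malformed json"
    if not isinstance(body, dict) or depth(body) > MAX_DEPTH:
        return False, "invalid structure"
    fields = schema["fields"]
    if set(body) - set(fields):
        return False, "unexpected field"  # anything outside the contract is rejected
    if schema["required"] - set(body):
        return False, "missing field"
    for name, v in body.items():
        rule = fields[name]
        if isinstance(v, bool) or not isinstance(v, rule["type"]):  # bool is an int subclass
            return False, "invalid type"
        if "max_len" in rule and len(v) > rule["max_len"]:
            return False, "value too long"
        if "pattern" in rule and not re.fullmatch(rule["pattern"], v):
            return False, "invalid format"
        if ("min" in rule and v < rule["min"]) or ("max" in rule and v > rule["max"]):
            return False, "out of range"
    return True, "ok"
```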

13. Infrastructure Security

A good API needs a good safety net: sound infrastructure and up-to-date software, so that it stays robust and always benefits from the latest security fixes. That is why it is essential to keep all of your infrastructure up to date.

14. API Security Test

Constantly test security and take an intimate look at your APIs. Design test cases that bypass client-side implementation, as an attacker would do when attacking your API.

See Also: Source Code Analysis for PCI DSS Application Security

Check whether you can get the API to return data the requester should not have by calling it in ways the application does not allow.

15. OWASP top 10

The OWASP (Open Web Application Security Project) Top 10 lists the ten most critical web application vulnerability categories, ranked by exploitability and impact. Review your system against every OWASP Top 10 category and make sure each is addressed.

16. API Firewall

Many issues can be solved by using an API firewall. The security of your API should be divided into two layers: DMZ and LAN.

The first tier, the DMZ, hosts an API firewall that performs basic security checks such as message size control, SQL injection detection, and other HTTP-layer security, blocking attackers early.

Traffic is then forwarded to the second layer, the LAN, where more advanced security procedures are applied to the content of the data.

17. API Gateway (API Management)

Implementing and maintaining all of the above mechanisms takes time. To save money, time, and resources, you can choose a mature and performant API Management solution that provides all of these options.

An API Gateway helps you secure, control, and monitor your traffic. An API Management solution helps you secure your APIs with little effort, make sense of your API data, and make technical and commercial decisions.

18. Incident Response

Detecting and halting a breach is only one component of security incident response. By storing extensive information about historical API traffic, you can build forensic reports for a given token, API key, user ID, or IP address.

Perform forensic reporting to get a complete picture of the activity that occurred during an incident. Reporting facilitates PCI compliance and investigations, and helps you repair the damage in cases where a violation was not automatically detected and prevented.

Surkay Baykara, https://www.pcidssguide.com

A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions, beginning as a developer and IT administrator and working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career, including CEH, CISA, CISSP, and PCI QSA.
