Application Programming Interfaces (APIs) are a common solution to the problem of allowing secure access to an organization’s web resources. Many organizations have a web presence where they expose some amount of data or valuable functionality via a website that users can access for either free or a fee. In some cases, users may need the ability to automatically access this functionality via scripts, and APIs make this faster and easier to accomplish at scale.
An important consideration when implementing an API is API security. APIs are designed to let authorized users have easy access to the exposed functionality; however, this functionality may also be valuable to hackers attempting to exfiltrate data or take advantage of this protected functionality.
An important component of API security is protecting the authentication and authorization functionality within the API. An insecure API can expose user credentials which can grant an attacker access to the user’s account on this API and potentially other web resources (in the case of credential reuse). Using tools like OAuth, API developers can decrease the probability of compromise and improve the security of their systems.
The API Authorization Problem
APIs are designed to provide an alternative means of accessing the data held or processed by a program. In the context of web APIs, this allows automated tools to bypass the webpage used by traditional users and perform bulk operations on the system. This alternative mode of operation helps to improve the efficiency of automated tools, but doesn’t remove the need to authenticate to the application.
Many APIs are designed to grant access to protected data or functions. Even if an API doesn’t hold sensitive data, use of the functionality exposed by the API requires resources on the server end. For this reason, most APIs include authentication functions designed to ensure that only authorized parties have access to the protected functionality.
However, API authorization often isn’t a “one size fits all” type of problem. Even if a specific user is allowed to access the functionality exposed by the API, there is no guarantee that they are permitted to access all of it. Without a mechanism for managing access throughout the API, it may be necessary for the user to individually authenticate for each resource. This is where security issues really come into play at both ends. Securing a single authentication mechanism in the API is fairly straightforward, but properly protecting one on every page and resource is more difficult.
On the client end, the primary users of APIs are automated programs, and the need to use the username and password to authenticate at multiple points throughout the program’s execution increases the probability that they will be insecurely stored within the application’s code. As a recent study has demonstrated, developers often don’t consider the risks of embedding credentials in code that will be uploaded to public repositories. The study of 13% of Github’s publicly visible repositories revealed hundreds of thousands of unprotected credentials that could be used to gain access to accounts via web APIs.
Introduction to OAuth
OAuth is designed to be an authorization protocol that manages a user’s access to the functionality exposed by an API. An important distinction is that OAuth is only for authorization, not authentication. Traditional authentication mechanisms (username and password or similar) need to be used to perform the initial authentication of the user to the system, but after that authentication, the user receives an access token that grants access to all the resources that the user is authorized to access.
While OAuth doesn’t solve the authentication problem for APIs, the creation and use of an access token for authorization dramatically decreases the threat surface. By encoding (and securing) the authentication mechanism in the API, developers can ensure that users only have to provide their credentials to the server once for processing. After that, the access token is used, which can’t leak the original credentials and is much less damaging if compromised.
Securing Your API
Web content is some of the most useful and dangerous resources that an organization can use, especially if an API is involved. APIs are designed to expose a large amount of the functionality of an organization’s website and database. This is extremely valuable for “power users” who need rapid, bulk access to the data, but it can also be a major threat to the organization’s security.
Securing a web API is a multi-stage process. The first step is ensuring that only authorized users have legitimate access to the exposed resources. This requires developing a strong authentication solution and using an authorization tool like OAuth to minimize the threat of exposure to the credentials of the user authenticating to the service.
The other half of API security is protecting the system from illegitimate access by unauthorized users. The value of the functionality protected by web APIs makes them an enticing target for hackers. As a result, they are prone to vulnerability scans and exploitation of any discovered weaknesses.
For this reason, deployment of a Web Application Firewall (WAF) is a critical component of protecting a web API. A good WAF has the signature and anomaly detection capabilities necessary for identifying and protecting against attempts to exploit any vulnerabilities present in the API code. This combination of secure design (strong authentication and authorization) and good deployment is essential to good API and data security. An API represents a significant (if valuable) hole in an organization’s defenses, so securing it should always be a priority.