3 Strategies for More Secure APIs

What is an API?

August 24, 2020

At its most basic, an API, or application programming interface, is a set of functions that connects different software or systems. An API helps keep things simple for the user by allowing them to perform complex functions without needing to understand the complexities behind those processes. For example, a user might open a program and click a button that says, “Display Today’s Weather”. An API would then be activated to aggregate and display the data from a third party. The user doesn’t need to know how the API finds the data, how it distinguishes the different categories, or how it plugs them into the graphical user interface for display. We encounter APIs in many of the programs and applications we use. From banking institutions and shopping sites to streaming services and social media, APIs are hard at work delivering ease of use to the customer.

APIs are essentially hidden pathways between applications. They shield the user from complexity and make multi-step tasks as simple as pressing a button. This begs the question, “If APIs are consistently at work behind the scenes in the programs and web applications I’m using, how do I know they are secure?” Indeed, API security is an incredibly important part of designing these systems. This is especially true because APIs are often used for quick logins, financial transactions, and other interactions that use sensitive, personal data. Without strong protections, APIs are highly vulnerable to hacking and can lead to data loss, identity theft, or worse.

Common API Vulnerabilities

Distributed Denial of Service (DDoS) – Hackers send large volumes of fake API requests, slowing down legitimate requests

Code Injection – A hacker sends a piece of code instead of a valid request, and that code gets executed on the server

CSRF Attack – In a cross-site request forgery (CSRF) attack, a hacker takes actions (like changing information or transferring money) within the authenticated site without the user’s knowledge

XSS – Cross-site scripting attacks involve sending malicious code through an otherwise harmless site to another end user

Security First

The first and best way to protect APIs is to make security a priority. It goes without saying that putting security first when designing APIs is more effective than trying to patch up problems after the fact. APIs are one of the biggest vulnerabilities when it comes to data loss or theft, and so security should be integral to your system architecture. Likewise, continuing education on new threats is essential. Whether you have your own dev team or rely on a provider like DOMA, it’s vital that security training is a priority.

Minimize Access

Nearly every application uses an API, and some applications may use thousands. There are three types of API access – private, shared (between specific partners), and public. Public APIs can be used by third parties and pose the greatest risk. With this in mind, whenever possible it’s best to use private or at least shared APIs. Whitelisting approved IPs and devices and blacklisting known threats is another useful way to control and track access to your data.

Secure API Gateways

API gateways are an important part of API design and can be used to manage access, route to an internal API, monitor the API, and more. An API gateway can validate access through authorization mechanisms like OAuth/OpenID Connect. Gateways can be further protected by defining permissible input validations. These validations can be things like message length and threat protection from SQL injection, JSON attacks, and XML threats. Ultimately, the key to securing a gateway is ensuring that calls to the API are legitimate. All of these gateway protections are designed to identify and block malicious attacks or calls to the API.
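As an added illustration of the gateway-level checks described above (the IP whitelisting from the “Minimize Access” section plus message-length, JSON and XML input validation), the following Python function is example code written for this article and is not DOMA’s software; the allowed networks, size limit and nesting limit are constructed values, and full OAuth token validation is assumed to happen in a separate layer.

```python
import ipaddress
import json

# Constructed policy values for this example (not a real deployment's settings)
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]
MAX_BODY_BYTES = 64 * 1024   # message length limit
MAX_JSON_DEPTH = 20          # deeply nested JSON exhausts parsers


def json_depth(value, depth=1):
    """Return the nesting depth of an already-parsed JSON value."""
    if isinstance(value, dict):
        return max((json_depth(v, depth + 1) for v in value.values()), default=depth)
    if isinstance(value, list):
        return max((json_depth(v, depth + 1) for v in value), default=depth)
    return depth


def check_request(client_ip, headers, body):
    """Gateway-style pre-checks on one request. Returns (allowed, reason)."""
    # 1. Source allowlist ("whitelisting approved IPs")
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False, "source not allowlisted"
    # 2. A bearer token must be present before any further work is done;
    #    signature, expiry and audience checks belong to the OAuth layer.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or len(auth) <= len("Bearer "):
        return False, "missing bearer token"
    # 3. Message length limit, checked before the body is parsed at all
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    ctype = headers.get("Content-Type", "")
    # 4. JSON must parse and must not exceed the nesting limit
    if ctype.startswith("application/json"):
        try:
            parsed = json.loads(body)
        except ValueError:
            return False, "malformed JSON"
        if json_depth(parsed) > MAX_JSON_DEPTH:
            return False, "JSON nested too deeply"
    # 5. XML: refuse DOCTYPE declarations, which entity-expansion and
    #    external-entity payloads depend on
    elif ctype.startswith(("application/xml", "text/xml")):
        if b"<!DOCTYPE" in body.upper():
            return False, "XML DOCTYPE not permitted"
    else:
        return False, "unsupported content type"
    return True, "ok"
```

Every rejection reason is a fixed string, so the same values can be emitted to the gateway’s monitoring pipeline and counted per source.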

APIs are a key part of how modern systems operate, but they are inherently insecure. Without the added layer of API security, they are a prime target for hackers. Skillful management and development can go a long way in mitigating those risks.

How does DOMA use APIs?

APIs are a key part of how DOMA’s DX Software operates. These integrations make our application easy to use and add robust functionality. All API calls are authenticated by requiring a security token generated by OAuth and your DX credentials. Additionally, all access to the DX site, and consequently all API calls, is tracked and monitored. Our team takes the security of information very seriously and is continuously improving our protocols to protect against new threats.

About DOMA – Powered by Tech, Driven by People

DOMA Technologies (DOMA) is a software development and digital transformation company whose mission is to change customer lives by lightening their workload through faster and more targeted access to their data. Since 2000, our team of 200+ experts has helped businesses navigate all aspects of the digital world. We are a dedicated strategic partner for the federal government and private sector clients at every stage of their unique digital transformation journey.

Author:

Danielle Wethington
Director of Communications