Application programming interfaces, or APIs, are an essential part of today’s online infrastructure. An API is the contract by which one piece of software exposes its data and operations to another, and that is what makes a wide range of practical yet innovative applications possible. As one example, APIs let traditional financial processing systems operate online by giving customers (and the apps they authorize) programmatic access to their banking information, something the original system designers had not necessarily planned for.
But where APIs simplify processes and enable innovation, they can also invite disaster. The same interoperability that makes APIs so appealing gives attackers and malware a well-documented, machine-friendly path to sensitive information. The financial industry example above is particularly dangerous if the proper security measures are not taken.
Which brings us to the core problem: security experts have been warning designers and programmers for years that API security wasn’t getting the attention it deserved. In one particularly alarming example, an independent researcher discovered a vulnerability in a US Postal Service API that exposed the personal details of roughly 60 million usps.com accounts. The API was intended to give businesses and marketers real-time tracking data for mail campaigns, but it let anyone with a usps.com account query other users’ private records: it checked who the caller was, but not whether that caller was entitled to the record being requested.
That flaw alone was concerning enough, but when the researcher reported the findings to USPS, no fix was forthcoming. It was not until the researcher, still anonymous, took the issue to KrebsOnSecurity that the Postal Service finally took action and patched the vulnerability.
The good news is that API vulnerabilities such as this one are relatively easy to address, provided designers and organizations are motivated to do so. Here are a few important considerations to keep in mind when securing your API:
API security procedures
The most straightforward practice API managers can adopt is making sure their endpoints follow current transport security practice. TLS (the successor to SSL; SSL itself and TLS 1.0 and 1.1 are deprecated, so require TLS 1.2 or later and verify certificates) is the online standard for payments: it encrypts and authenticates everything transmitted between software components, protecting sensitive information in transit against eavesdropping and tampering. Note what it does not do: TLS says nothing about whether an authenticated caller should be allowed to see the record it asked for, so the USPS flaw above would have been just as exploitable over a perfectly configured TLS connection.
Next, API managers whose interfaces handle card payments should make them PCI DSS compliant. The Payment Card Industry Data Security Standard is a set of requirements for protecting cardholder data as it is stored, processed and transmitted. The PCI Security Standards Council itself doesn’t enforce compliance (the card brands and acquiring banks do, through their contracts with merchants), but its security principles are sound for any online business willing to adopt them.
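The difference between "we use SSL" and an actually verified connection is mostly configuration. The following is an added example, not code from the original article: a Python client-side TLS context configured the careless way next to the hardened way, with a small audit function that can be dropped into a test suite so a "temporary" verify-off setting never reaches production unnoticed. The function names are this example's own.

```python
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """Constructed example of a common mistake: 'encrypted' but never verified.

    With hostname checking and chain verification switched off, the client
    completes a handshake with whoever answers on the port, so an on-path
    attacker can terminate the TLS session and read the payload in the clear.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, self-signed or forged
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client context with the settings a payments integration should insist on."""
    ctx = ssl.create_default_context()            # system CA bundle, CERT_REQUIRED, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0 and TLS 1.1 outright
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return transport-security findings for a context; an empty list means clean."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("deprecated protocol versions (TLS < 1.2) are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "OK")
```

The audit deliberately checks the context object rather than making a network connection, so it runs offline in CI; the same three properties are what you would look for in any HTTP client wrapper that takes a `verify=False` style escape hatch.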
Review common API vulnerabilities
While APIs vary depending on the industry they serve, many share similar internal processes, and thus similar flaws. This means a few basic protections can prevent even the most egregious attacks.
API managers should periodically review their software for known classes of design flaws, especially if the API is exposed on the internet. Broken authentication and authorization, cross-site scripting, and insufficient logging and monitoring are all frustratingly common vulnerabilities in web applications. Here is a list of frequent problems designers could miss, each bundled with an easy-to-implement countermeasure.
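The USPS flaw described earlier and the "broken authentication" item above are the same mistake seen from two sides: the API confirmed who was calling and then answered any question at all. The following is an added example written for this article, not USPS code or code from the original page. It models a tracking-style account API with an in-memory store (constructed sample accounts and session tokens) and shows the vulnerable handlers beside hardened ones that check, for every object, whether the caller owns it.

```python
import fnmatch
from typing import Dict, List

# Constructed in-memory data standing in for the session and account stores.
SESSIONS: Dict[str, str] = {"token-alice": "alice", "token-bob": "bob"}
ACCOUNTS: Dict[int, Dict[str, str]] = {
    1001: {"owner": "alice", "email": "alice@example.com", "street": "1 Main St"},
    1002: {"owner": "bob",   "email": "bob@example.com",   "street": "2 Oak Ave"},
}


class Unauthenticated(Exception):
    """No valid session token (would be an HTTP 401)."""


class Forbidden(Exception):
    """Valid session, but not allowed to see this record (HTTP 403, or 404 to hide existence)."""


def _caller(token: str) -> str:
    """Authentication: map a session token to a user, or reject the request."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthenticated() from None


# --- vulnerable: authentication only, the USPS pattern -----------------------

def get_account_vulnerable(token: str, account_id: int) -> Dict[str, str]:
    _caller(token)               # checks WHO is asking...
    return ACCOUNTS[account_id]  # ...but never whether they may see THIS record


def search_vulnerable(token: str, email_pattern: str) -> List[Dict[str, str]]:
    _caller(token)
    # A wildcard such as "*" hands back every customer in the system.
    return [a for a in ACCOUNTS.values() if fnmatch.fnmatch(a["email"], email_pattern)]


# --- hardened: authorization decided per object --------------------------------

def get_account_hardened(token: str, account_id: int) -> Dict[str, str]:
    user = _caller(token)
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != user:
        # One error for both "does not exist" and "not yours": distinguishing
        # them would let a caller enumerate which account numbers are valid.
        raise Forbidden()
    return record


def search_hardened(token: str, email_pattern: str) -> List[Dict[str, str]]:
    user = _caller(token)
    mine = [a for a in ACCOUNTS.values() if a["owner"] == user]  # scope to the caller first
    return [a for a in mine if fnmatch.fnmatch(a["email"], email_pattern)]  # then filter


if __name__ == "__main__":
    print("alice reads bob's record:", get_account_vulnerable("token-alice", 1002))
    print("alice searches everyone:", len(search_vulnerable("token-alice", "*")), "records")
    try:
        get_account_hardened("token-alice", 1002)
    except Forbidden:
        print("hardened: alice reading bob's record is refused")
    print("hardened search:", search_hardened("token-alice", "*"))
```

The important structural point is where the scoping happens: the hardened search narrows the data set to the caller's own records before applying the user-supplied pattern, so no wildcard can widen it. Doing the ownership check in a shared helper and calling it from every handler is what stops the next endpoint from repeating the mistake.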
What exactly is your API designed for?
The vast majority of API security breaches are not sophisticated hacks carried out by expert teams in a purpose-built facility. In reality, APIs are relatively straightforward: they do exactly what they were designed to do. The trouble is that all too often nobody asked who else could call the API, or what else it could be asked for. The USPS flaw is typical: the API worked as built, it simply answered questions it should have refused.
According to one survey, companies manage an average of 363 different APIs, 70% of which are public-facing. The sheer number of interfaces interacting with each other generates the occasional misstep by itself, before the side effects of public exposure are counted. It’s no wonder unintended vulnerabilities are targets for malicious actors.
A vulnerability can’t be exploited until someone finds it, and attackers are actively looking, so API managers should ask these broad questions well before the design stage:
- What information will your API access?
- Who will access it?
- Where might it be unintentionally distributed?
If you establish the sensitivity of the data beforehand and limit the scope of access accordingly (which fields each kind of caller actually needs, and nothing more), you’ll be better equipped to ask the right design questions before they become problems.
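One concrete way to answer "what information will the API access, who will access it, and where might it end up" is to write the answer down as an allowlist and enforce it on every response. The following is an added example for this article, not the original page's code: a constructed field allowlist per caller scope for a mail-tracking style record, a projection function that applies it with default deny, and a helper that reports which fields can never reach a public caller. The scope names and sample record are this example's own assumptions.

```python
from typing import Dict, Iterable, List, Set

# Constructed allowlist: which fields each scope may receive. A field that is
# in a record but in none of these sets is never returned to anyone.
FIELD_ALLOWLIST: Dict[str, Set[str]] = {
    # businesses and marketers tracking a campaign
    "tracking:read": {"tracking_id", "status", "last_scan"},
    # the customer looking at their own mail
    "account:owner": {"tracking_id", "status", "last_scan",
                      "recipient_name", "street", "email"},
    # internal support staff, never issued to public clients
    "support:internal": {"tracking_id", "status", "last_scan",
                         "recipient_name", "street", "email", "notes"},
}


def project(record: Dict[str, object], scopes: Iterable[str]) -> Dict[str, object]:
    """Return only the fields the caller's scopes permit (default deny).

    Unknown scopes contribute nothing, and a field that is in no allowlist
    never leaves the API, so adding a column to the database does not
    silently widen what a public caller receives.
    """
    allowed: Set[str] = set()
    for scope in scopes:
        allowed |= FIELD_ALLOWLIST.get(scope, set())
    return {key: value for key, value in record.items() if key in allowed}


def unreachable_fields(record: Dict[str, object],
                       public_scopes: Iterable[str] = ("tracking:read",)) -> List[str]:
    """Fields a public caller can never see; answers 'where might this be distributed?'."""
    visible: Set[str] = set()
    for scope in public_scopes:
        visible |= FIELD_ALLOWLIST.get(scope, set())
    return sorted(set(record) - visible)


# Constructed sample record, including a field no scope is allowed to see.
SAMPLE_RECORD: Dict[str, object] = {
    "tracking_id": "TRK-0001",
    "status": "In transit",
    "last_scan": "2024-05-01T10:00:00Z",
    "recipient_name": "A. Customer",
    "street": "1 Main St",
    "email": "a.customer@example.com",
    "notes": "Left with neighbour last time",
    "fraud_flag": True,
}

if __name__ == "__main__":
    print("marketer sees:", project(SAMPLE_RECORD, ["tracking:read"]))
    print("owner sees:", project(SAMPLE_RECORD, ["account:owner"]))
    print("never public:", unreachable_fields(SAMPLE_RECORD))
```

Running the projection at the API boundary, rather than trusting each handler to pick fields by hand, is what makes the data inventory enforceable: the allowlist is the single place to review when a new field or a new type of caller is added.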
The simple fact is that no API will ever be hackproof, and even a post-launch fix can introduce a regression or a new weakness of its own. To minimize such incidents, API managers must be willing to address potential problems before they become disasters: the earlier a vulnerability is discovered and fixed, the less likely your business is to suffer from it later.