Quick Guide - How to secure APIs.

What is an API?

An API is a set of protocols used for building software applications; it specifies how software components should interact with each other. API’s are tightly linked with IoT because they allow a business to securely expose connected devices to customers and other applications within their IT infrastructure. Because API’s connect important “things,” like cars, internal (legacy) applications, smart grids, medical devices and thermostats, to an ecosystem, it’s critical to deploy API management that is flexible, scalable, and secure.

 API’s provide the ability to glue and integrate services, leaving developers to focus on application interaction instead of the applications themselves. APIs allow developers to build context-based applications that can interact with the physical world, instead of purely through UI. API’s are a key ingredient in the development of open applications and can integrate with other applications and services

API’s can be external services requiring an “API key” for use, or they can be free of public use. With the help of API’s, a single app can utilize software written with multiple programming languages — thanks to a unified architectural style called REST.

APIs Security Testing Methodology

Based on our skill-set and cyber security domain expertise, our methodology revolves around the following main categories of testing:

1. Communication Channel – Encryption at the transport layer is the first step towards ensuring the API’s designed are secure. Lack of encryption could allow an eavesdropper to read and tamper the data a.k.a. conduct man in the middle attacks.
2. Rate Limiting or Throttling – With no throttling in place e.g. for API’s handling authentication, this could result in system overload during the peak traffic hours. Good practice would be enforcing system wide quota so that the resource overload is distributed evenly at the backend.
3. Unhandled HTTP methods - API’s talk over HTTP using several different HTTP verbs for retrieving, saving, deleting data at the backend. At times, some web servers have insecure defaults for unsupported HTTP methods. Verbs that aren’t included explicitly could give access to backend data by default. We assess the API end-point using all the HTTP verbs available and observe the behaviour from the server side. The list also includes arbitrary methods in some cases depending on the web server used to support the API
4. Parameter Tampering – This test helps us understand the exception handling behaviour designed at the backend. This is also the part of end-point fuzzing where special characters are sent as parameter values to notice change in the response from the server side.
5. SOAP / XML supporting API – Legacy API’s still relying on Soap and XML are ripe targets for vulnerabilities like XML encryption, external entity attacks and denial of service (billion laughs) among others. Our fuzzing payload carries checks for SOAP / XML supporting end points to ensure entire attack surface is tested.
6. Business Logic Flaws – By using alternate routes to access the data, our consultants try to bypass the known routes used by the API developers. Alternative routes and calls to obtain data outside their boundaries could exploit the business logic designed within the API.

Key benefits

• Improving Security culture
• Good governance
• Compliance with Standards
• Cost Management
• Customer and partner assurance
• Encourage proactive approach to detect threats
• Catch attacks at the early age
• Fast turnaround times for Cyber Essentials (from 24 hours to a few days for Cyber Essentials Plus)

About Defendza (https://www.defendza.com )

Defendza is a specialist provider offering cyber security consulting, training services and managed security services. We deliver a truly independent third-party opinion, unbiased expertise free from any inclinations towards vendor partnerships, reselling objectives or promoting any security products. We pride ourselves in being a partner of choice for our clients and helping with their IT security and compliance requirements.