API Security

Fundamentals

Your Handy Guide to Building

a Secure System

practical-devsecops.com
CONTENTS

01 Laying the foundations for API Security

02 Identifying common API security threats and

vulnerabilities

03 Implementing authentication and authorization

mechanisms

04 Encrypting sensitive data in transit and at rest

05 Using threat modeling and penetration testing

to identify potential vulnerabilities

06 Setting up and maintaining a secure infrastructure

07 Keeping your API security practices up-to-date

with new developments and best practices
 Chapter 1
Laying the Foundation for API Security

APIs play a crucial role in modern software development, facilitating

the integration of disparate and distributed systems, applications, and
services. However, as APIs serve as a critical component of modern
technology, they are also vulnerable to cyber-attacks. To minimize the
risk of security breaches and protect the data and functionality of APIs,
it is imperative to implement robust security measures.

Some of the major steps you should follow to lay a strong foundation
for API security are as follows:

1. Understanding Business Requirements

• Determine the security controls necessary to protect the data
and functionality of the API
• Understand the intended use cases of the API

2. Identifying Assets
• Identify data, systems, and services that the API will interact with
• Identify the assets that the API will interact with

3. Assessing Risk
▪ Identify potential threats and vulnerabilities
▪ Types of attacks that could be used to exploit the API
▪ The potential impact of a successful attack

4. Implementing Security Controls

▪ Mitigate identified risks
▪ Authentication and authorization mechanisms
▪ Encryption of sensitive data in transit and at rest
▪ Logging and monitoring to detect and respond to security
incidents

www.practical-devsecops.com @pdevsecops @pdevsecops Practical DevSecOps

 Chapter 1
Laying the Foundation for API Security

5. Testing and Validating

▪ Ensure security controls are working as intended
▪ Ensure security controls are effective in mitigating identified
risks
▪ Perform penetration testing, vulnerability scanning, and security
audits

6. Maintaining and Updating

▪ Regularly update security controls
▪ Stay up-to-date with the latest security best practices
▪ Ensure continued effectiveness in protecting APIs

7. Incident Response Plan

▪ Develop an incident response plan to handle security breaches
▪ Define a well-defined process to follow when a security incident
occurs

www.practical-devsecops.com @pdevsecops @pdevsecops Practical DevSecOps

 Chapter 2
Identifying Common API Security Threats And Vulnerabilities

APIs are susceptible to various forms of threats and vulnerabilities,

which can compromise their data and functionality. Some of the most
common types of API attacks stem from the following sources:

• Injection Attacks: The injection of malicious code or data into an API

can result in unauthorized access to sensitive data or business
functionality.
• Broken Authentication and Session Management: Poor
authentication and session management mechanisms open up
opportunities for attackers to bypass security controls and gain
unauthorized access to API data and functionality.

INJECTION ATTACKS

4 2
User

1
5

The Hacker Server

token access
https://vulnerable-oauth-service.com/aut
horization?client_id=innocent&redirect_u
Authenticated ri=evil-user.net&response_type=token...

ATTACKS BY EXPLOITING OAUTH

User

1. An attacker introduces malicious code into a server

2. A victim accesses the compromised server and gives input
3. Server returns page code with injected script
4. Victims browser executes script and sends session cookies to attacker
5. Attacker hijack the user session

www.practical-devsecops.com @pdevsecops @pdevsecops Practical DevSecOps

 Chapter 2
Identifying Common API Security Threats And Vulnerabilities

• Insufficient Security Controls: Lack of proper encryption or access

controls can increase the risk of security breaches and hijacking of
systems.
• Misconfigured Systems: If the systems hosting the APIs are not
properly configured, they can be vulnerable to attacks and may
exploit known weaknesses in their infrastructure.
• Malicious Insider: Those responsible for maintaining the API and its
underlying systems may also pose a threat by altering sensitive data
or disrupting the system with malicious intent.

To proactively reduce the risk of such attacks, it is important to have

a thorough understanding of the types of attacks that can target an
API, and assess their potential impact. This will aid in the
implementation of appropriate security controls to keep the APIs
secure. Keeping up-to-date with the latest security breaches and
regularly conducting security assessments to identify and remediate
vulnerabilities is also crucial.

www.practical-devsecops.com @pdevsecops @pdevsecops Practical DevSecOps

 Chapter 3
Implementing Authentication and Authorization Mechanism

The security of an API depends significantly on the robustness of its

authentication and authorization mechanisms. Authentication
verifies the identity of a user or a system requesting access to the
API, while authorization determines if an authenticated user is
allowed to perform specific actions or access protected resources.

• Use industry-standard authentication methods: To ensure an

API is secure, it is crucial to implement industry-standard
authentication and authorization frameworks such as Open ID
Connect, and OAuth.

AOuth Authentication Method Example

1
4 User

2
5

Facebook Authenticated Website

1. User opens the website and click share photos from Facebook
2. The website redirects to Facebook
3. Facebook propts user to authorize photo share
4. User agrees
5. Send access token to website and website uses this token to
access facebook photos

www.practical-devsecops.com @pdevsecops @pdevsecops Practical DevSecOps

 Chapter 3
Implementing authentication and authorization mechanism

Open ID Connect Authentication Framework

User wants to Sign in to Adobe

using Google Sign in

User
1

2 3 Authenticated

1. User selects Sign in with Google option to access Adobe

2. Adobe redirects to Google Sign in page
3. Google Authorization End Point checks Google Sign in credentials
and sends token to Adobe to trust the user and authorize sign in

JSON Web Tokens

3 Authenticated
User login to
the website

User
1

Website

1. The website validates credentials and sends token to users browser

2. Browser store JWT token in cookies or local storage
3. JWT tokens website next time without having to provide credentials

www.practical-devsecops.com @pdevsecops @pdevsecops Practical DevSecOps

 Chapter 3
Implementing authentication and authorization mechanism

• Implement Multi-Factor Authentication: Implementing

multi-factor authentication further strengthens security by
requiring users to provide multiple forms of authentication, such
as a password and fingerprint, or a one-time code.

• Use Access Control Lists: The use of Access Control Lists (ACLs)
can also enhance API security by strictly defining the resources or
actions that a user is authorized to access.

• Use the Least Privilege Principle: Adhering to the principle of

least privilege, where users are only given the minimum level of
access required to perform a task, also helps to minimize security
risks to a greater extent.

• Implement Logging And Monitoring: Finally, it is imperative to

implement logging and monitoring of API and its underlying
systems’ activities to detect and address vulnerabilities in a timely
manner.

www.practical-devsecops.com @pdevsecops @pdevsecops Practical DevSecOps

 Chapter 4
Encrypting Sensitive Data in Transit and at Rest

Encryption is an indispensable security control to protect API data in

transit and at rest. However, despite the necessary encryption
measures, there may still be threats attempting to intercept or
manipulate data within an API. When implementing encryption for
your API, it is important to consider the following factors:

• Transport Layer Security (TLS): To prevent eavesdropping and

tampering, securing data in transit between the client and API is
crucial. TLS provides encryption for data transmission, safeguarding
the API from potential Man in The Middle attacks.
• Encryption at Rest: To protect sensitive data stored on servers or
storage devices from unauthorized access, encryption at rest is
necessary. This ensures that even in the event of theft or loss of a
storage device, the data remains secure.
• Strong Encryption Algorithms: The use of strong encryption
algorithms such as AES-256 provides better protection against
cryptographic attacks.
• Key Management Best Practices: Regular rotation of encryption
keys in a frequency that makes sense for a business, helps maintain
the security of encrypted data. Rotating keys helps in maintaining the
security of encrypted data, in cases of accidental key thefts.

www.practical-devsecops.com @pdevsecops @pdevsecops Practical DevSecOps

 Chapter 5
Using Threat Modeling and Penetration Testing
to identify Potential Vulnerabilities

Threat modeling and penetration testing are both equally important

techniques for identifying and securing APIs from potential security
flaws, and vulnerabilities. While threat modeling is more of a
proactive approach that identifies and measures the threat
landscape in an API architecture, penetration testing is usually a
reactive approach and therefore identifies and measures the impact
of existing vulnerabilities in an API.

To ensure comprehensive threat protection for your API, it is

important to follow these key practices:

• Structured Threat Modeling Approach: Utilizing a structured

approach, such as the STRIDE methodology to threat modeling can
provide valuable insights into potential threats. Threat modeling
helps to identify and prioritize areas for improvement in terms of
security.
• Regular Penetration Testing: Regular penetration testing is essential
for identifying and assessing the potential impact of possible threats
and vulnerabilities. A combination of manual and automated testing
methods can provide the most comprehensive penetration testing
results.
• Comprehensive Attack Vector Assessment: Those responsible for
API security must have a broad understanding of all potential attack
vectors, including network-based attacks, web application attacks,
and client-side attacks. This helps to ensure that all possible risks are
considered and mitigated.

www.practical-devsecops.com @pdevsecops @pdevsecops Practical DevSecOps

 Chapter 6
Setting Up and Maintaining a Secure Infrastructure

Setting up and maintaining a secure infrastructure that can

efficiently secure APIs, their underlying systems, networks
connected to it, and services assisting is not easy. Here are some of
the best practices you need to consider for setting up and
maintaining a secure infrastructure for your API.

• Use a Secure Hosting Environment: In order to protect your APIs

from unauthorized access, data breaches, or attacks, it is necessary
to ensure the use of safe hosting environments, such as a private
cloud or a virtual private cloud. When a public cloud is used to host
APIs or cloud services are used to host APIs, then appropriate
security measures need to be in place to control access, and to
protect data at rest, and in transit.
• Implement Network Security: For building a secure infrastructure
for APIs, it is necessary to include firewalls, intrusion detection and
prevention systems, and VPNs. Additionally, network segmentation
and ACLs at the network level need to be implemented to limit access
to critical systems.
• Use a Hardened Operating System: APIs and their underlying
systems will be more secure from vulnerabilities if their infrastructure
uses hardened operating systems.
• Keep Systems Up To Date: Do not miss any security updates, or
delay updating a system with security patches. Keeping systems
updated ensures that the underlying operating systems and their
associated libraries are protected against the latest discovered
threats.
• Perform Regular Security Assessments: Performing security checks
and assessments on a regular basis can help identify vulnerabilities
and mitigate threats at the earliest before vulnerabilities are abused.

10

www.practical-devsecops.com @pdevsecops @pdevsecops Practical DevSecOps

 Chapter 7
Keeping Your API Security Practices Up-to-date with
New Developments and Best Practices

API security is an evolving field and it is important to keep API

security practices up to date with new technology, developments,
and best practices. Staying informed about new threats,
vulnerabilities, attack techniques as well as security controls is
crucial to stay up to date.

• Stay Informed About New Threats And Vulnerabilities: One way to

stay informed about new threats is by participating in security
communities and forums, where you can exchange information and
insights with others in the field of APIs or Security. Additionally, it's
crucial to pay close attention to security alerts and advisories from
programming frameworks, and infrastructure providers, which can
provide important information about new risks and how to address
them.
• Use Industry Standards And Best Practices: Use best practices and
industry standards like OWASP Top 10, NIST Cybersecurity
Framework, and ISO 27001, when designing and implementing your
API security practices.

11

www.practical-devsecops.com @pdevsecops @pdevsecops Practical DevSecOps

Become a Certified API Security Professional

LEARN MORE

© 2023 Hysn Technologies Inc, All rights reserved