Neil Madden - API Security in Action MEAP V10

MEAP Edition

Manning Early Access Program

API Security in Action

Version 10

For more information on this and other Manning titles go to

manning.com

This chapter covers

What is an API

What makes an API secure or insecure

Defining security in terms of goals

Identifying threats and vulnerabilities

Mechanisms for achieving security goals

Application Programming Interfaces (APIs) are everywhere. Open your smartphone or tablet and look at the apps you have installed. Almost without exception those apps are talking to one or more remote APIs to download fresh content and messages, poll for notifications, upload your new content, and perform actions on your behalf.

Load your favorite web page with the developer tools open in your browser, and you likely see dozens of API calls happening in the background to render a page that is heavily customized to you as an individual (whether you like it or not). On the server, those API calls may themselves be implemented by many microservices , communicating with each other via internal APIs.

Increasingly, even the everyday items in your home are talking to APIs in the cloudfrom smart speakers like Amazon Echo or Google Home, to fridges, electricity meters, and lightbulbs. The Internet of Things (IoT) is rapidly becoming a reality in both consumer and industrial settings, powered by ever-growing numbers of APIs in the cloud and on the devices themselves.

While the spread of APIs is driving ever more sophisticated applications that enhance and amplify our own abilities, they also bring increased risks. As we become more dependent on APIs for critical tasks in work and play, we become more vulnerable if they are attacked. The more APIs are used, the greater their potential to be attacked. The very property that makes APIs attractive for developers, ease of use, also makes them an easy target for malicious actors. At the same time, new privacy and data protection legislation such as the GDPR in the EU place legal requirements on companies to protect users data, with stiff penalties if data protections are found to be inadequate.

GDPR

The General Data Protection Regulation (GDPR) is a significant piece of EU law that came into force in 2018. The aim of the law is to ensure that EU citizens personal data is not abused and is adequately protected by both technical and organizational controls. This includes security controls that will be covered in this book, as well as privacy techniques such as pseudonymization of names and other personal information (which we will not cover) and requiring explicit consent before collecting or sharing personal data. The law requires companies to report any data breaches within 72 hours and violations of the law can result in fines of up to 20 million or 4% of the worldwide annual turnover of the company. Other jurisdictions are following the lead of the EU and introducing similar privacy and data protection legislation.

This book is about how to secure your APIs against these threats so that you can confidently expose them to the world.

To illustrate some of the concepts of API security, consider an analogy from real life: taking your driving test. This may not seem at first to have very much to do with either APIs or security, but as you will see there are similarities between aspects of this story and key concepts that you will learn in this chapter.

You finish work at 5pm as usual. But today is special. Rather than going home to tend to your carnivorous plant collection and then flopping in front of the TV, you have somewhere else to be. Today you are taking your driving test.

You rush out of your office and across the park to catch a bus to the test center. As you stumble past the queue of people at the hot dog stand, you see your old friend Alice walking her pet alpaca, Horatio.

Hi Alice! you bellow jovially, Hows the miniature recreation of 18th century Paris coming along?

Good! she replies. You should come and see it soon.

She makes the universally recognized hand-gesture for call me and you both hurry on your separate ways.

You arrive at the test center a little hot and bothered from the crowded bus journey. If only you could drive, you think to yourself! After a short wait, the examiner comes out and introduces himself. He asks to see your learners driving license and studies the old photo of you with that bad haircut you thought was pretty cool at the time. After a few seconds of quizzical stares, he eventually accepts that it really is you, and you can begin the test.

Explanation Most APIs need to identify the clients that are interacting with them. As these fictional interactions illustrate, there may be different ways of identifying your API clients that are appropriate in different situations. As with Alice, sometimes there is a long-standing trust relationship based on a history of previous interactions, while in other cases a more formal proof of identity is required, like showing a driving license. The examiner trusts the license because it is issued by a trusted body, and you match the photo on the license. Your API may allow some operations to be performed with only minimal identification of the user but require a higher level of identity assurance for other operations.