Previous
How To Safeguide Your PCI DSS
Invalid Name
Invalid Email
Invalid Phone Number
This can't be empty
Sept 25 2021
An API key or application programming interface key is a code that gets passed in by computer applications. The program or application then calls the API or application programming interface to identify its user, developer, or calling program to a website. Application programming keys are normally used to assist in tracking and controlling how the interface is being utilized. Often, it does this to prevent abuse or malicious use of the API in question. An API key can act as a secret authentication token as well as a unique identifier.
When and Why to Use API Keys
API keys are used with projects, while authentication is designated for the users. Cloud Endpoints will, in many cases, handle both the authentication procedures as well as the API keys. The differentiating factor between the two is: Authentication tokens are used to identify the users, i.e., the person who is using that particular website or application. API keys are used to identifying the project making the call. This can either be the website or the application that is making the call to the application programming interface.
It is easy to become dismayed by the range of potential attacks against APIs. Since every API is unique, each instance carries unique risk based on its underlying implementation. This would seem to make API security impossible. Fortunately, though, most individual attacks against APIs fall into one of three broad categories:
1. Parameter attacks exploit the data sent into an API, including URL, query parameters, HTTP headers and/or post content.
2. Identity attacks exploit flaws in authentication, authorization, and session tracking. In particular, many of these result in bad practices from the Web migrating into API development.
3. Man-in-the-middle attacks intercept legitimate transactions and exploit unsigned and/or unencrypted data. They can reveal confidential information (such as personal data), alter a transaction in flight, or even replay legitimate transactions.
By understanding these broad categories, we can begin to design an effective mitigation strategy against API attacks. An effective API security strategy should even guard against unforeseen future attack vectors. Each of the three attack categories is described in detail below.
Parameter risks
The classic parameter attack, as already observed, is SQL injection. Parameters designed to load legitimate input into a database query can often be manipulated to radically change the intent of an underlying SQL template. Script insertion exploits systems that ultimately interpret submitted content as a script. The classic example is a snippet of JavaScript submitted into a posting on a Web forum. If this is not intercepted on the way in (and fortunately, virtually all forums now do detect such attacks), any subsequent user reading the post will have the script execute in their browser, potentially hijacking session tokens or other important information. But script injection can also take place server-side, where poorly-designed applications evaluate user-submitted data and respond to encapsulated script. Bounds or buffer overflow attacks are also parameter risks. These attacks attempt to exploit a system by providing its data outside of the expected range or type, which can lead to system crashes, or offer access to memory space. This is the classic attack against C programs that were so popular in the 1990s but still exists today.
Identity and session risks
Hackers have long used forged or stolen credentials to exploit applications on the Internet. In this respect, APIs simply provide another avenue to apply the same attacks. But APIs also open unique attack vectors leveraging identity. A number of these attacks exploit common bad practices originating in the Web app development community. As Web developers move into API development, they often bring bad habits from the conventional Web. Other attacks result from widespread confusion about how APIs differ from traditional Web app development.
Many applications publishing APIs require clients to use an API key to access to their functionality. The name API key, however, is a bit of a misnomer, as it implies that the key is unique to one particular API. In fact, an API key is associated with a client-side application and may be applied across the entire range of different API calls an app might perform. Typically, the API key is an opaque identifier issued to a developer and embedded within their application. Thus, it identifies a particular application but not a particular instance of an application, as this key is common to every copy of the app.
Man-in-the-middle risks
APIs are subject to increased risk from man-in-the-middle attacks when the transmission is not encrypted or signed or when there is a problem setting up a secure session. If an API does not properly use SSL/TLS, all requests and responses between a client and the API server can potentially be compromised. Transmissions may be altered in transit or replayed, and confidential data such as personally identifiable information, session identifiers, etc. may be captured. Even those APIs that use SSL/TLS are at risk if this is improperly configured on the server-side, if the server is subject to downgrade attacks on ciphers or if the client is not properly validating the secure session (such as full certificate validation, following trust chains, the trust of compromised or suspect CAs, etc.)
Some of this risk is the result of persistent cultural issues. In the Web app world, SSL is usually only engaged on a handful of “important” transactions, such as credit card or password submission. Certainly, these data need protection but so do the session keys that accompany other run-of-the-mill transactions following an initial sign-on. Tools such as Firesheep, which easily intercept cookies in unencrypted Web transmissions, dramatically illustrate the risks associated with this approach.
The best practice for API security architecture is to separate out API implementation and API security into distinct tiers. These separate tiers emphasize that API design and API security are essentially different roles requiring different expertise. This is a very logical separation of concerns, one that focuses expertise on the right problem at the right time. Under this model, an API developer can focus completely on the application domain, ensuring that each API is well designed and promotes integration between different apps. This releases the developer from responsibility for securing the published API, as this will be performed by dedicated API security professional. The API security expert is responsible for applying security policy consistently across the organization. Their focus is on identity, threats, and data security-in other words, each of the issues and threats highlighted in this paper.
It is vitally important to give anyone performing this critical role the right tools for the job, as they will need to separate out security from the actual API implementation.CA API Gateway is the right tool. This is a hardened appliance, which is provided in either a physical or virtual form factor and is generally deployed in an organization’s DMZ, as shown in Figure B below. It is the secure proxy between the internal application and the outside Internet.
With us, you can strengthen the security system of your organization and add financial value to the business.
Very urgent? Call us at +1 657-221-1565
Invalid Name
Invalid Email
Invalid Phone Number
This can't be empty
With us, you can strengthen the security system of your organization and add financial value to the business.
Very urgent? Call us at +1 657-221-1565
Invalid Name
Invalid Email
Invalid Phone Number
This can't be empty