An API enables new business opportunities by opening up the IT systems of the enterprise. This not only leads to new opportunities but also to new security risks. Information could be stolen, or internal systems could be compromised. To deal with these risks, the API needs to ensure that consumers are properly authenticated and authorized to access the data via the API.
Moreover, the API not only needs to ensure the security of the exposed data, but also the security and availability of the API platform and – to some extent – the security and availability of the backend systems, which are used by the API. The API needs to protect the API platform and the backend systems from overload and attacks.
For API security, it is recommended to follow the widely used protocols:
- OAuth 2.0 for delegation and
- OpenID Connect for identity.
Each API needs to be analyzed for its needs for protection along the following security concerns.
Authentication determines if a user is really who she claims to be. Usually, both clients and end users need to be authenticated by API providers. Authentication may have different strengths, depending on the authentication mechanism and the authentication processes.
Authorization determines which APIs and data an authenticated user is allowed to access. For example, an authorization rule might state that customers are only allowed to use the profile API, whereas trusted partners are allowed to use the complete API portfolio. Another authorization rule might limit the data which is returned by the API; for example, users should only see data about their own account and not data about other users' accounts.
An app would like to access an API to get some data that only the end user is authorized to access. In this scenario, the user needs to delegate her access rights to the app. This could be accomplished if the end user provides her credentials to the third-party app. However, this simple delegation pattern is not secure. With the end user’s credentials, the third-party app has full access to the end user’s account. The access cannot be limited to certain data or to certain operations. Instead, a secure delegation method needs to be used.
An app would like to obtain profile information about the end user, such as the end user’s name, address, birthday and nationality. This information contains private information and needs to be specially protected. The end user needs to consent to the use of her identity attributes.
APIs are publicly exposed and sooner or later they will face attacks. Typical attacks include SQL injection, XML document structure attacks, certificate attacks, or denial of service attacks. The API itself or an appropriate security component needs to put mechanisms in place to prevent these attacks.
The integrity of API Input and Output
If the input and output of the API are critical, the integrity of the data needs to be ensured. There are two cases: (1) Data should not be read by anyone except for the specified receiver. (2) It should be ensured that the data originates from the specified sender, and it should be noticed if the information has been modified by a third party.
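An added example, not part of the original article, of one way to meet case (2): the sender attaches an HMAC-SHA256 tag that lets the receiver check the origin of a message and notice any modification. The shared key, the canonical message layout, the `/payments` path and the five-minute freshness window are assumptions made for this example.

```python
import hashlib
import hmac

MAX_SKEW_SECONDS = 300  # assumed freshness window, limits replay of old messages


def canonical_message(method, path, body, timestamp):
    """Bind method, path, timestamp and a digest of the body into one byte string."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest]).encode()


def sign(key, method, path, body, timestamp):
    """Sender side: HMAC-SHA256 tag over the canonical message."""
    msg = canonical_message(method, path, body, timestamp)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key, method, path, body, timestamp, tag, now):
    """Receiver side: True only if the timestamp is fresh and the tag matches."""
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated message
    expected = sign(key, method, path, body, timestamp)
    # compare_digest keeps the comparison time independent of where tags differ
    return hmac.compare_digest(expected, tag)


# Constructed sample data (hypothetical key, endpoint and payload)
SENDER_KEY = b"constructed-demo-key-not-for-production"
BODY = b'{"account":"A-100","amount":25}'
SENT_AT = 1_700_000_000


def demo():
    """Run the receiver check against an intact message and three bad ones."""
    tag = sign(SENDER_KEY, "POST", "/payments", BODY, SENT_AT)
    tampered = BODY.replace(b"25", b"9925")
    args = ("POST", "/payments")
    return {
        "untampered": verify(SENDER_KEY, *args, BODY, SENT_AT, tag, SENT_AT + 10),
        "modified_body": verify(SENDER_KEY, *args, tampered, SENT_AT, tag, SENT_AT + 10),
        "wrong_sender_key": verify(b"other-key", *args, BODY, SENT_AT, tag, SENT_AT + 10),
        "replayed_late": verify(SENDER_KEY, *args, BODY, SENT_AT, tag, SENT_AT + 3600),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A shared key proves origin only between the two key holders; where a third party must be able to verify the sender, a digital signature takes the place of the HMAC.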