API Security Hygiene: Floss and Brush Daily
October is an important month for security practitioners. It’s National Cyber Security Awareness Month, but it also happens to be National Dental Hygiene Month. October reminds us not only that safeguarding digital assets is everyone's business, but also of the security hygiene that we need to practice on a daily basis.
How does security hygiene manifest itself in the API-centric world? What kind of flossing and brushing should be part of your API security routine?
The answer depends on the role you play in protecting digital assets in the API value chain. First, let's review the roles of API protectors within an API value chain:
• The app developer is responsible for creating apps (web, mobile, desktop) consumed by end users.
• The API developer creates and exposes APIs that are consumed by apps.
• The business user is responsible for business impact and overall governance, sponsors digital transformation in the organization, and consumes analytics data to gain insights into the API program and platform.
• The IT manager ensures API services availability and security, and manages IT governance.
The API value chain and the API protector roles
There’s a baseline level of security hygiene applicable to all of these roles, including:
• Role-based access control (RBAC) for all users - Every user should be provisioned with the least privilege (permissions) required for their role. This protects data and API management functionality from both user error and malicious behavior.
• Rigid password policy compliance - Strong, unique passwords should be used for accessing tools such as developer portals and management consoles, ideally behind multi-factor authentication. Many organizations still enforce a 90-day password change policy to limit how long a stolen password stays useful; note that current NIST guidance (SP 800-63B) recommends against forced periodic rotation, favoring screening against known-breached passwords and changing a password when there is evidence of compromise.
• Fine-grained keys - Application keys provisioned to developers should follow the least-privilege model to minimize unnecessary exposure of API services to apps. For example, if an application doesn't need to update a user profile, the key associated with that application must not have the privilege to invoke an API that performs a profile update. Furthermore, every app should be provisioned with its own unique key, so that exposure of one key does not compromise every app and the leaked key can be revoked without affecting the others.
There’s a certain amount of additional security hygiene expected from each of the roles supporting the API value chain.
On the app developer front, API key theft is one of the major threats organizations face today. In addition to user-level authentication, apps authenticate to APIs using a key and a key secret, which is typically embedded in the app, and anything embedded in a shipped client (a mobile binary, a JavaScript bundle) must be assumed extractable. Exposure of the app key can result in unauthorized access to data (via published APIs) by malicious users and bots, so app keys should be rotated periodically, and immediately on suspicion of compromise, to limit the damage from key theft. Note that rotating keys for mobile, web, and desktop apps requires additional steps, such as shipping an update with the new key while continuing to accept the old key for an overlap window, then revoking the old key once clients have migrated.
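The two key-hygiene points above (one least-privilege key per app, and rotation with an overlap window) can be demonstrated in a small gateway-side key registry. This is an added example, not Apigee's implementation; the app names, operation strings and overlap period are constructed for illustration.

```python
"""Gateway-side registry for per-app API keys: least-privilege operation
grants per key, and rotation with an overlap window so already-shipped
mobile and desktop builds keep working until they pick up the new key.
Added example with constructed app names and operations; it is not
Apigee's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def _digest(key: str) -> bytes:
    # Store only a hash of each key; a leaked registry then reveals no usable keys.
    return hashlib.sha256(key.encode()).digest()


@dataclass
class AppCredential:
    app: str
    allowed_ops: frozenset                  # least privilege: only what this app calls
    current_hash: bytes
    previous_hash: Optional[bytes] = None   # accepted only during the overlap window
    previous_expires: int = 0               # unix time after which the old key is refused


class KeyRegistry:
    def __init__(self) -> None:
        self._creds = {}  # app name -> AppCredential

    def provision(self, app: str, allowed_ops) -> str:
        """One unique key per app, scoped to the listed operations. Returns the
        plaintext key exactly once; only its hash is retained."""
        key = secrets.token_urlsafe(32)
        self._creds[app] = AppCredential(app, frozenset(allowed_ops), _digest(key))
        return key

    def rotate(self, app: str, now: int, overlap_seconds: int) -> str:
        """Issue a new key and keep the old one valid for overlap_seconds so
        clients can be updated without an outage; after that it is refused."""
        cred = self._creds[app]
        cred.previous_hash = cred.current_hash
        cred.previous_expires = now + overlap_seconds
        key = secrets.token_urlsafe(32)
        cred.current_hash = _digest(key)
        return key

    def authorize(self, presented_key: str, op: str, now: int):
        """Return (allowed, detail). An unknown or expired key and a key that
        lacks the privilege for `op` are both refused."""
        h = _digest(presented_key)
        for cred in self._creds.values():
            matches_current = hmac.compare_digest(h, cred.current_hash)
            matches_previous = (cred.previous_hash is not None
                                and now < cred.previous_expires
                                and hmac.compare_digest(h, cred.previous_hash))
            if not (matches_current or matches_previous):
                continue
            if op not in cred.allowed_ops:
                return False, f"{cred.app}: key has no privilege for {op}"
            return True, cred.app
        return False, "unknown or expired key"


if __name__ == "__main__":
    reg = KeyRegistry()
    viewer_key = reg.provision("catalog-viewer", {"GET /v1/products"})
    print(reg.authorize(viewer_key, "GET /v1/products", now=0))   # allowed
    print(reg.authorize(viewer_key, "PUT /v1/profile", now=0))    # refused: read-only app
```

The overlap window is the part that matters operationally: a key that is revoked the instant its replacement is minted breaks every installed mobile build at once, while a window that is never closed defeats the rotation. Pick the window from your release telemetry, then revoke.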
API developers periodically need to review the API products exposed to app developers and ensure that the APIs exposed to internal users, partners, and external users are provisioned with the right API access control. For example, check that each API accepts only the OAuth grant type appropriate to its consumers (authorization code for user-facing apps, client credentials for server-to-server partner integrations) and that OAuth scopes limit what each access token can do, so a token issued for reading a profile cannot be used to update it.
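Scope enforcement at the API layer looks like the following. This is an added, self-contained example (standard library only), not Apigee policy configuration: the routes, scope names and the HS256 signing key are constructed here. A production gateway would typically verify tokens issued by its authorization server with an asymmetric algorithm and a JWKS, but the scope check itself is the same.

```python
"""Enforcing OAuth 2.0 scopes at the API layer. Added example: a
stdlib-only HS256 bearer-token check plus a per-route scope table; the
routes, scopes and signing key are constructed and not from any real
deployment."""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Route -> scopes required. A write on /profile needs profile:write;
# a read-only token must never unlock it.
REQUIRED_SCOPES = {
    ("GET", "/v1/profile"): {"profile:read"},
    ("PUT", "/v1/profile"): {"profile:write"},
    ("GET", "/v1/orders"): {"orders:read"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, scopes, now: int, ttl: int = 3600) -> str:
    """Authorization-server side: mint an HS256 JWT whose 'scope' claim is the
    conventional space-delimited list."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "scope": " ".join(sorted(scopes)), "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int) -> dict:
    """Resource-server side: pin the algorithm, verify the signature, check
    expiry. Returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the verifier
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def authorize_request(method: str, path: str, token: str, now: int):
    """Gateway decision for one request: (http_status, detail)."""
    route = (method, path)
    if route not in REQUIRED_SCOPES:
        return 404, "no such route"
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return 401, str(exc)
    granted = set(claims.get("scope", "").split())
    missing = REQUIRED_SCOPES[route] - granted
    if missing:
        return 403, "insufficient_scope: " + " ".join(sorted(missing))
    return 200, claims["sub"]


if __name__ == "__main__":
    t = issue_token("alice", {"profile:read"}, now=1_700_000_000)
    print(authorize_request("GET", "/v1/profile", t, 1_700_000_100))  # 200
    print(authorize_request("PUT", "/v1/profile", t, 1_700_000_100))  # 403, missing profile:write
```

The review question for the API developer is whether every route appears in a table like REQUIRED_SCOPES with the narrowest scope that still serves its consumers; a route with no entry, or one whose scope is shared by everything, is the gap.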
Business users should review the requirements of data protection standards and factor in any new privacy and compliance requirements for the data delivered via APIs. For example, personally identifiable information (PII) data delivered via APIs may have cross-border protection requirements. It’s important to verify that consumer data is being collected with user consent and to ensure governance of the PII and sensitive data.
IT managers should periodically review API audit logs to detect suspicious activity. This can be automated by feeding the audit logs into security information and event management (SIEM) tools such as our predictive analytics platform Apigee Insights, or Splunk and Sumo Logic. Configured with appropriate anomaly rules (for example, one app key suddenly used from many source addresses, a burst of authentication failures from a single client, or management-console changes made by an unexpected account), these tools can detect unusual API access patterns or management activities and alert security operations staff.
Good security hygiene prepares organizations to fend off new threats and avoid a painful “root canal” type exercise to respond to the next Heartbleed or Shellshock event. Take a moment to review and improve your security practices so no one gets spooked (this month does end with Halloween, by the way) by any security incident that could have been prevented by meticulous hygiene.
image: Simon Cocks/Flickr