How to Secure Your Precious APIs | Serverless360

How to Secure Your Precious APIs

This blog is a transcript of the session “How to secure your precious API with API Management” by Mike Budzynski, Program Manager on the API Management team, at Integrate 2020.

Introduction

Last year, Gartner published a detailed whitepaper on what you need to do to protect your APIs, in which they predicted that by 2021, 90% of web-enabled applications will have more attack surface in the form of exposed APIs than in the UI, up from 40% in 2019.

They also predicted that by 2022, API abuses will move from an infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications.

To get more context and value out of this session, take a close look at the picture below, which lists a few API attack and breach incidents.

1 – list of attacks

Last year, an incident happened on GitHub Enterprise where one of their APIs allowed OAuth app authorization to be bypassed. A few things to observe about this incident:

  • The bug was reported by a security researcher through the bug bounty program
  • The bug was in the API layer
  • The bug was root-caused and fixed in just three hours

Web app vs API security 

Back in 2017, the OWASP community listed the top 10 web application threats that most web applications were prone to.

2 – web app vs API security

Web applications are not the only target of these attacks; APIs are attacked too. Here is the top 10 list of API vulnerabilities that the OWASP community arrived at in 2019.

3 – OWASP API top 10

Azure API Management 

4 – API Management in Azure

APIM instances can be updated or altered through the management plane, which can be accessed from different tools such as the VS Code extension, the Azure portal, PowerShell and ARM templates.

Observability can be achieved by integrating APIM with Azure Monitor, Azure Application Insights and Azure Event Hubs.

Layered defence 

5 – layered defence

The above picture represents the typical flow of an API request. A user interacts with a client application or device, which makes a call to the firewall, then to the gateway, and finally to the backend APIs. The response travels back through the same layers.

The firewall blocks suspicious requests, the gateway forwards valid requests along with the data needed for authorization, and finally the backend APIs accept requests only from a trusted source and perform fine-grained authorization.

APIM offers a significant number of policies, which fall into a few categories such as security, caching and more. Policies are expressed as XML, into which you can also inject C# code for extra flexibility and to meet custom requirements.

6 – code snippet

Policy scope 

7 – policy scope

Product 

Products are how APIs are surfaced to developers. Products in APIM will have one or more APIs and are configured with a title, description, and terms of use. Products can be Open or Protected. 

API

Each API contains a reference to the back-end service that implements the API, and its operations map to the operations implemented by the back-end service. 

Operation 

Each API represents a set of operations available to developers. Operations in APIs map to the operations implemented by the back-end service. Operations in APIM are highly configurable, with control over URL mapping, query and path parameters, request and response content, and operation response caching. Rate limits, quotas, and IP restriction policies can also be implemented at the API or individual operation level. 
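As an added example (not from the session or the APIM documentation), the following operation-scoped policy shows how the XML and inline C# expressions described above combine the IP restriction, rate limit and quota mentioned here; the address range and the numeric limits are assumed values:

```xml
<!-- Added example policy (not from the session), applied at operation scope.
     <base /> runs the policies inherited from the API, product and global scopes first. -->
<policies>
    <inbound>
        <base />
        <!-- Accept calls only from the partner's egress range (constructed sample range). -->
        <ip-filter action="allow">
            <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>
        <!-- Per-caller rate limit: the C# expression keys the counter on the client IP address. -->
        <rate-limit-by-key calls="10" renewal-period="60"
                           counter-key="@(context.Request.IpAddress)" />
        <!-- Daily quota keyed on the subscription, falling back to the IP for anonymous calls. -->
        <quota-by-key calls="1000" renewal-period="86400"
                      counter-key="@(context.Subscription != null ? context.Subscription.Id : context.Request.IpAddress)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```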

API Management to the rescue

Below is the list of OWASP threats (marked in the picture) that APIM can protect users against.

8 – APIM to the rescue

Improper assets management 

It is not recommended to expose specific backend resources or deprecated APIs and versions, and the HTTP methods on exposed resources should be limited. APIM allows you to manage the various versions under the hood.

9 - assets management in APIM

Security misconfigurations

Security misconfigurations are one of the major threats to APIs. The common ways to prevent them are to enforce HTTPS traffic for your APIs (in other words, disable HTTP traffic), to manage the allowed protocols and ciphers, and to always restrict cross-origin resource sharing.

10 – Security misconfigurations

DEMO – Disabling HTTP Endpoint

By default, calling your API endpoint works over both HTTP and HTTPS. We need to block HTTP calls to our API. To do this, go to the API Management section in the Azure portal and select the APIs tab.

11 - DEMO - Disabling HTTP Endpoint

In the APIs tab, under General, you can see the URL scheme. By default, your API allows both kinds of request (HTTP and HTTPS). Select the HTTPS option and hit the Save button.

12 – HTTPS selection

Now, when we try calling our API over HTTP, the call fails.

DEMO – Managing Ciphers in Azure Portal

In the Azure portal, go to the API Management section and select Protocol settings. Here you have the option to manage the ciphers used by your API. Before enabling any cipher, be careful: some ciphers are vulnerable.

13 - DEMO - Managing Ciphers in Azure Portal

DEMO – Cross-origin resource sharing

To restrict cross-origin resource sharing, go to API Management in the Azure portal, select the APIs tab and, under All operations, click the Add policy button. From the list of available policies select Allow cross-origin resource sharing, put a * (star) in Allowed headers and Exposed headers, which acts as the default value and allows all values, and select Save.

14 - Allowing cross-origin resource sharing

One drawback of this configuration is that even a malicious website can access our API. To prevent this, put the precise origin of the website that needs to access our API in Allowed origins.

15 - Allowing URL for cross-origin resource sharing
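The two configurations from the demo, written out as the APIM cors policy (an added example, not the session's own code; the origin URL is an assumed value):

```xml
<!-- Added example (not from the session): the cors policy must come first in <inbound>,
     because only it is evaluated on the browser's OPTIONS preflight request. -->

<!-- 1. The demo's first configuration: * everywhere. Any site, including a malicious one,
        may call the API from a browser. APIM requires allow-credentials="false" with * origins. -->
<cors allow-credentials="false">
    <allowed-origins>
        <origin>*</origin>
    </allowed-origins>
    <allowed-methods>
        <method>*</method>
    </allowed-methods>
    <allowed-headers>
        <header>*</header>
    </allowed-headers>
    <expose-headers>
        <header>*</header>
    </expose-headers>
</cors>

<!-- 2. Restricted version: only the named front-end origin (assumed URL) is allowed,
        methods and headers are listed explicitly, and preflight results are cached. -->
<cors allow-credentials="true">
    <allowed-origins>
        <origin>https://app.example.com</origin>
    </allowed-origins>
    <allowed-methods preflight-result-max-age="300">
        <method>GET</method>
        <method>POST</method>
    </allowed-methods>
    <allowed-headers>
        <header>Content-Type</header>
        <header>Authorization</header>
    </allowed-headers>
    <expose-headers>
        <header>Content-Length</header>
    </expose-headers>
</cors>
```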

Excessive data exposure

Excessive data exposure is another common threat to APIs. In this case, data that should not be returned is exposed along with the response of our API. To prevent excessive data exposure you can:

  • Filter or mask sensitive data in the response of our API
  • Standardize error messages ahead of time

For example, if the card details of a transaction are placed in a header of our API response, they are exposed to every website that calls our API.

DEMO – How to prevent Excessive data exposure

In the Azure portal, inside API Management, select the respective API and call it. The response is in JSON format, and among its headers there is one called Request-Context.

16 – Header exposed by default

This should not be exposed to the outside world. To prevent it, go to the API Management section in the Azure portal and select Add policy from the All operations tab. Under Outbound processing, add the Request-Context header, choose delete in the Action field, and save.

17 – hiding the exposed header
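The same outbound header deletion as a policy, together with the standardized error message the list above recommends (an added example, not the session's own code; the header names other than Request-Context are assumed examples of what a backend commonly adds):

```xml
<!-- Added example (not from the session): API-scope policy that strips headers the backend
     leaks and returns one uniform error body while keeping the details in gateway traces. -->
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- The header shown in the demo; delete it before the response leaves the gateway. -->
        <set-header name="Request-Context" exists-action="delete" />
        <!-- Further server-fingerprinting headers (assumed names for illustration). -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
        <!-- Error details go to Application Insights via trace, never to the caller. -->
        <trace source="api-errors" severity="error">
            <message>@(context.LastError.Source + ": " + context.LastError.Message)</message>
        </trace>
        <!-- Standardized error: keep the status code, replace the body with a fixed shape. -->
        <return-response>
            <set-status code="@(context.Response != null ? context.Response.StatusCode : 500)" reason="Error" />
            <set-header name="Content-Type" exists-action="override">
                <value>application/json</value>
            </set-header>
            <set-body>@{
                return new JObject(
                    new JProperty("error", "The request could not be processed."),
                    new JProperty("requestId", context.RequestId.ToString())
                ).ToString();
            }</set-body>
        </return-response>
    </on-error>
</policies>
```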

Broken Authentication, Authorization

This is one of the most complex topics in API management in any organisation. One team builds the API and others use it, so while developing the API many requests and parameters are misconfigured. The following are some secure ways to protect APIs:

  • API Keys
  • JWT Tokens
  • Client certificates
  • Custom authN and authZ services

18 – Broken authentication, authorization

Custom authentication and authorization is one of the most advanced approaches.

19 - Custom Authentication and Authorization

In the API Management policies, there is a separate policy for the JWT token which can be used to create a JWT token for our API.
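An added example (not from the session) of the APIM validate-jwt policy, which checks the signature, expiry, issuer and audience of the bearer token on every incoming call and rejects the request at the gateway before it reaches the backend; the tenant id, audience, role names and forwarded header name are placeholders:

```xml
<!-- Added example (not from the session): inbound validate-jwt policy. Any call whose token is
     missing, expired, unsigned, or issued for another audience is answered with 401 here. -->
<inbound>
    <base />
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-signed-tokens="true"
                  require-expiration-time="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
        <!-- Signing keys are fetched from the identity provider's metadata document. -->
        <openid-config url="https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <audience>api://{API_APP_ID}</audience>
        </audiences>
        <issuers>
            <issuer>https://login.microsoftonline.com/{TENANT_ID}/v2.0</issuer>
        </issuers>
        <!-- Coarse-grained authorization at the gateway: the caller must hold one of these roles. -->
        <required-claims>
            <claim name="roles" match="any">
                <value>Orders.Read</value>
                <value>Orders.Write</value>
            </claim>
        </required-claims>
    </validate-jwt>
    <!-- Hand the validated subject to the backend so it can do fine-grained authorization. -->
    <set-header name="X-Caller-Id" exists-action="override">
        <value>@(context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt()?.Subject)</value>
    </set-header>
</inbound>
```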

Security-first API Program

To maintain a high level of security for your APIs, here are some tips:

  • Bug bounty program
  • Dedicated security team
  • Enforced through DevOps, Azure Policy

API Management to the rescue

20 - API Management to the rescue

Conclusion

API security is one of the top concerns in embracing API strategies. In this session, you will get to know the common API security flaws, learn how to protect against them, and explore mitigation options if the worst happens.

Closing Notes – Saravana

Saravana Kumar, CEO of Kovai.co, thanked all the attendees of INTEGRATE 2020 for attending the sessions. He also thanked all the team members who worked in the background to orchestrate this event, and the speakers who, despite being in different time zones, made the event even more special. Kovai.co once again proved its dedication to community activities and showed how it gives knowledge back to society. He also talked about the current situation and urged everyone to stay safe. Finally, Saravana informed the attendees about the survey forms, which help Kovai.co build a stronger event next year.