GUEST COLUMN
How to build an API with security in mind

A business should protect its API endpoints by using an API gateway that provides robust authentication, authorization, and continuous auditing capabilities.
Application programming interfaces (APIs) are the preferred means of connecting modern applications and have become an indispensable part of application development. Businesses rely on them to share data with developers, third parties, and customers. However, the data they handle and the endpoints they expose also make them an attractive target for attackers seeking unauthorized access to sensitive organizational data. While you can add security features to APIs during or after deployment, that is often not enough. To properly secure them, you need to include security in the design phase and build it in from the ground up. This gives you a far better chance of protecting your API from threats.
Build APIs with a security foundation

Security is a constantly evolving challenge. Cybercriminals are always looking for new ways to exploit vulnerabilities to their benefit. This is why it is important to consider security requirements from the beginning. You must deliberately design what should and what should not be allowed rather than trying to patch things further on in the process.
Design security

Building a secure API starts before a developer writes their first line of code. It begins when they design how the API will work, who it will serve, and what information it will carry. So, this should be addressed before development is in full swing. Thinking about it this way allows for the seamless application of security controls and practices as you build the API. One group that is almost always affected by additional API security measures is the users. For instance, some security measures will require them to provide their credentials regularly. This jumping through hoops degrades the user experience. That is why engaging users in the initial design stage is essential.
Security focal points

There are three focal points that a developer has to consider while creating a secure API: authentication, authorization, and auditing. Let's discuss what each one entails.
1. Authentication

Authentication involves determining who a user is. Methods that can be used to authenticate API users include API keys, HTTP basic authentication, OAuth authentication, and multi-factor authentication (MFA).

- HTTP basic authentication: This involves combining a username and a password, encoding them, and sending them as a special HTTP header in every request. Before a server processes a request, it verifies the client's identity using the credentials sent.
- API key authentication: This involves including a key, a long string of letters and numbers, in the header of every request. The server issues an API key to each user and identifies the client making a request by its API key.
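As an added example (not code from the column), here is a minimal server-side check for the two header-based schemes just described, written in Python with the standard library only. The user, password and API key values are constructed sample data; secrets are stored hashed and compared in constant time, and, because Basic credentials are only Base64-encoded rather than encrypted, the header must travel over TLS.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Mapping, Optional


def _sha256(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


# Constructed sample store (hypothetical values). Only digests are kept, so a
# leaked store does not yield usable credentials; a production service would
# use a salted, slow password hash (bcrypt/Argon2) for the user passwords.
USERS = {"alice": _sha256("correct horse battery staple")}
API_KEYS = {_sha256("k_9f3a2c7e1b4d6a8f0c2e5b7d9a1f3c5e"): "reporting-service"}


def _check_basic(token: str) -> Optional[str]:
    """Decode 'user:password' from the Basic token; return user on success."""
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user)
    # Compare against a dummy digest for unknown users so that response timing
    # does not reveal which usernames exist.
    ok = hmac.compare_digest(expected if expected else bytes(32), _sha256(password))
    return user if ok and expected else None


def _check_api_key(key: str) -> Optional[str]:
    """Hash the presented key and look it up; return the client's name."""
    digest = _sha256(key)
    for stored, client in API_KEYS.items():
        if hmac.compare_digest(stored, digest):
            return client
    return None


def authenticate(headers: Mapping[str, str]) -> Optional[str]:
    """Return the authenticated principal for a request, or None.

    Accepts 'Authorization: Basic <base64>' or 'X-API-Key: <key>'.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token.strip():
        return _check_basic(token.strip())
    if "x-api-key" in lowered:
        return _check_api_key(lowered["x-api-key"].strip())
    return None
```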
JUNE 2023