API security is crucial for success. Every day, we face many risks and threats that impose different levels of danger, both known and unknown. We value security because it protects our time, resources, convenience, stability, and most importantly, peace of mind. Knowing that you are in good hands is rewarding. This article will discuss what API security is and why securing APIs and integrations is important. It will also provide tips for securing your APIs and integrations, particularly with MuleSoft Anypoint Platform.
Why is securing APIs and integrations important?
As the digital world has evolved, organisations have become reliant on APIs to connect multiple services and exchange data. API usage will continue to increase as it becomes an essential part of every organisation. However, since APIs enable access to a wealth of data and resources, they are becoming a primary target for sophisticated attackers. Therefore, it is important to prevent and mitigate these attacks.
OWASP (the Open Web Application Security Project), a non-profit foundation, recently announced the candidate API Security Top 10 vulnerabilities for 2023, so we have created seven (7) tips to help prevent most of these vulnerabilities, as outlined below.
Tips in Securing APIs and Integrations
1. Secure your APIs during the design and planning process
Considering security during your design process is very important and key to your success. However, there are times when developers skip this part of the process and dive straight into development. By planning and documenting your APIs, you can gain a good understanding and visibility of your APIs, endpoints, and how they are being used.
It’s also important to keep documentation up-to-date as it will benefit your organisation with transparency. In the future, it will be easier to modify and maintain these APIs. When publishing different versions, the organisation also needs to plan when the older versions will need to retire. Unused or older versions which have vulnerabilities must be deprecated and decommissioned as soon as possible.
- Use RAML or OpenAPI to document your APIs.
- Define the security schemes (authentication) used to secure your API and apply them to any or all resources using the securedBy attribute.
- Define the allowed content types using the Content-Type and/or Accept header attributes.
- Restrict each resource by specifying only the HTTP methods that are allowed.
- Define and enforce validation on all incoming parameters and request bodies.
- Define errors, responses, redirects, rate limiting and cross-origin resource sharing (CORS), where applicable.
- Share the documentation only with those authorised to use the API.
Implementing the above would minimise these vulnerabilities: unrestricted resource consumption, broken authorisation, server-side request forgery, security misconfiguration, improper assets management and unsafe consumption of APIs.
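The following is an added example (not code from the article, nor MuleSoft code) of what enforcing the declared contract from the list above looks like at a gateway: a small, RAML-like description of one resource (securedBy, allowed methods, accepted content types, parameter constraints) checked against constructed sample requests before any implementation code runs. The SPEC dictionary, check_request() and the sample requests are assumptions made for this illustration, not Anypoint Platform APIs.

```python
"""Spec-driven request checks, as described in tip 1.

Added example (not from the article, nor MuleSoft code): a small,
RAML-like description of one resource enforced against constructed sample
requests. The SPEC dictionary, check_request() and the sample requests
are assumptions made for this illustration, not Anypoint Platform APIs.
"""
import re

# Declarative contract for one resource, mirroring the RAML concepts in tip 1:
# securedBy, the allowed HTTP methods, accepted content types and parameter rules.
SPEC = {
    "securedBy": ["oauth_2_0"],
    "methods": {
        "GET": {"accept": ["application/json"]},
        "PUT": {"contentType": ["application/json"], "accept": ["application/json"]},
    },
    "uriParameters": {"id": {"pattern": r"^[0-9]{1,10}$"}},
    "queryParameters": {"limit": {"type": "integer", "minimum": 1, "maximum": 100}},
}
ROUTE_RE = re.compile(r"^/customers/(?P<id>[^/]+)$")


def check_request(req, spec=SPEC):
    """Return (status, reason) for a request dict with keys method, path, headers, query.

    (200, "ok") means the request conforms to the declared contract; any other
    status is the rejection a gateway would return before the API implementation runs.
    """
    match = ROUTE_RE.match(req["path"])
    if not match:
        return 404, "unknown resource"
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}

    # securedBy: unauthenticated calls are rejected before anything else is inspected.
    if spec["securedBy"] and not headers.get("authorization", "").startswith("Bearer "):
        return 401, "missing bearer token"
    # Only the explicitly declared HTTP methods are reachable.
    method = spec["methods"].get(req["method"].upper())
    if method is None:
        return 405, "method not allowed"
    # Content negotiation: only declared media types are accepted in either direction.
    if "contentType" in method and headers.get("content-type") not in method["contentType"]:
        return 415, "unsupported content type"
    accept = headers.get("accept", "application/json")
    if accept != "*/*" and accept not in method["accept"]:
        return 406, "not acceptable"
    # Validate every incoming parameter against its declared constraint;
    # undeclared query parameters are rejected rather than silently ignored.
    if not re.match(spec["uriParameters"]["id"]["pattern"], match.group("id")):
        return 400, "invalid id"
    for name, value in req.get("query", {}).items():
        rule = spec["queryParameters"].get(name)
        if rule is None:
            return 400, f"unexpected query parameter {name}"
        if rule["type"] == "integer" and not (
            value.isdigit() and rule["minimum"] <= int(value) <= rule["maximum"]
        ):
            return 400, f"{name} must be an integer between {rule['minimum']} and {rule['maximum']}"
    return 200, "ok"


# Constructed sample traffic: one conforming request and several that violate the contract.
AUTH = {"Authorization": "Bearer example-token", "Accept": "application/json"}
SAMPLES = {
    "ok": {"method": "GET", "path": "/customers/42", "headers": AUTH, "query": {"limit": "10"}},
    "no_auth": {"method": "GET", "path": "/customers/42", "headers": {}},
    "bad_method": {"method": "DELETE", "path": "/customers/42", "headers": AUTH},
    "bad_content_type": {"method": "PUT", "path": "/customers/42",
                         "headers": {**AUTH, "Content-Type": "text/plain"}},
    "bad_id": {"method": "GET", "path": "/customers/abc", "headers": AUTH},
    "bad_limit": {"method": "GET", "path": "/customers/42", "headers": AUTH, "query": {"limit": "500"}},
    "unknown_param": {"method": "GET", "path": "/customers/42", "headers": AUTH, "query": {"debug": "1"}},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:17} -> {check_request(req)}")
```

The order of the checks matters: authentication is evaluated first, so an unauthenticated caller learns nothing about which methods or parameters the resource accepts, and undeclared query parameters are rejected outright instead of being passed through to the implementation.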
2. Secure your APIs in Transit
When data is moving, or in transit, it is vulnerable to interception and manipulation. To protect data while it is being transferred, use an encryption protocol such as TLS.
Transport Layer Security (TLS), still commonly referred to as SSL (Secure Sockets Layer), is the standard security technology that works behind the scenes to keep online transactions and logins secure. Your organisation can implement TLS in all of your Mule APIs to ensure message privacy and data integrity over the network.
You can configure TLS settings at the application level or at the API proxy level by adding a TLS Context via Anypoint Secrets Manager; this works for both API Manager and Flex Gateway. Implementing TLS would minimise vulnerabilities in your APIs, especially security misconfiguration and unsafe consumption of APIs.
3. Secure your APIs at rest
When data is at rest, it is also vulnerable to attacks. This includes not only application data but also metadata and system configuration data. Unencrypted data at rest represents a business risk as it can lead to identity theft, fraud, and theft of financial resources from employees and customers.
- Encrypt all sensitive properties in the application using a secure algorithm such as AES-256 or Blowfish. Check out more here.
- As an alternative to encrypting sensitive properties, use a vault such as Azure Key Vault, AWS Secrets Manager or Anypoint Secrets Manager to store them safely.
- Mask any sensitive properties in the logs; you can use the DataWeave mask function for this.
- Mask all your sensitive runtime properties by listing them under the secureProperties key in the mule-artifact.json file. Read more here.
Implementing this would prevent security misconfiguration.
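As an added example (not code from the article, nor MuleSoft code) of the two log-hygiene items above, the block below masks sensitive fields before they reach a log line and flags configuration properties that should have been encrypted but are still in plaintext. The key list, function names and sample data are constructed for this illustration; the ![...] wrapper is the form an encrypted value takes in a Mule secure-properties file and is used here only as a string pattern to check against.

```python
"""Masking and plaintext-secret checks for data at rest, as described in tip 3.

Added example (not from the article, nor MuleSoft code): mask sensitive
fields before they reach a log line, and flag configuration properties that
should have been encrypted. The key list, function names and sample data are
constructed for this illustration; the ![...] wrapper is the form an encrypted
value takes in a Mule secure-properties file and is used here only as a pattern.
"""
import json
import re

# Normalised key names treated as sensitive (dashes, underscores and case ignored).
SENSITIVE = {"password", "passwd", "secret", "clientsecret", "token", "accesstoken",
             "apikey", "authorization", "cardnumber", "privatekey"}
ENCRYPTED_RE = re.compile(r"^!\[.+\]$")


def is_sensitive(key):
    return key.replace("-", "").replace("_", "").lower() in SENSITIVE


def mask(value, keep=4):
    """Mask all but the last `keep` characters so a log entry stays correlatable."""
    text = str(value)
    if len(text) <= keep:
        return "*" * len(text)
    return "*" * (len(text) - keep) + text[-keep:]


def mask_sensitive(obj):
    """Return a deep copy of obj with values under sensitive keys masked."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if is_sensitive(key) and not isinstance(value, (dict, list)):
                out[key] = mask(value)
            else:
                out[key] = mask_sensitive(value)
        return out
    if isinstance(obj, list):
        return [mask_sensitive(item) for item in obj]
    return obj


def find_plaintext_secrets(properties):
    """Names of sensitive properties whose value is not in encrypted ![...] form."""
    return sorted(name for name, value in properties.items()
                  if is_sensitive(name.rsplit(".", 1)[-1]) and not ENCRYPTED_RE.match(str(value)))


def log_line(event, payload):
    """Serialise a log record; sensitive values are masked before serialisation."""
    return json.dumps({"event": event, "payload": mask_sensitive(payload)}, sort_keys=True)


# Constructed sample data.
SAMPLE_PAYLOAD = {
    "user": "alice",
    "password": "Sup3rSecret!",
    "card": {"card_number": "4111111111111111", "expiry": "12/27"},
    "sessions": [{"token": "abcdef123456", "ip": "10.0.0.5"}],
}
SAMPLE_PROPERTIES = {
    "db.user": "app",
    "db.password": "hunter2",                # plaintext: should be flagged
    "sfdc.client_secret": "![AbC123def==]",  # already encrypted: fine
    "http.port": "8081",
}

if __name__ == "__main__":
    print(log_line("login", SAMPLE_PAYLOAD))
    print("unencrypted sensitive properties:", find_plaintext_secrets(SAMPLE_PROPERTIES))
```

The masking walks nested objects and lists so a secret buried inside a sub-document is still caught, and the property check is the kind of thing worth running in a CI/CD pipeline against the properties files before deployment.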
4. Use an API Manager
Use API Manager or Flex Gateway in Anypoint Platform to take advantage of the ready-to-use policies. These policies help streamline your security process, as they let you automate and add as many policies as your organisation requires for robust security, with no changes to your API implementation code.
Using an API Manager creates a proxy to your API that stands in for the actual API. The proxy serves as the first point of contact for any external access, so every interaction is filtered by the proxy: it evaluates and authenticates each request and authorises or rejects it at the gateway. Simply put, it is like giving your API a personal bouncer.
These are the recommended security policies in API Manager.
These are the recommended security policies in Flex Gateway.
Implementing a combination of authentication and authorization mechanisms, together with request/schema validation such as the JSON/XML validation or Schema Validation policies, would prevent vulnerabilities such as broken object level authorization, broken authentication, broken function level authorization and broken object property level authorization.
It is also a recommended best practice to automate these security policies via the automated policies feature in API Manager or via CI/CD pipelines using the Anypoint Platform REST APIs. Automating them would also prevent lack of protection from automated threats.
5. Ensure your APIs are comprehensively tested
Secure your APIs by setting up different levels of testing and ensuring regular security testing:
- Unit Test
- Integration Test
- Functional/System Test
- Users/Acceptance Test
- Performance Test
Write test cases for positive and negative scenarios from a security perspective; one way to test is to try hacking your own API. Writing test cases for the authentication and authorisation mechanisms is one of the preventions that would minimise vulnerability to broken object level authorization and broken authentication.
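The block below is an added example (not code from the article, nor MuleSoft code) of the positive and negative security test cases just described, written against a deliberately small order-lookup handler with token authentication and object-level authorisation. The handler, its token table, the orders and the case names are constructed for this illustration; the point is the shape of the test list, which would be run against a real API in the same way.

```python
"""Positive and negative security test cases, as described in tip 5.

Added example (not from the article, nor MuleSoft code): a small order-lookup
handler with token authentication and object-level authorisation, plus the
cases a security-minded test suite would include. Handler, token table and
orders are constructed for this illustration.
"""

# Constructed data: opaque bearer tokens mapped to principals, and orders with owners.
TOKENS = {
    "tok-alice": {"sub": "alice", "roles": ["customer"]},
    "tok-bob": {"sub": "bob", "roles": ["customer"]},
    "tok-ops": {"sub": "ops", "roles": ["support"]},
}
ORDERS = {
    "1001": {"owner": "alice", "total": 42.0},
    "1002": {"owner": "bob", "total": 17.5},
}


def get_order(headers, order_id):
    """Return (status, body). Authentication first, then object-level authorisation."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    principal = TOKENS.get(auth[len("Bearer "):])
    if principal is None:
        return 401, {"error": "invalid token"}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    # Object-level check: a customer may only read their own orders; support may read any.
    # (Some APIs return 404 here instead of 403 so that the existence of other users'
    # objects is not confirmed; either way the test below must expect a rejection.)
    if "support" not in principal["roles"] and order["owner"] != principal["sub"]:
        return 403, {"error": "forbidden"}
    return 200, order


def run_security_cases():
    """Each case is (name, headers, order_id, expected_status); returns the list of failures."""
    cases = [
        ("positive: owner reads own order", {"Authorization": "Bearer tok-alice"}, "1001", 200),
        ("positive: support role reads any order", {"Authorization": "Bearer tok-ops"}, "1002", 200),
        ("negative: no credentials", {}, "1001", 401),
        ("negative: wrong scheme", {"Authorization": "Basic dG9rLWFsaWNl"}, "1001", 401),
        ("negative: unknown token", {"Authorization": "Bearer tok-nobody"}, "1001", 401),
        ("negative: another user's order (BOLA)", {"Authorization": "Bearer tok-alice"}, "1002", 403),
        ("negative: unknown order, unauthenticated", {}, "9999", 401),
        ("negative: unknown order, authenticated", {"Authorization": "Bearer tok-bob"}, "9999", 404),
    ]
    failures = []
    for name, headers, order_id, expected in cases:
        status, _ = get_order(headers, order_id)
        if status != expected:
            failures.append(f"{name}: expected {expected}, got {status}")
    return failures


if __name__ == "__main__":
    problems = run_security_cases()
    print("all security cases passed" if not problems else "\n".join(problems))
```

The negative cases are the ones that catch regressions: if someone later removes the ownership comparison, "another user's order (BOLA)" starts returning 200 and the suite fails, which is exactly the broken object level authorization scenario the tip is about.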
6. Secure your APIs by Setting up Proper Monitoring
As a best practice, you can enforce the Quality of Service policies in API Manager to assist with performance and monitoring of your APIs. Monitoring plays a very important role in security: most malicious attacks go unnoticed because not enough monitoring has been set up. Most activities are logged, but by default those logs do not alert or notify anyone, so it is important to set up proper monitoring.
Either create custom alerting in your APIs or set up Alerts in Runtime Manager and in API Manager.
If your organisation has a Titanium licence, you can use Log Points in Anypoint Monitoring instead of adding custom logging in your API implementation, so your API code stays cleaner and your flows focus on business functionality.
Implementing a combination of authentication/authorisation mechanisms and adding rate limiting is one of the preventions that would minimise vulnerability to broken authentication.
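As an added example (not code from the article, nor MuleSoft code) of the kind of alerting the monitoring tip calls for, the block below parses constructed gateway access-log lines and raises alerts for the two signals that authentication and rate-limiting policies produce: a burst of authentication failures from one client, and a client exceeding a request-rate threshold. The log format, thresholds and client identifiers are constructed for this illustration and do not correspond to any Anypoint log format; a real pipeline would feed the detector from Runtime Manager or API Manager logs instead.

```python
"""Alerting over gateway access-log lines, as described in tip 6.

Added example (not from the article, nor MuleSoft code): parse constructed
access-log lines and raise an alert for a burst of authentication failures
from one client and for a client exceeding a request-rate threshold. The log
format, thresholds and client identifiers are constructed for this
illustration and do not correspond to any Anypoint log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed log: one normal client, one client failing authentication five
# times in five seconds, and one client issuing 25 requests inside a minute.
SAMPLE_LOG = (
    ["2024-05-01T10:00:00Z client=10.0.0.5 GET /customers/1 200"]
    + [f"2024-05-01T10:00:{i:02d}Z client=10.0.0.9 GET /customers/{i} 401" for i in range(1, 6)]
    + [f"2024-05-01T10:01:{i:02d}Z client=10.0.0.7 GET /customers/1 200" for i in range(25)]
    + ["2024-05-01T10:05:00Z client=10.0.0.5 GET /customers/1 200"]
)


def parse(lines):
    """Return (timestamp, client, status) tuples in time order; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("client"), int(m.group("status"))))
    return sorted(events)


def detect(events, window=timedelta(seconds=60), auth_fail_threshold=5, rate_threshold=20):
    """Sliding-window detection per client; returns sorted (alert_kind, client) pairs."""
    requests = defaultdict(deque)   # timestamps of all requests per client
    failures = defaultdict(deque)   # timestamps of 401/403 responses per client
    alerts = set()
    for ts, client, status in events:
        for bucket in (requests, failures):
            q = bucket[client]
            while q and ts - q[0] > window:   # drop events that fell out of the window
                q.popleft()
        requests[client].append(ts)
        if status in (401, 403):
            failures[client].append(ts)
        if len(failures[client]) >= auth_fail_threshold:
            alerts.add(("auth_failure_burst", client))
        if len(requests[client]) >= rate_threshold:
            alerts.add(("rate_exceeded", client))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, client in detect(parse(SAMPLE_LOG)):
        print(f"ALERT {kind}: {client}")
```

Both thresholds are parameters so they can be tuned per API: a public catalogue endpoint tolerates far more requests per minute than a payment endpoint, and the authentication-failure threshold should sit well below whatever a credential-guessing run would need.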
7. Use API Governance, API Groups and Business Group
API Governance helps organisations ensure their APIs achieve and follow consistent quality and standards.
When creating a governance profile, you can choose the industry best practices your APIs should conform to.
Advantages of using API governance
1. The platform does the checks constantly.
2. It provides rulesets (recipes) for your organisation; one of the recommended ones is the OWASP API Security Top 10 2019, alongside a few other best practices.
If the rulesets your organisation requires are not among the out-of-the-box ones, you can create a custom ruleset.
The platform finds vulnerabilities in your APIs based on your organisation's or industry's best practices and notifies you, so you can plan and improve your APIs' security to follow the suggested security standards.
Using API Groups in API Manager allows you to package your APIs and resources by domain or type. You can customise instances of the group with SLAs and rate-limiting conditions based on the organisation's requirements, and you can manage the contracts within it. These groups can be published in Anypoint Exchange and shared with your team or other consumers.
Business Group in Anypoint Platform will allow you to separate teams, users and resources and isolate them from each other.
Take note that you are allowed to create up to 100 business groups per organisation.
This strategy gives you fine-grained access control, allowing users to access only the business group they belong to and the APIs and resources in that business group, which would minimise vulnerability to broken object level authorization.
You can set automated policies per Business Group and these policies will automatically be applied to all deployed APIs under that Business Group. The platform handles all the checks and automation for your organisation.
The checks and automation would prevent lack of protection from automated threats.