API Security Standards and Protocols: A Primer

Posted: November 22, 2023 | 3 min read

Recent API breaches drive home the urgency of robust security.

In the T-Mobile data breach, for example, the attackers abused a vulnerable API to pull sensitive customer data.

The incident exposed millions of users to potential identity theft and showed how much damage a single API security lapse can do. Because the attackers went in through the API itself, they obtained unauthorized access to customer records without needing any other foothold, which is why APIs need protection measures that cover authentication, authorization and data exposure, not just the transport.

This is only one publicly documented example; many API security breaches are never disclosed.

This post lists the API security standards and protocols you need to know to secure your API endpoints.

The first step in securing an API is strong authentication and authorization. In this space, SAML, OAuth 2.0 and JWT are the standards to know, along with PKCE and plain API keys.

SAML (Security Assertion Markup Language)

SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The IdP issues a digitally signed XML assertion about the user, and the SP must validate that signature before trusting it. SAML is commonly employed for single sign-on (SSO) in browser-based enterprise applications; it is rarely used to protect API calls directly, where OAuth 2.0 tokens are the norm.

OAuth 2.0 (Open Authorization)

OAuth 2.0 is a widely used authorization framework; it is not an authentication protocol. It lets a third-party application access resources on a server on behalf of a resource owner (the user), with the owner's consent and without the application ever handling the user's password. The application obtains an access token from the authorization server and presents it on each API call; the API (the resource server) validates the token and enforces the scopes it carries. Access tokens are usually bearer tokens, so anyone who captures one can use it, which is why they should be short-lived and sent only over HTTPS.

Proof Key for Code Exchange (PKCE) 

PKCE (RFC 7636) is an extension to the OAuth 2.0 authorization code flow that protects public clients, such as mobile and native applications, which cannot keep a client secret. The client generates a random code_verifier, sends its SHA-256 hash (the code_challenge) with the authorization request, and must present the original verifier when it redeems the authorization code. An attacker who intercepts the code therefore cannot exchange it for a token. Current OAuth 2.0 security guidance recommends PKCE for every client using the authorization code flow, confidential clients included.
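The exchange described above, as an added example that is not part of the original post: the client side derives the verifier and challenge exactly as RFC 7636 specifies (S256 method) and builds the authorization request, and the authorization-server side checks the verifier at the token endpoint. The endpoint, client_id and redirect_uri values are placeholders.

```python
# Added example, not code from the original post: a PKCE round trip per RFC 7636.
# Client side builds the verifier/challenge and the authorization URL; the
# authorization-server side checks the verifier when the code is redeemed.
# Endpoint, client_id and redirect_uri values are placeholders.
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes give 43 chars (allowed range is 43..128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, verifier: str) -> str:
    """Authorization request carrying the challenge; the verifier never leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # separate CSRF protection for the redirect back to the client
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization-server check at the token endpoint.

    stored_challenge and stored_method were saved alongside the authorization
    code when it was issued; presented_verifier arrives in the token request.
    """
    if stored_method != "S256":
        return False  # refuse the downgradeable 'plain' method outright
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    return secrets.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    print(build_authorization_url("https://as.example/authorize", "my-native-app",
                                  "com.example.app:/cb", "openid api.read", "xyz", v))
    print(verify_pkce(make_code_challenge(v), "S256", v))
```

The server must bind the challenge to the issued code (for example in the same record) and reject any token request whose verifier does not hash to it; a server that accepts the `plain` method lets an attacker who sees the challenge replay it as the verifier.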

JSON Web Tokens (JWT)

JWT (RFC 7519) is a compact, URL-safe format for conveying claims between parties as a signed (JWS) or encrypted (JWE) JSON object. It is widely used for authentication and information exchange, and JWTs are a common format for OAuth 2.0 access tokens and for OpenID Connect ID tokens. A JWT is only as trustworthy as its verification: the API must check the signature against the algorithm and key it expects, and validate the issuer, audience and expiry claims, rather than merely base64-decoding the payload.

API Keys

API keys are the simplest form of authentication: each user or application is assigned a unique, random key that must be included, normally in a request header, on every API call. A key identifies the calling application rather than an end user and carries no expiry or scope of its own, so keys should be treated as secrets: generated with a cryptographically secure random generator, stored hashed on the server, sent over HTTPS only, kept out of URLs and client-side code, and rotated when exposed.

The standards above are combined in Identity and Access Management platforms offered as SaaS. Two further standards those platforms build on, and which you should be familiar with, are OpenID Connect and System for Cross-domain Identity Management (SCIM).

OpenID Connect

Built on top of OAuth 2.0, OpenID Connect adds the identity layer that OAuth alone lacks. It gives clients a standard way to verify an end user's identity based on the authentication performed by the authorization server, and to obtain basic profile information. The authenticated identity is delivered in an ID token, a signed JWT whose issuer, audience, expiry and nonce the client must validate before trusting it.

System for Cross-domain Identity Management (SCIM)

SCIM (RFC 7643 and RFC 7644) solves a different problem from OpenID Connect: it is a REST and JSON standard for provisioning and deprovisioning user and group accounts across domains, so that creating, updating or disabling a user in the identity provider is propagated automatically to every connected application. It complements SAML and OpenID Connect, which handle authentication, rather than replacing them. Identity platforms such as Okta, OneLogin and Auth0 implement SAML, OpenID Connect and SCIM together and offer them as a service.

Once the authentication, authorization, and identity management are taken care of, the next step is understanding the API security protocols for secure data exchange.

HTTPS 

HTTPS, that is HTTP carried over TLS, is not an API-specific protocol, but it is the baseline for every API. It encrypts the data transmitted between the client and the server and authenticates the server, preventing eavesdropping and man-in-the-middle attacks. APIs should refuse plaintext HTTP outright rather than redirect it to HTTPS, because a redirect still lets the first request leak credentials.

Transport Layer Security (TLS) and Mutual TLS

TLS is the successor to SSL (Secure Sockets Layer) and secures communications over a network. It guarantees the confidentiality and integrity of the data exchanged between systems and, through certificates, the identity of the server. All versions of SSL and TLS 1.0 and 1.1 are deprecated (RFC 8996); APIs should require TLS 1.2 or 1.3.

Mutual TLS, also known as client-certificate authentication, has the client present a certificate as well, so the server and the client verify each other's identities during the handshake. It gives APIs strong, non-bearer authentication that suits service-to-service and partner integrations. The API must still map the validated client certificate to an identity and authorize that identity; a successful handshake alone is not an access decision.
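The mutual TLS setup above, as an added example that is not part of the original post, using Python's standard ssl module: the server context requires TLS 1.2 or later and a client certificate, the client context keeps server verification on and presents its own certificate, and a small helper turns the verified peer certificate into the identity the API will authorize. The file paths are placeholders for your own CA bundle and key pairs, and the certificate dictionary in the usage is constructed to match the shape `SSLSocket.getpeercert()` returns.

```python
# Added example, not from the original post: ssl contexts for an API that
# requires mutual TLS, plus identity extraction from the verified peer cert.
# File paths are placeholders; nothing here contacts the network.
import ssl
from typing import Optional


def api_server_context(ca_file: Optional[str] = None,
                       cert_file: Optional[str] = None,
                       key_file: Optional[str] = None) -> ssl.SSLContext:
    """Server side: require TLS 1.2+ and a client certificate chaining to ca_file."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # this single setting turns TLS into *mutual* TLS
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust only your client CA, not the system bundle
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # the API's own certificate and key
    return ctx


def api_client_context(ca_file: Optional[str] = None,
                       cert_file: Optional[str] = None,
                       key_file: Optional[str] = None) -> ssl.SSLContext:
    """Client side: server verification and hostname checking stay on; add a client cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def summarize(ctx: ssl.SSLContext) -> dict:
    """Settings worth logging at startup so that a weakened context is noticed."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def identity_from_peercert(cert: dict) -> Optional[str]:
    """Map SSLSocket.getpeercert() output to the identity the API authorizes.

    Prefer a DNS or URI SAN entry, fall back to the subject CN, and return None
    when neither exists; in that case reject the request even though the
    handshake itself succeeded.
    """
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "URI"):
            return value
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


if __name__ == "__main__":
    print(summarize(api_server_context()))
    print(summarize(api_client_context()))
    # Constructed to mirror the dict getpeercert() returns after a verified handshake.
    peer = {"subject": ((("countryName", "US"),), (("commonName", "billing-svc"),)),
            "subjectAltName": (("DNS", "billing-svc.internal"),)}
    print(identity_from_peercert(peer))
```

Wrap a listening socket with `api_server_context(...).wrap_socket(sock, server_side=True)`; a client without a certificate from the configured CA fails the handshake before any request reaches the application.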

JavaScript Object Signing and Encryption (JOSE)

JOSE is the family of standards for securing content such as JSON data at the application layer, independently of the transport. It comprises JWS (JSON Web Signature), JWE (JSON Web Encryption), JWK (JSON Web Key) and JWA (JSON Web Algorithms); a JWT is simply a JWS or JWE whose payload is a set of claims.
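This added example, which is not part of the original post, serves both the JWT section above and JOSE here: it mints an HS256 JWT, which is a JWS in compact serialization, with only the standard library, and verifies it the way an API should, pinning the algorithm, checking the MAC before trusting the payload, and validating issuer, audience and expiry. It also builds an `alg=none` token to show what strict verification rejects. The key, issuer and audience values are constructed for the example.

```python
# Added example, not from the original post: HS256 JWT (a JWS compact
# serialization) signing and strict verification with the standard library.
# Keys, issuer and audience in the usage below are constructed values.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALGS = {"HS256"}  # pin what the API expects; never take the algorithm from the token


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def sign_jwt(claims: dict, key: bytes) -> str:
    """header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    signing_input = jwt_segment({"alg": "HS256", "typ": "JWT"}) + "." + jwt_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_alg_none(claims: dict) -> str:
    """What an attacker submits to a verifier that honours the token's own alg header."""
    return jwt_segment({"alg": "none", "typ": "JWT"}) + "." + jwt_segment(claims) + "."


def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               now: Optional[int] = None) -> dict:
    """Return the claims when signature and claims check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")  # blocks alg=none and key-confusion tricks
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))  # trust the payload only after the MAC passes
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in ([aud] if isinstance(aud, str) else (aud or [])):
        raise ValueError("token not meant for this API")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    return claims


def verification_error(token: str, key: bytes, issuer: str, audience: str,
                       now: Optional[int] = None) -> Optional[str]:
    """Convenience wrapper for logging: the rejection reason, or None when valid."""
    try:
        verify_jwt(token, key, issuer, audience, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key; use >= 32 random bytes in practice
    now = int(time.time())
    tok = sign_jwt({"sub": "alice", "iss": "https://idp.example", "aud": "orders-api",
                    "iat": now, "exp": now + 600}, key)
    print(verify_jwt(tok, key, "https://idp.example", "orders-api"))
    print(verification_error(forge_alg_none({"sub": "admin"}), key, "https://idp.example", "orders-api"))
```

For asymmetric algorithms (RS256, ES256) the same structure applies with a public key, and the `ALLOWED_ALGS` pin becomes even more important: a verifier that accepts both HS256 and RS256 with one key object can be tricked into using the public key as an HMAC secret.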

Cross-Origin Resource Sharing (CORS)

CORS is a browser mechanism that relaxes the same-origin policy: it lets a web page on one origin read responses from an API on another origin, but only when the API opts in through Access-Control-* response headers. Configuring those headers carefully matters because a permissive policy (reflecting any Origin, or combining a wildcard with credentials) lets a malicious site make authenticated requests to the API from a victim's browser and read the responses. CORS is enforced only by browsers, so it is not an access control for the API itself: non-browser clients ignore it entirely, and every request still needs authentication and authorization.
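The misconfiguration and its fix, as an added example that is not part of the original post: `cors_headers_weak` reproduces a common mistake (a suffix match on the Origin header combined with credentials), and `cors_headers` is the corrected exact-match allowlist. The origins and the allowed methods and headers are constructed for the example.

```python
# Added example, not from the original post: computing CORS response headers
# for an API. The weak variant shows a common misconfiguration; the corrected
# variant uses an exact-match allowlist. Origins below are constructed.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_headers_weak(request_headers: dict) -> dict:
    """Misconfigured: 'https://evil-example.com' ends with 'example.com', gets reflected
    with credentials allowed, and can therefore read authenticated responses."""
    origin = request_headers.get("Origin", "")
    if origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers(request_headers: dict, allowed=ALLOWED_ORIGINS) -> dict:
    """Exact-match allowlist; unknown or 'null' origins get no CORS headers at all."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser request: nothing to add
    parts = urlsplit(origin)
    canonical = f"{parts.scheme}://{parts.netloc}"
    if canonical != origin or canonical not in allowed:
        return {}  # the browser will then block the page from reading the response
    headers = {
        "Access-Control-Allow-Origin": origin,  # echo the matched origin; never '*' with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop caches serving one origin's header to another
    }
    if request_headers.get("Access-Control-Request-Method"):  # preflight request
        headers.update({
            "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
            "Access-Control-Allow-Headers": "Authorization, Content-Type",
            "Access-Control-Max-Age": "600",
        })
    return headers


if __name__ == "__main__":
    attacker = {"Origin": "https://evil-example.com"}
    print("weak:", cors_headers_weak(attacker))
    print("fixed:", cors_headers(attacker))
    print("legit preflight:", cors_headers({"Origin": "https://app.example.com",
                                            "Access-Control-Request-Method": "PUT"}))
```

Note that the corrected version returns no headers for a rejected origin rather than an error: the request may still be served (the API's own authentication decides that), but the browser will not let the foreign page read the response.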

CBOR Object Signing and Encryption (COSE)

COSE (RFC 9052) is the binary counterpart of JOSE: a set of standards for signing and encrypting data structures encoded in Concise Binary Object Representation (CBOR). It is used where compactness matters, such as IoT APIs, CBOR Web Tokens (CWT) and the credential and key formats in WebAuthn/FIDO2.

Hash-based Message Authentication Code (HMAC) 

HMAC is a method for generating a message authentication code (MAC) from a cryptographic hash function and a secret key. It is often used to verify the integrity and authenticity of API messages: the sender computes the MAC over the request and the receiver recomputes it with the same secret and compares the two in constant time.

Combining API keys with HMAC gives a stronger scheme than sending the key itself. The key identifier travels in the clear, the secret never leaves the two parties, and the signature covers the method, path, body, a timestamp and a nonce, so tampered or replayed requests are rejected.
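The API key plus HMAC scheme just described, as an added example that is not part of the original post: the client signs a canonical form of the request with HMAC-SHA256, and the server looks up the secret by key identifier, rejects stale timestamps and repeated nonces, and checks the signature in constant time. The key store, header names and sample request are constructed for the example.

```python
# Added example, not from the original post: API-key identifier + HMAC-SHA256
# request signing, with clock-skew and replay checks on the server side.
# Header names, key store and the sample request are constructed values.
import hashlib
import hmac
import secrets
import time
from typing import Optional


def canonical_request(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """What both sides MAC: method, path, timestamp, nonce and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode("utf-8")


def sign_request(key_id: str, secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None, nonce: Optional[str] = None) -> dict:
    """Client side: only the key id and the MAC go over the wire, never the secret."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical_request(method, path, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"X-Api-Key": key_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


class RequestVerifier:
    def __init__(self, keys: dict, max_skew: int = 300):
        self.keys = keys          # key_id -> secret bytes (production: HSM/vault-backed store)
        self.max_skew = max_skew  # seconds of clock drift tolerated
        self.seen = set()         # (key_id, nonce); prune entries older than max_skew

    def verify(self, headers: dict, method: str, path: str, body: bytes,
               now: Optional[int] = None) -> str:
        """Return 'ok' or the reason the request is rejected."""
        key_id = headers.get("X-Api-Key", "")
        secret = self.keys.get(key_id)
        if secret is None:
            return "unknown key"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return "bad timestamp"
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.max_skew:
            return "stale request"
        nonce = headers.get("X-Nonce", "")
        if not nonce or (key_id, nonce) in self.seen:
            return "replay"
        expected = hmac.new(secret, canonical_request(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return "bad signature"
        self.seen.add((key_id, nonce))  # record the nonce only for requests that verified
        return "ok"


if __name__ == "__main__":
    keys = {"key_demo": bytes(range(32))}  # constructed key store
    verifier = RequestVerifier(keys)
    body = b'{"amount": 10}'
    headers = sign_request("key_demo", keys["key_demo"], "POST", "/v1/payments", body)
    print(verifier.verify(headers, "POST", "/v1/payments", body))   # ok
    print(verifier.verify(headers, "POST", "/v1/payments", body))   # replay
```

Because the body hash is part of the canonical string, the signature also detects an altered payload, which a bare API key never can; the `seen` set stands in for whatever shared store (a cache with TTL, for instance) a multi-instance API would use for nonces.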

X.509 Certificates

X.509 is the standard certificate format used by public-key infrastructure (PKI): a certificate binds a public key to an identity and is signed by a certificate authority. X.509 certificates are what TLS uses to authenticate servers, and clients as well in mutual TLS; they can also be referenced from a JWS or JWT header (x5c or x5t) to identify the signing key.

This article has covered the standards and protocols; a companion article covers 12 ways to secure APIs against attacks.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.


Phani Deepak Akella, Head of Marketing

Phani heads the marketing function at Indusface. He handles product marketing and demand generation. He has worked in the product marketing function for close to a decade and specializes in product launches, sales enablement and partner marketing. In the application security space, Phani has written about web application firewalls, API security solutions, pricing models in application security software and many more topics.
