REST API Security: How dotCMS APIs are SecuredAug 17, 2021
The world is becoming increasingly reliant on API-based software and digital services. According to recent research from Cloud Elements, 83% of surveyed IT executives consider API integration to be critical to their business strategy. 77% of these executives have also invested in API management.
REST APIs have become ubiquitous in every industry including healthcare, finance, government, and retail. That’s why ensuring API security has become one of the most important considerations when designing modern applications. If REST API security isn’t taken seriously you will face potential security risks. In this article, we’ll take a look at API and specifically REST API security as well as share some best practices to keep your APIs safe from cybercriminals.
The Role of APIs In Business
According to Gartner, an API (Application Programming Interface) is an interface that “provides access to service functionality and data within an application or a database.” In a restaurant, for example, the kitchen would be the system where your order gets prepared and the API is the waiter that gets your order and serves you your food.
APIs make it easier to integrate and connect people, places, systems, and data to create digital experiences, share data, and authenticate people and services. APIs enable interconnectivity regardless of the users’ platform and data structures. This potential has led businesses to realize that APIs are, in fact, critical components of every enterprise software solution out there. This has created the API economy which refers to the business models and practices that APIs —along with the digital transformation— have created in modern business environments.
In fact, the impact of APIs as business drivers can be felt in three different ways:
- For the consumer: The shift from single-channel experiences to omnichannel experiences has created a need for APIs to connect these devices.
- For developers: APIs have made possible the shift from the monolithic architecture to an API-first and microservices-based software architecture.
- For infrastructures: APIs make cloud deployment possible and facilitate quick data provisioning with faster outcomes when compared to on-premise deployment.
One of the central tenets of the API economy involves exposing a company’s digital services and assets through APIs in a controlled manner. Here’s where API security becomes a concern: If APIs are important as a business driver, then their security shouldn’t be an afterthought. Let’s take a closer look at the concept of API security.
What Is API Security?
We’re living in an increasingly connected world. According to Akamai, API calls make up for 80% of overall internet traffic. Since an API exposes an interface to a web application, they operate on two levels. Firstly, they act as a bridge between you and the interface. Secondly they access both the application and the database. This gives cybercriminals two potential attack surfaces to gain access to your assets.
Therefore, you need to think of API security in two layers: the API and application layers.
- On the API layer, you need proper authentication, authorization, and access privileges to ensure that only people with the right credentials can use your interface and they can only execute the applications that you allow them to access.
- You need to ensure that your application endpoints (the URLs you’re using to access the API interface) aren’t vulnerable to cyberattacks that could extend beyond the interface on the application layer.
As we mentioned earlier, businesses use APIs to connect services and transfer data. Broken, exposed, or hacked APIs can expose medical, financial, and personal data. However, API security depends on the kind of data that’s being transferred.
For instance, REST APIs use HTTP and support Transport Layer Security (TLS) encryption, a standard encryption that keeps your internet connection secure, and checks that the data shared between the two systems and APIs are encrypted and unmodified. This means that if someone is trying to access your information or expose your details, they won’t be able to.
Why Do APIs Get Attacked?
Before APIs, legacy IT security practitioners secured the whole system and the perimeter using firewalls. Now with the API economy and cloud infrastructure, there is no traditional security perimeter. APIs are the last line of defense making them a juicy target for cybercriminals.
In fact, a recent report on API security conducted by Salt Security found that 91% of the companies surveyed suffered an API security breach last year and that 54% of them reported vulnerabilities. 40% of those vulnerabilities pointed to authentication issues, and 20% were caused by malicious software bots and data scraping tools.
Hackers have long used forged or stolen credentials to exploit applications on the internet. In this respect, APIs provide another avenue to apply the same attacks. However, APIs also open unique attack vectors leveraging identity. A number of these attacks exploit standard bad practices originating in the web app development community.
As developers move into API development, they often bring bad habits from conventional web development. Other attacks result from widespread confusion about how APIs differ from traditional web app development. Many applications publishing APIs require clients to use an API key to access their functionality.
Now that you know the importance of API security and why APIs are such an important attack vector, let’s see how you can protect yourself against cyberattackers by following some API security best practices.
API Security Best Practices
Take these security best practices into account every time you’re designing or using APIs.
- Always Use HTTPS: HTTPS is a secure protocol that generates a random access token every time you enter a website, and a session is created. That way, your session stays private and safe from cybercriminals every time you access a site. If you notice you’re accessing an HTTP site, be careful as it might introduce unwanted vulnerabilities into your system.
- Use Password Hash: Protecting your passwords and login data using hashing helps you keep your system safe and minimize the damages a hacker might do. Consider different hashing algorithms such as PBKDF2, bcrypt, and scrypt to keep your APIs and login data secure from evil eyes.
- Never Expose Information On Your URLs: Sometimes, usernames, passwords, session tokens, and API keys may appear in the API call’s URL. This kind of information presents a vulnerability that can be captured in web server logs, which makes them easily exploitable by hackers.
- Leverage OAuth: OAuth enables you to connect to other services without using a password. Using OAuth for your APIs helps keep them secure because the consumer isn’t giving their credentials to the server. Instead it gives the API a token provided by a third party, preventing the consumer from disclosing their information while at the same time protecting the API provider from malicious attacks looking to steal API users’ information.
- Use A Secure CMS: A secure CMS like dotCMS takes care of all these details for you, giving you the peace of mind you need to focus on your business and direct your IT time to higher-value tasks. A CMS helps you control access to your APIs and gives you the tools to rapidly handle your API requests, define endpoints, and manage authentication for REST and GraphQL APIs.
How dotCMS Ensures Your API Security
dotCMS gives you control over your APIs, enabling you to take part in every step of the process including API design, security, versioning and retiring. Due to its API-first approach, it also gives you the ability to leverage APIs for your content delivery needs.
API security breaches can be scary but you can protect yourself using a CMS like dotCMS. dotCMS provides modern tooling that allow responsible developers and administrators to deliver the most secure content managed sites and content applications available. dotCMS is primarily concerned with security issues that arise from the dotCMS tooling itself, the admin console, and related web services.
Your platform’s security is of the utmost importance to dotCMS, our user community, and our customers. dotCMS strives to ensure the safety and integrity of all dotCMS installations and has processes in place to ensure all security issues are promptly addressed, and customer exposure is minimized.
Leveraging APIs and making use of dotCMS’ API architecture is worth the effort. Knowing how to protect yourself against malicious actors will make a huge difference in your API security. A headless CMS like dotCMS can help you cover your blind spots so you can focus on growth. Read more about our security policies and practices here: Security Best Practices in dotCMS.