Full disclosure, I work for an auth provider, FusionAuth, which generates tokens which are often used as authentication for APIs.
APIs are usually public (exposed to the Internet). This is why issues in authentication, authorization, configuration are commonly exploited.
That might be ok if you are Stripe and you have tens of millions of dollars of people and infrastructure to mitigate the risk of that Internet exposure. But what if you are not Stripe?
For example, you are a small team inside a financial services company and you need to expose your data (via APIs) to other teams (or to B2B partners), and your enviros are in different private or public DCs.
Historically, teams in those situations used private networks or semi-private networks - VPN, MPLS (ExpressRoute, DirectConnect), private mobile APN, whitelisted IPs, etc. But that's slow, costly and expensive with massive numbers of distributed API clients.
One answer to the above dilemma seems to be reactive API solutions. Constant scanning and reaction to problems. Great visibility. Quarantining. Etc. And of course doing your best to avoid auth issues, misconfigs etc. Is this generally the path which works for teams in that situation?
We’re actually working on our own API security feature and OWASP Top 10 is where we started. The problem is - it’s almost impossible to automate some of those checks without human input. So we’re working to make it as smooth as possible
I can tell you the origin story of it, maybe you like it more. I was sitting on my balcony with my cofounder and we were thinking of names that had .com free and no registered TM. As you might imagine the list was pretty short. We had names like apilogger.com, apicapture.com, restlerr.com, apigga.com
We thought that it would be cool to have something with treble (high pitch sound, opposite to bass) but the domain was taken. I also liked it because it was in the same keystroke as Trello and I associate Trello with productivity. So we added another L and took home the win :)
I was pretty disappointed by this article. I was part of a webinar on API security last year and that was deeper than this ( https://www.youtube.com/watch?v=W3-UH5A3Y8Y ) and it was a webinar :) .
The article did a good job of talking about the risks of API security, but other than a passing mention of OWASP and authentication (what does MFA with APIs even look like?) it didn't dive deep.
Things to think about when securing your APIs:
- OWASP API Top 10 is a great starting point: https://owasp.org/www-project-api-security/ even though it hasn't been updated since 2019.
- Think about rate limiting, which requires you to understand your typical usage. You will have to tune this.
- Prefer token based solutions for authentication rather than API keys. API keys are easier to understand and implement, but tokens are self-expiring and can contain more information. OAuth2 is the go-to standard for this, but even a custom token solution is better than API keys (looking at you AWS: https://www.youtube.com/watch?v=tPr1AgGkvc4 )
- Build in defense in depth. If you can lock down access at the network level, do so. Use granular permissions. Build in auditability so that you know which users made which requests.
- Educate the business on the risks. The article had some good examples. It's not just about PII being lost, it's also about access being denied and even public information being scraped in an unintentional manner.
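The token-vs-API-key, rate-limiting and auditability points in the comment above, as an added example that is not part of the original post and is not FusionAuth's code or an OAuth2 implementation: a hypothetical HMAC-SHA256 signed bearer token that names its caller, carries scopes and expires on its own, a per-caller token bucket whose two parameters (burst capacity and sustained refill rate) are the values the comment says you will have to tune, and an audit record written for every decision. The `SECRET` value, the `<claims>.<sig>` token layout, the scope names and all function names are assumptions made for this example.

```python
# Added example (not FusionAuth's code and not an OAuth2 implementation): a
# hypothetical self-expiring bearer token, a per-caller rate limiter and an
# audit record per request. SECRET, the token layout and all names are
# assumptions made for this example.
import base64
import hashlib
import hmac
import json
from typing import Optional

# Server-side signing key, constructed for the example; never ships to clients.
SECRET = b"example-signing-key-rotate-me"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl_seconds: int, now: float) -> str:
    """Mint '<claims>.<sig>'. Unlike a static API key, the token names its
    caller, carries scopes and stops working at 'exp' without a revocation list."""
    claims = {"sub": subject, "scope": sorted(scopes), "exp": int(now) + ttl_seconds}
    body = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64e(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature checks out and the token has not
    expired; None otherwise. The signature is checked before the body is parsed."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):  # constant-time compare
            return None
        claims = json.loads(_b64d(body))
    except ValueError:  # malformed base64/JSON, or no '.' separator
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


class TokenBucket:
    """Per-subject token bucket. capacity (burst) and refill_per_second
    (sustained rate) are the two knobs that need tuning against real traffic."""

    def __init__(self, capacity: int, refill_per_second: float):
        self.capacity = capacity
        self.refill = refill_per_second
        self._state = {}  # subject -> (tokens_left, last_seen)

    def allow(self, subject: str, now: float) -> bool:
        tokens, last = self._state.get(subject, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill)
        if tokens < 1.0:
            self._state[subject] = (tokens, now)
            return False
        self._state[subject] = (tokens - 1.0, now)
        return True


def handle_request(token: str, required_scope: str, limiter: TokenBucket,
                   now: float, audit: list) -> int:
    """Authenticate, authorise, rate-limit, and record who asked for what.
    Returns an HTTP-style status code."""
    claims = verify_token(token, now)
    sub = claims["sub"] if claims else None
    if claims is None:
        status = 401  # bad signature, malformed, or expired
    elif required_scope not in claims["scope"]:
        status = 403  # authenticated, but this token was not granted the scope
    elif not limiter.allow(sub, now):
        status = 429  # over the per-caller budget
    else:
        status = 200
    # Every decision is logged with the caller identity so requests are attributable.
    audit.append({"t": now, "sub": sub, "op": required_scope, "status": status})
    return status


if __name__ == "__main__":
    T0 = 1_700_000_000.0  # fixed clock so the run is reproducible
    tok = issue_token("alice", ["orders:read"], ttl_seconds=60, now=T0)
    limiter = TokenBucket(capacity=3, refill_per_second=1.0)
    log = []
    for _ in range(4):  # fourth call in the same second trips the limiter
        handle_request(tok, "orders:read", limiter, T0, log)
    handle_request(tok, "orders:write", limiter, T0 + 2, log)  # scope not granted
    handle_request(tok, "orders:read", limiter, T0 + 61, log)  # token expired
    for entry in log:
        print(entry)
```

The signature is verified before the claims are parsed, so an attacker who swaps the claims body onto another caller's signature gets a 401 rather than a parser error, and the expiry check means a leaked token dies on its own where a leaked API key lives until someone notices and rotates it.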