The API Security Checklist

API services are not a new thing. These days, they’re pretty much everywhere – API solutions are used in pretty much all industries ranging from automobiles to information security. Even BreachDirectory has an API service available for use – the features provided by the API let companies and individuals protect their staff and themselves from data breaches and identity theft, however, no matter what kind of API is being used, all APIs need to be built in a safe and secure fashion. In this blog, we will provide you with a checklist that will help you ensure that the API your company finds itself using is secure.

The Basics First

First, the basics – no API is going to be secure if the service it’s backed doesn’t use SSL. Ensure the website or application that provides the API follows industry-standard security practices: that might mean it’s using a WAF to protect itself from attacks, compliance with ISO 27001, etc.

Once you’ve got the basics out of the way, it’s time to investigate the offerings of the company itself. What is the company offering? What problems are solved by the software it builds? Who are its clients? Answer these questions, and the problems solved by the software that is being built should inevitably lead you towards the API offering. Investigate the API: check its documentation, ask around. Consider whether the problem it solves helps your use case as well – for example, the API provided by BreachDirectory solves the problem of identity theft by archiving loads of data breaches in one place and letting people search through them all at once by either scanning one account or using a bulk API scanner. The BreachDirectory API will provide you with results that will let you secure yourself, your employees, your loved ones, and yourself.

Other companies might solve different problems – dig into the problems solved by them, then proceed further.

The Security Checklist

Now for the security checklist itself. After you’ve investigated the API offering, make sure the API is also:

• Not providing unnecessary data – the whole point of API solutions is to provide data, but if the API provides way too much sensitive or unnecessary data, that’s not a very good sign. If that’s the case, please investigate the root cause of this issue.
• Ensure that the API is built and developed securely – that can be done by simply reading up on the documentation surrounding the API, or asking people who have already used the service.
• Ensure that the API is protected from abuse – check if the API is rate limited, read through its documentation, and ensure the API is safe to use.
• If you’re a developer building the API, be mindful of security misconfiguration and follow industry-standard best practices while building the API. Security misconfiguration is one of the most frequent security risks targeting APIs as a whole.
• Keep being mindful of the threats posed by insufficient logging and monitoring – keeping logs should help you to always be aware of the threats posed to the API. The implications of both insufficient logging and monitoring and security misconfiguration being exploited can be rather huge, so keep those flaws in mind at all times.
• If necessary, encrypt data – this point goes back to using TLS when necessary. Be exceptionally mindful about personally identifiable data like email addresses, usernames, IP addresses, and other data classes. If you allow users to decrypt or modify the data, ensure that only authorized users are allowed to do that.
• Trust nothing – never trust any input from the side of the user. This can be stated not only about API services but about security on the web in general: the less we trust the user, the less likely an attack becomes.
• Validate all parameters – validation goes hand-in-hand with the zero-trust philosophy. By validating all parameters that are offered to your users by the API you ensure that nothing malicious passes through.
• Consider using industry-standard application security firewalls (WAFs), IDS, or IPS systems – such systems help us either detect or prevent breaches, so if your API (or the application in general) is attacked, you will be the first to know. Familiarize yourself with the Defense in Depth principle – doing so will surely be a great start.
• Keep an eye on the application that is providing the API – make sure it’s secure and user data is kept safe from prying eyes as well.

Follow the steps outlined above, and your application should be well on the way to API security heaven. If you’ve enjoyed reading this blog post, we are certain that your company and its employees will make good use of the API provided by BreachDirectory – give it a go, make sure to follow us on Twitter and LinkedIn, and until next time!