What is a REST API?
The concept of Representational State Transfer (REST) dates back to a 2000 doctoral dissertation by computer scientist Roy Fielding. In the decades since then, REST APIs, sometimes referred to as RESTful APIs, have evolved to become a very popular API architecture model for web and mobile applications, as well as business-to-business applications and organizations’ internal systems.
While other API approaches such as SOAP, GraphQL, and gRPC are also used in many implementations, REST APIs are the most widely used, mostly due to their ease of implementation. A REST API design is very easy for modern front-end frameworks to consume, making it a popular choice for web applications, mobile applications, and many internal and B2B API implementations.
What are REST API Security Best Practices?
While REST APIs can be implemented in a highly secure and resilient manner, there are a number of foundational API security standards that are critical to any implementation. The following are some of the best ways to build security into a REST API design.
- Always use TLS encryption
As with other types of sensitive HTTP traffic, using TLS for RESTful APIs will ensure that all communication between the API consumer and the API endpoint is encrypted. This is as important for REST API security as for web app security, since the resulting HTTP traffic includes sensitive authentication details, such as passwords, API keys, or tokens.
- Implement a sound and scalable authentication and authorization model
Many different techniques can be used to manage access to REST APIs. The most commonly used are API keys and security tokens. Managing keys and tokens can be quite complex. This often leads to unintentional REST API security vulnerabilities. This risk can be mitigated by integrating with an OAuth2-compatible identity management provider for authentication and issuance of access tokens. A centralized API gateway can also be used to standardize and de-risk your REST API security approach.
- Don’t include sensitive information in URLs
A common REST API design flaw is the inclusion of sensitive information, including user credentials, keys, or tokens, in URLs. Even when TLS is in use, this information is still easy for threat actors to discover. URLs are also frequently logged by various servers and networking devices along the API request’s data path, resulting in further data leakage if the URLs include sensitive information.
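A practical way to check for this flaw is to audit the URLs that do get logged. The following is an added example, not code from the original article: it flags URLs that carry credential-like material in the query string, path segments or userinfo. The sensitive parameter names, value patterns and sample URLs are all constructed assumptions.

```python
# Added example (not from the original article): flag URLs, as captured in
# gateway or proxy logs, that carry credential-like material in the query
# string, path, or userinfo. Parameter names and sample URLs are constructed.
import re
from urllib.parse import parse_qsl, urlsplit

# Names that should never travel in a URL; extend with your own API's names.
SENSITIVE_PARAMS = {
    "password", "passwd", "secret", "api_key", "apikey", "key", "token",
    "access_token", "refresh_token", "session", "sessionid", "auth",
}
# Value shapes that look like credentials under any name: a JWT (three
# base64url segments) or a long opaque hex / base64 blob.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$")
OPAQUE_RE = re.compile(r"^[A-Fa-f0-9]{32,}$|^[A-Za-z0-9+/=_-]{40,}$")

def find_url_secrets(url):
    """Return the reasons this URL looks like it carries a secret ([] if none)."""
    findings = []
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"sensitive parameter name in query: {name}")
        elif JWT_RE.match(value):
            findings.append(f"JWT-shaped value in query parameter: {name}")
        elif OPAQUE_RE.match(value):
            findings.append(f"opaque credential-like value in query parameter: {name}")
    # Credentials also end up as path segments, e.g. /v1/users/<token>/profile.
    if any(JWT_RE.match(seg) for seg in parts.path.split("/")):
        findings.append("JWT-shaped value in path")
    # user:password@host in the URL is a credential leak as well.
    if parts.password is not None:
        findings.append("userinfo credentials embedded in URL")
    return findings

def audit_urls(urls):
    """Return {url: findings} for every URL with at least one finding."""
    return {u: f for u in urls if (f := find_url_secrets(u))}

if __name__ == "__main__":
    sample = [  # constructed, not real traffic
        "https://api.example.com/v1/orders?limit=20&page=2",
        "https://api.example.com/v1/orders?api_key=CONSTRUCTED_KEY_VALUE",
        "https://api.example.com/v1/login?user=alice&password=hunter2",
        "https://alice:hunter2@api.example.com/v1/me",
    ]
    for url, why in audit_urls(sample).items():
        print(url, "->", "; ".join(why))
```

Because TLS does not hide the URL from the servers and devices that log it, running a check like this over access logs is a cheap way to find an offending API before its logs leak further.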
- Narrowly define allowed RESTful API requests and responses
Assume that threat actors will attempt to use APIs in malicious or unintended ways, and therefore never implicitly trust RESTful API requests. One of the most important steps is to validate attributes such as the format, length, and type of any parameters or objects. You should also tightly govern what the REST API will accept and return: for example, limit requests to explicitly allowed HTTP methods, such as GET, PUT, and POST, and limit responses to explicitly allowed content types.
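The following is an added example, not code from the original article, of what such an allowlist looks like in practice: a validator for a hypothetical /v1/orders endpoint that rejects any method, content type or parameter that is not explicitly permitted, and also rejects unknown fields rather than silently ignoring them. The endpoint, its schema and the parameter rules are assumptions made for the example.

```python
# Added example (not from the original article): allowlist validation of method, content type and parameters.
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ParamRule:
    type: type                  # expected Python type after JSON decoding
    max_len: int | None = None  # cap on string length
    pattern: str | None = None  # regex the whole value must match
    required: bool = True

# Assumed schema for a hypothetical /v1/orders endpoint, not a real API definition.
ORDERS_SCHEMA = {
    "methods": {"GET", "POST"},
    "request_types": {"application/json"},
    "response_types": {"application/json"},
    "params": {
        "customer_id": ParamRule(str, max_len=36, pattern=r"[0-9a-fA-F-]{36}"),
        "quantity": ParamRule(int),
        "note": ParamRule(str, max_len=200, required=False),
    },
}

def validate_request(schema, method, content_type, accept, body):
    """Return a list of violations; an empty list means the request is allowed."""
    errors = []
    if method not in schema["methods"]:
        errors.append(f"method not allowed: {method}")
    # Drop parameters such as "; charset=utf-8" before comparing the media type.
    if content_type.split(";")[0].strip() not in schema["request_types"]:
        errors.append(f"content type not allowed: {content_type}")
    if accept not in schema["response_types"]:
        errors.append(f"response type not allowed: {accept}")
    # Unknown fields are rejected, not ignored, so nothing outside the schema reaches the handler.
    errors += [f"unexpected parameter: {n}" for n in body if n not in schema["params"]]
    for name, rule in schema["params"].items():
        if name not in body:
            if rule.required:
                errors.append(f"missing parameter: {name}")
            continue
        value = body[name]
        # bool subclasses int in Python, so int fields must reject True/False explicitly.
        if not isinstance(value, rule.type) or (rule.type is int and isinstance(value, bool)):
            errors.append(f"wrong type for {name}: {type(value).__name__}")
        elif rule.max_len is not None and len(value) > rule.max_len:
            errors.append(f"{name} exceeds max length {rule.max_len}")
        elif rule.pattern is not None and not re.fullmatch(rule.pattern, value):
            errors.append(f"{name} does not match required format")
    return errors
```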
- Implement continuous API discovery capabilities
Even organizations that adhere to REST API security best practices can be caught by surprise by shadow APIs that were implemented outside of normal processes or forgotten zombie APIs in legacy infrastructure that hasn’t yet been decommissioned. It’s therefore essential to implement continuous, enterprise-wide API discovery capabilities.
The best way to ensure that a complete inventory for all APIs exists is by collecting data from all available sources of API activity information. Examples include:
- API gateways
- Content delivery networks
- Cloud provider logs
- Log management systems
- Orchestration tools
Analyzing this data for evidence of API activity will ensure that your security team is aware of all APIs in use across the enterprise. Any unexpected REST APIs that are discovered can then be decommissioned or brought into a formalized inventory with the appropriate REST API best practices applied.
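The following is an added example, not code from the original article, of the reconciliation step described above: it parses constructed log lines from three of the sources listed (an API gateway, a CDN and a cloud load balancer), normalises paths into route templates, and compares the observed routes against a declared inventory to surface shadow APIs and candidate zombie APIs. The log formats, the inventory and the regexes are assumptions for the example.

```python
# Added example (not from the original article): build an API inventory from
# several log sources and reconcile it against the declared inventory.
# All log lines and the declared routes below are constructed samples.
import re
from collections import defaultdict

# Constructed samples in three formats: API gateway, CDN, and cloud LB logs.
GATEWAY_LOG = [
    '2024-05-01T10:00:01Z GET /v1/orders/1842 200 api-gw',
    '2024-05-01T10:00:07Z POST /v1/orders 201 api-gw',
]
CDN_LOG = [
    'cdn 2024-05-01T10:01:00Z "GET /v1/users/77/profile" 200',
    'cdn 2024-05-01T10:01:03Z "GET /v2/users/77/profile" 200',
]
CLOUD_LB_LOG = [
    '{"t":"2024-05-01T10:02:00Z","m":"GET","p":"/internal/debug/config","s":200}',
]

# Declared inventory (what the organisation believes it exposes).
DECLARED = {("GET", "/v1/orders/{id}"), ("POST", "/v1/orders"),
            ("GET", "/v1/users/{id}/profile"), ("DELETE", "/v1/orders/{id}")}

SOURCES = [
    ("gateway", GATEWAY_LOG, re.compile(r"\S+ (?P<m>[A-Z]+) (?P<p>\S+) \d+")),
    ("cdn", CDN_LOG, re.compile(r'"(?P<m>[A-Z]+) (?P<p>\S+)"')),
    ("cloud_lb", CLOUD_LB_LOG, re.compile(r'"m":"(?P<m>[A-Z]+)","p":"(?P<p>[^"]+)"')),
]

def normalise(path):
    """Collapse numeric and UUID segments so /v1/orders/1842 -> /v1/orders/{id}."""
    path = path.split("?")[0]
    return re.sub(r"/(\d+|[0-9a-fA-F-]{36})(?=/|$)", "/{id}", path)

def build_inventory(sources=SOURCES):
    """Return {(method, route): set(source names)} observed across all logs."""
    seen = defaultdict(set)
    for name, lines, pattern in sources:
        for line in lines:
            m = pattern.search(line)
            if m:
                seen[(m["m"], normalise(m["p"]))].add(name)
    return seen

def reconcile(observed, declared=DECLARED):
    """Split into shadow routes (live but undeclared) and zombie candidates (declared but unseen)."""
    shadow = {r: s for r, s in observed.items() if r not in declared}
    zombie = declared - set(observed)
    return shadow, zombie
```

Routes that appear only in one source (here, the undeclared /v2 profile route seen only at the CDN, and the internal debug route seen only at the load balancer) are exactly the ones a gateway-only inventory would miss, which is why the text recommends collecting from every source.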
What are advanced REST API Security Best Practices?
While implementing a set of foundational security standards in your REST API design is an essential first step, these steps alone will not keep your applications 100 percent safe. Many threat actors have developed advanced techniques for circumventing baseline RESTful API security measures. After all, not every REST API security attack has the aim of breaching the web application infrastructure.
In many cases, the goal is simply to use API functionality in unintended ways to access sensitive data and gain a competitive advantage. These activities may originate from trusted sources, such as customers or partners who have been granted access to REST APIs. Credentials, keys, and tokens can also be stolen or hijacked, allowing threat actors to advance similar activities beyond your baseline REST API security standards.
The following advanced REST API security best practices can be used to provide added protection against these more sophisticated forms of API abuse.
- Use the cloud to collect large sets of REST API security data
Many first-generation API security techniques operate on-premises. As a result, they are limited to analyzing very short windows of activity, after which the API data is discarded. This is ineffective, since many types of API abuse are conducted in a “low and slow” manner over weeks – or even months. Sending API activity data to the cloud unlocks the scale needed to store API details spanning a month or more, which opens the door to more sophisticated analysis techniques.
- Apply behavioral analytics to your REST API data
Once you have a meaningful quantity of REST API activity information, you can also tap into the computing scale of the cloud to perform behavioral analytics. The first way that this enhances your REST API security strategy is by identifying the entities involved, so you have greater context. Entities may include users, as well as meaningful business processes.
Once you have this context, you can baseline normal patterns of usage for your APIs. From there, you can perform further analysis to spot anomalies. This type of anomaly detection is the best way to spot abuse, particularly when it originates from authenticated users.
- Provide insights about REST API usage to development and operations teams
One of the best ways to protect your organization from REST API security vulnerabilities is by avoiding them to begin with. Sharing information about how your RESTful APIs are being used – and abused – with your developers and operations personnel will help your organization “shift left” with better REST API security practices early in the development and implementation processes.
- Conduct proactive REST API threat hunting activities
It is important not to wait until REST API abuse escalates into a high-severity security incident to act. Proactively investigating REST API usage and looking for attempts at abuse – even if they are unsuccessful – will help you find weaknesses in your REST API security practices. Examining API usage activity is also an effective way to uncover the presence of REST API security vulnerabilities, such as those outlined in the OWASP API Top 10. Finding and eliminating these vulnerabilities before threat actors can exploit them is one of the most effective ways to enhance your REST API security posture.
Ready to get started?
Neosec helps some of the world’s most recognized organizations implement both foundational and advanced REST API security best practices. From API discovery to behavioral analytics to managed threat hunting, our 100 percent cloud-based approach will help you accelerate your REST API security efforts.
Interested in learning more? Visit neosec.com to request a free trial today.