https://nordicapis.com/9-questions-for-top-level-api-security-auditing/ 1/14
6/19/2020 9 Questions for Top-Level API Security Auditing | Nordic APIs |
One of the most important things any API developer can realize is the fact that, as a data handler, they have some of
the most important legal and moral requirements towards their data subjects of any technically oriented
organization.
The fact that consumers entrust developers with their data at all is predicated upon the idea that this data will be
secured, that the API itself will be bolstered against attacks, and that the API provider is doing everything within their
power to continually secure themselves against potential threats. With this in mind, the idea of auditing API security
is extremely important.
Today, we’re going to do exactly that. We’ll discuss 9 questions that every API provider should ask
themselves when it comes to security. While this is one potential guide for high-level API security auditing, we
hope it will be a jumping off point toward more specific questions along the API lifecycle.
Of course, there are strong systems to implement which can negate many of these threats. Following a few basic “best practices” for security (https://nordicapis.com/why-api-security-is-more-important-than-ever/) can negate the bulk of the vulnerabilities, and as such, these best practices should be seen as a first line of defense.
Auditing can help expose wasteful endpoints, duplicate functions, consistently failing calls, and more, which if reduced makes for a better maintained, safer codebase. This also has the added effect of producing clearer documentation, and taken to its logical conclusion, can make version management and iteration that much easier and more effective.
In other words, a security audit is not just a good idea in terms of securing your API – it’s a good idea for securing
the health of your API program, too.
Business Questions
When we discuss business considerations, what we’re really looking at is the fundamental way in which the core
business competencies drive the API design and function. In other words, we’re looking at how the API supports the
business itself, and thereby identifying the various security concerns fundamental to the business functionality. This
includes how information is collected, how that data is retained, and various other aspects concerning partners and
internal policies.
The biggest impact here is the fact that with greater amounts of collected data,
the data pipeline loses efficacy, and can potentially betray user privacy
expectations. This, together, makes the API a larger target, and thereby
decreases the overall security. An API should do much while exposing little – in
other words, it should provide excellent functionality without exposing exactly
how powerful it is.
If your API exposes massive amounts of data, from a pure cost/benefit analysis, you are going to be a target. Furthermore, if you are breached, especially if you function in any capacity with EU data or are under EU data protection laws (https://nordicapis.com/complying-with-tough-new-eu-rules-on-data-protection/), your punitive possibilities are extreme.
Look at your API, and reduce data collection to only that which is necessary. Obtain explicit user consent for that collection – an “opt-out” option is no longer effective and, in many cases, does not guarantee GDPR compliance. Obfuscate data (https://nordicapis.com/securing-your-datastream-with-p2p-encryption/) where appropriate, especially on endpoints. Most of all, minimize your attack surface as drastically as possible while still allowing the basic business functionalities required.
Image caption: Understand new EU data protection laws (https://nordicapis.com/complying-with-tough-new-eu-rules-on-data-protection/)
The unfortunate reality of data exposure is that most threats are not from external sources, but from internal threats,
poor security policies, inadequate training, and simple malfeasance. Even if the threat is not cognizant or purposeful,
simple human error can be much more damaging than any external attack due to the nature of internal access to
resources.
Thankfully, this area of threat can be mitigated perhaps more effectively than any other area in this auditing process. Internal security policies are stated by internal members, and as such, can be tailored to your specific organization, its eccentricities, and its general weaknesses.
Hardening processes against social engineering, for example, can be relatively simple if systems are locked out from
access until the client provides two-factor identification, thereby removing the inherent insecurity of secret
questions.
IP theft can be prevented by separating systems and ensuring that clients access content via an API on a secure server (https://nordicapis.com/the-benefits-of-a-serverless-api-backend/) and have their traffic routed independently of other, less secure traffic sources.
Something as simple as ensuring proper distribution of responsibilities and powers amongst your employees can
go a long way towards ensuring security of this type and mitigating most common threats.
When you share data from your API with other third parties (https://nordicapis.com/first-or-third-party-apis/), you
are relying not just on them securing the data they’ve gotten from you, but on their own security being stringent
enough to secure their own data and their own API. Due to the nature of a business-to-business application, these
types of integrations tend to form symbiotic chains between the API partners, meaning what affects one partner will
likely affect the other.
In other words, if a partner’s system is compromised, there is the serious and real threat that endpoints that aren’t
meant to be exposed would in turn be exposed, thereby transferring much of the impact from an external point of
failure onto your internal systems.
Accordingly, any business security review must take into account an audit on external partners, their various
policies, and the systems into which they integrate your data stream. If you don’t have an SLA, or Service Level
Agreement, with that partner, or they aren’t 100% trusted and verified, they are not a partner you need to be
providing heightened access to.
Partner API Security Case Study: Cambridge Analytica & Facebook (https://nordicapis.com/learning-from-the-cambridge-analytica-incident/)
Technology Questions
Technology concerns go beyond these business questions, and instead look at the technological implementations of the core business competencies and their related functions. This is often the focus of most security audits and implementations, and while this is an extremely important aspect of this auditing process, it is only part of the bigger picture.
Addressing your encryption methods and ensuring that they are adequate and secure is extremely important. While
at rest encryption is obviously important, it’s also just as important to ensure encryption in transit. The amount of
data pushed over HTTP is insane when one considers that HTTPS is much more secure and very easy to set up. It’s
not a perfect solution, sure, but it’s a better solution than sending over the clear, and when paired with other
advanced encryption, makes for a secure pipeline for data transit.
These are often missed or ignored, especially when the vulnerabilities seem
small. The reality is a single small gap can cascade across multiple endpoints and products, resulting in a much less
secure system, and a propagation of weakness across the entirety of the system.
A big vulnerability, often associated with online databases, is using default settings and setup values. While it might
seem easy to just click a button and set up a default server, in some cases, this can leave data unencrypted, easily
grabbed, and sent over the clear. In fact, many of the most high profile data breaches (https://nordicapis.com/high-
grade-api-security-for-banks/) of the last ten years have occurred simply because the databases in question or the
services that secured them had little to no encryption and utilized default securing credentials.
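As an added illustration of the two points above (encryption in transit, and default settings and credentials), here is a small configuration audit in Python. It is example code written for this edit, not part of the original post; the config layout, the default-credential list and the endpoint names are assumptions.

```python
# Added example (not from the Nordic APIs article): audit an API deployment's config for
# plaintext transport and "out of the box" settings. The config shape and the list of
# default credentials it compares against are assumptions made for this example.
from urllib.parse import urlparse

# Constructed list of well-known default credentials; extend it for your own stack.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", ""), ("postgres", "postgres"), ("sa", "")}
SECURE_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}

def audit_config(cfg):
    """Return a list of findings (strings) for a deployment config dict; empty means clean."""
    findings = []
    # 1. Encryption in transit: every public endpoint must be served over HTTPS.
    for url in cfg.get("public_endpoints", []):
        if urlparse(url).scheme != "https":
            findings.append(f"plaintext endpoint: {url}")
    tls = cfg.get("tls", {})
    if tls.get("min_version") not in SECURE_TLS_VERSIONS:
        findings.append(f"weak or unset TLS minimum version: {tls.get('min_version')}")
    if not cfg.get("hsts", False):
        findings.append("HSTS not enabled")
    # 2. Default setup values on the database behind the API.
    db = cfg.get("database", {})
    if (db.get("user"), db.get("password", "")) in DEFAULT_CREDENTIALS:
        findings.append(f"default database credentials for user {db.get('user')!r}")
    if db.get("bind_address") in ("0.0.0.0", "::"):
        findings.append("database listens on all interfaces")
    if not db.get("encrypt_at_rest", False):
        findings.append("database storage not encrypted at rest")
    if not db.get("require_tls", False):
        findings.append("API-to-database connection does not require TLS")
    return findings

# Constructed sample: a "click-through defaults" deployment next to a hardened one.
DEFAULT_DEPLOYMENT = {
    "public_endpoints": ["http://api.example.test/v1/users"],
    "tls": {"min_version": "TLSv1.0"},
    "database": {"user": "postgres", "password": "postgres", "bind_address": "0.0.0.0"},
}
HARDENED_DEPLOYMENT = {
    "public_endpoints": ["https://api.example.test/v1/users"],
    "tls": {"min_version": "TLSv1.2"},
    "hsts": True,
    "database": {"user": "api_svc", "password": "<from-secret-store>",  # placeholder
                 "bind_address": "127.0.0.1", "encrypt_at_rest": True, "require_tls": True},
}

if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULT_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(name, audit_config(cfg))
```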
As such, vetting your customer base is a massively important issue for any secure API. Make sure that customers are using their data access for the proper reasons, and most importantly, establish a way to track baseline usage and ensure that any deviations are properly addressed and managed.
An example of this type of threat would be the massive data misuse from Cambridge Analytica (https://nordicapis.com/learning-from-the-cambridge-analytica-incident/). The organization data-mined information from an app that was published on Facebook for “academic purposes,” and used that data for a multitude of different uses – all in violation of the terms of service from Facebook itself.
Another great method of dealing with these concerns is to grant new customers rate-limited starter accounts until they’ve shown that their purposes are legitimate and their usage allowed. Another method is to tie into other federated networks with trusted userbases, allowing trust to be established by trusting their history on other networks.
Regardless of how you ensure your customer is trusted, this is of paramount importance to a secure API. Most attacks are going to originate from the inside, not from random outsiders.
Image caption: A human-readable developer policy (https://nordicapis.com/a-humans-guide-to-drafting-api-platform-policy/) is the first step toward enforcing API terms of service.
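The two controls described above, rate-limited starter tiers and tracking each consumer's baseline usage, as an added Python example written for this edit (not the article's own code). Tier names, limits, the log line format and the deviation threshold are all assumptions; the log lines are constructed.

```python
# Added example (not from the Nordic APIs article): trust tiers with per-tier rate limits,
# plus a check that flags consumers whose call volume deviates from their own baseline.
# Tier names, limits, the log format and the z-score threshold are assumptions.
from collections import Counter, defaultdict
from statistics import mean, pstdev

# "starter" accounts get a tight limit until their usage has been reviewed (requests/day).
TIER_LIMITS = {"starter": 100, "verified": 5_000, "partner": 50_000}

def daily_limit(consumer):
    """Resolve the limit from the consumer record, defaulting to the most restrictive tier."""
    return TIER_LIMITS.get(consumer.get("tier"), TIER_LIMITS["starter"])

def parse_log(lines):
    """Constructed log format: '<day> <consumer_id> <endpoint>' -> {consumer: {day: count}}."""
    counts = defaultdict(Counter)
    for line in lines:
        day, consumer, _endpoint = line.split()
        counts[consumer][day] += 1
    return counts

def deviations(counts, consumers, z_threshold=3.0):
    """Return (consumer, day, count, reason) for over-limit days and baseline outliers."""
    findings = []
    for consumer, per_day in counts.items():
        limit = daily_limit(consumers.get(consumer, {}))
        days = sorted(per_day)
        latest_day, latest = days[-1], per_day[days[-1]]
        history = [per_day[d] for d in days[:-1]]  # baseline = every earlier day
        if latest > limit:
            findings.append((consumer, latest_day, latest, "over tier limit"))
        if len(history) >= 3:  # a baseline needs some history before it means anything
            mu, sigma = mean(history), pstdev(history)
            if sigma > 0 and (latest - mu) / sigma > z_threshold:
                findings.append((consumer, latest_day, latest, "deviates from baseline"))
    return findings

def _lines(day, consumer, endpoint, n):
    return [f"2020-06-{day:02d} {consumer} {endpoint}"] * n

# Constructed sample: a verified customer whose daily volume suddenly quadruples, and a
# new starter account that blows through its limit on day one.
CONSUMERS = {"acme": {"tier": "verified"}, "newco": {"tier": "starter"}}
LOG = (_lines(15, "acme", "/v1/users", 9) + _lines(16, "acme", "/v1/users", 11)
       + _lines(17, "acme", "/v1/users", 10) + _lines(18, "acme", "/v1/users", 12)
       + _lines(19, "acme", "/v1/users", 40) + _lines(19, "newco", "/v1/export", 120))

if __name__ == "__main__":
    for finding in deviations(parse_log(LOG), CONSUMERS):
        print(finding)
```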
Consider how the frontend operates. Does the API secure keys (https://nordicapis.com/why-cant-i-just-send-jwts-without-oauth/) properly in transit? Is the key used for total authentication, or just as part of the process? Ideally, a key should start the process of identification (https://nordicapis.com/scim-building-the-identity-layer-for-the-internet/), but not solely prove ownership, thereby limiting damage. Is user rights escalation limited, or is it automatic given their subscription level? These systems can be broken and users can sometimes maliciously escalate their own privileges.
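One way to apply the key-handling advice above, as an added Python example written for this edit rather than code from the article: the key only identifies the client, a second server-side check is still required before the key counts as proof of ownership, and scopes come from the provider's own record so a client cannot escalate by editing its request. The key store, the host-binding check, the scope names and the sample key are assumptions.

```python
# Added example (not from the Nordic APIs article): the API key identifies the caller, but
# what the caller may do is resolved from the provider's own record of that key, never
# from anything the client sends. Store layout, scopes and request shape are assumptions.
import hashlib

def _fingerprint(api_key):
    """Keys are stored hashed, so a leaked store does not hand out working credentials."""
    return hashlib.sha256(api_key.encode()).hexdigest()

_DEMO_KEY = "demo-starter-key-0001"   # constructed sample key, not a real credential

# Constructed key store: fingerprint -> record with the subscription-derived scopes and
# the hosts the key was issued to.
KEY_STORE = {
    _fingerprint(_DEMO_KEY): {"client_id": "newco", "tier": "starter",
                              "scopes": {"users:read"},
                              "allowed_hosts": {"app.newco.test"}},
}

def identify(api_key):
    """Step 1 of the process: map the key to a client record, or None if unknown."""
    return KEY_STORE.get(_fingerprint(api_key))

def authorize(request):
    """Decide a request using only the server-side record. Any 'tier' or 'scopes' fields
    the client includes in its request are simply never read."""
    record = identify(request.get("api_key", ""))
    if record is None:
        return (401, "unknown key")
    # The key only identifies; a second, server-side bound check is still required,
    # so possession of the key alone does not prove ownership.
    if request.get("source_host") not in record["allowed_hosts"]:
        return (401, f"key for {record['client_id']} used from unexpected host")
    required = request["required_scope"]
    if required not in record["scopes"]:
        return (403, f"{record['client_id']} ({record['tier']}) lacks scope {required}")
    return (200, f"ok for {record['client_id']}")

# Constructed requests: a legitimate read, the same client claiming a higher tier in its
# own request to reach a write endpoint, and the key presented from an unexpected host.
READ_REQUEST = {"api_key": _DEMO_KEY, "source_host": "app.newco.test",
                "required_scope": "users:read"}
ESCALATION_ATTEMPT = dict(READ_REQUEST, required_scope="users:write",
                          tier="partner", scopes=["users:write"])
UNEXPECTED_HOST = dict(READ_REQUEST, source_host="unknown.test")

if __name__ == "__main__":
    for req in (READ_REQUEST, ESCALATION_ATTEMPT, UNEXPECTED_HOST):
        print(authorize(req))
```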
All of this is often overlooked, but it bears discussion – a frontend is just like your front door, and as important as we consider locking our front door when leaving the house, so too should we treat our frontends with ample security!
Additionally, consumer support systems can be leveraged as a method of reporting and identifying these issues
before they become larger than they already are. Simple reporting emails, a live support chat, or even a bug hunting
reward program can go a long way to ensuring users are reporting issues when they’re discovered, thereby having
an overall strengthening effect on your API.
Being proactive in this realm is hugely important. After all, if your users can find and exploit these issues, sometimes
even accidentally, then you can be sure that attackers can as well – the only difference being that attackers won’t be
kind enough to notify you as to the exposure, alerting you there’s a problem at all.
Conclusion
Security is an extremely serious and important part of any API, and as such, it should be given the importance and weight that it deserves. These 9 basic questions can do a lot to audit security, and frankly, they’re not that difficult to address – adopting them as a frame of mind not only results in a greater amount of security immediately, but has a compounding effect when used as a structure for secure development.
Considering the possible fines, not to mention the loss of trust and commerce that can come from being exposed or having an API used for nefarious purposes, the benefits of adopting these questions and thinking hard about security moving forward are immediate and compounding over time, delivering a safer, stronger, and more reliable API ecosystem.
Head to our API Security Insights page (https://nordicapis.com/api-insights/security/) for more on securing APIs!
Kristopher Sandoval (https://nordicapis.com/author/sandovaleffect/)
Kristopher is a web developer and author who writes on security and business. He has been writing articles for Nordic APIs since 2015.