Developers are expected to deliver secure applications, which means they should also focus on API security. In this article, Renjith Babu, VP of solution engineering, Cloudentity, discusses in detail the four criteria developers should consider for developing secure APIs.
Developers face increased pressure to deliver secure applications in the development phase. Accordingly, aspects of API security are non-negotiable for secure applications. This article will explore four criteria developers must consider when building applications: data leakage, authorization, governance, and consent.
Data Leakage
Just because we can secure the way data is shared does not mean that we want to share all of that data all the time; sharing data beyond what is actually needed is the very common phenomenon we refer to as "data leakage." Solutions that can eliminate unnecessary data leakage are critical to the success and security of modern applications. API policy-based governance is a good start to eliminating data leakage, and it can be expanded with tools that dynamically observe API traffic and detect changes in the data an API returns. Using API policy-based governance also allows developers to tag data and apply new policies that reduce the threat vector for data leakage.
Authorization in Applications
Software engineers continue to use a decentralized approach to managing authentication and authorization across a company's API and service portfolio. Such an approach can allow threat actors to perform account takeovers or steal identities by targeting the application's weakest links. According to Verizon's 2022 Data Breach Investigations Report (DBIR), most incidents involving privilege misuse, where people use the legitimate access granted to them to steal customer, employee and partner data, result in successful data breaches.
Developers should enforce open standards, like OAuth token-based access control, on their APIs in a centralized manner. The emphasis should be on tightly scoped transactional tokens with a very targeted audience and a short lifespan rather than bloated tokens with a high TTL; this significantly reduces the attack surface and limits token reuse and replay. Developers should also consider incorporating the more advanced OAuth profiles and models into their application architectures. The security and usage of these advanced OAuth profiles have already been proven in the financial-grade API specifications used globally in Open Banking and Open Data initiatives. Furthermore, developers should work toward a Zero Trust model within the application's infrastructure, continuously authorizing both application calls and the users accessing applications.
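The token-hygiene rules above, written out as a resource-server check. This is an added example, not code from the article or from Cloudentity; it assumes the token's signature has already been verified and works on the resulting claim set (standard `aud`, `scope`, `exp`, `iat`, `jti` claims), and the 5-minute TTL and three-scope limits are constructed policy values.

```python
"""Resource-side acceptance check for short-lived, tightly scoped OAuth tokens.
Claims are assumed to be signature-verified already; the policy limits below
are constructed values, not from any specification."""
import time

MAX_TOKEN_LIFETIME_S = 300   # constructed policy: 5-minute transactional tokens
MAX_SCOPES = 3               # constructed policy: more than this is a "bloated" token


def check_token(claims, expected_aud, required_scope, seen_jti, now=None):
    """Return (accepted, reason). seen_jti is a set shared by the resource
    server; a jti presented twice is treated as a replay."""
    now = time.time() if now is None else now

    # 1. Audience: the token must have been minted for this API specifically.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        return False, "audience mismatch"

    # 2. Lifetime: reject expired tokens, and reject tokens minted with a long
    #    TTL even while still valid, so the short-lived pattern is enforced.
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or iat is None or now >= exp:
        return False, "expired or missing exp/iat"
    if exp - iat > MAX_TOKEN_LIFETIME_S:
        return False, "token TTL exceeds policy"

    # 3. Scope: the exact scope for this transaction must be present, and the
    #    token must not carry far more than it needs.
    scopes = set(claims.get("scope", "").split())
    if required_scope not in scopes:
        return False, "missing scope"
    if len(scopes) > MAX_SCOPES:
        return False, "over-scoped token"

    # 4. Replay: one presentation per jti.
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return False, "missing or replayed jti"
    seen_jti.add(jti)
    return True, "ok"
```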
Governance
Data governance is experiencing a major transition as enterprises are increasingly adopting open data policies in place of closed data governance models. This is due to a variety of benefits offered by open data, including enhanced application capabilities, services offered, customer insights and user engagement. Open data is the practice of enterprises aggregating and sharing customer data with specific corporate divisions and third-party service providers while still adhering to granular data protection controls and permissions and with explicit customer consent (more on that in the next section).
Gartner predicts that 2022 will see APIs become the most frequent attack vector causing data breaches for enterprise applications. Developers might be completely unaware of how sensitive certain data elements exposed via APIs are in varying jurisdictions, so they should apply data-level governance to control the distribution of data and prevent breaches. API access-level controls are needed in applications to observe, monitor, and govern the data shared across APIs and the authorization context of the users and applications requesting that data.
Central policies governing data access, based on user/application context, location, threat factors, and risk scores, can effectively enforce data access decisions outside of the developer's realm. A centralized approach to enforcement also ensures there is an audit trail of generated events for mitigating or triaging any suspicious behavior or threat incidents.
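A minimal central policy decision point of the kind described above, added here as an example (not code from the article or Cloudentity): it decides an API call from user/application context, region, a threat flag and a risk score, and writes every decision to an audit trail. The attribute names, the allowed regions and the risk threshold are constructed values.

```python
"""Central policy decision point (PDP) with an audit trail.
Rule names, regions and thresholds are constructed for illustration."""
from dataclasses import dataclass, field

RISK_DENY_THRESHOLD = 70        # constructed: risk scores at or above this are denied
ALLOWED_REGIONS = {"EU", "UK"}  # constructed: where this data set may be served


@dataclass
class Request:
    user: str
    client_id: str
    scopes: set
    region: str
    risk_score: int
    threat_flagged: bool = False   # e.g. client or IP matched a threat feed


@dataclass
class Pdp:
    audit: list = field(default_factory=list)

    def decide(self, req: Request, action: str) -> bool:
        """Evaluate ordered deny rules; the first rule that fires denies.
        Allow and deny decisions are both appended to the audit trail so a
        SOC can triage them without involving the API developer."""
        deny_rules = [
            ("threat_intel_hit", req.threat_flagged),
            ("high_risk_score", req.risk_score >= RISK_DENY_THRESHOLD),
            ("region_not_allowed", req.region not in ALLOWED_REGIONS),
            ("scope_missing", action not in req.scopes),
        ]
        for rule, fired in deny_rules:
            if fired:
                self._record(req, action, False, rule)
                return False
        self._record(req, action, True, "default_allow")
        return True

    def _record(self, req, action, allowed, rule):
        self.audit.append({"user": req.user, "client": req.client_id,
                           "action": action, "region": req.region,
                           "risk": req.risk_score, "allowed": allowed,
                           "rule": rule})

    def denials(self):
        """Audit events a SOC would triage: every denied request."""
        return [e for e in self.audit if not e["allowed"]]
```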
Consent
User consent is becoming critical as more regulations, like Payment Services Directive Two (PSD2) in the U.K. and EU, the Consumer Data Right (CDR) in Australia, Open Banking, etc., explicitly move toward requiring a user's consent for how their data is used within an application (or platform) and for whether it is shared with other third parties. PSD2 aims to increase trust between financial institutions and consumers by giving consumers more control and convenience through having their account and payment information centralized on a single device. Merchants seeking to take advantage of this directive will have to "radically rethink the way they obtain their customer's consent to store personal data and ensure their processes and procedures comply with the General Data Protection Regulation," according to Bryan Gaynor from J.P. Morgan.
The Consumer Data Right (CDR), introduced in 2017, requires express consent from consumers for the collection, use, and disclosure of their data with the added condition that the consumer’s consent is only valid for twelve months. Developers should consider these regulations and the constantly changing international regulatory landscape when considering a consent management system or risk non-compliance.
According to the Harvard Business Review, "up to 90% of current IT budgets are spent simply trying to manage internal complexities, with precious little money actually spent on data innovation that improves either productivity or the customer experience." Therefore, developers must have a solution for handling fine-grained consent over users' data elements, such as personally identifiable information (PII), account information, etc., in their apps and services. This puts users in control and keeps the application compliant across a wide breadth of different, constantly changing regulations, all while improving productivity.
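One way the fine-grained, time-limited consent described in this section and the twelve-month CDR validity mentioned above can be applied when an API response is assembled. This is an added example, not code from the article or any consent management product: the field-to-data-element classification, the consent records and the timestamps are all constructed.

```python
"""Filter an API response down to the data elements a consumer has currently
consented to share with a given recipient application. Consent records older
than twelve months are treated as expired. All sample data is constructed."""
from datetime import datetime, timedelta, timezone

CONSENT_VALIDITY = timedelta(days=365)   # twelve months, per the CDR rule cited

# Constructed classification of response fields into consent-able data elements.
DATA_ELEMENT_OF_FIELD = {
    "account_number": "account_info",
    "balance": "account_info",
    "full_name": "pii",
    "email": "pii",
}

# Constructed sample data: one customer record and three consent records.
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
CUSTOMER = {"account_number": "12345678", "balance": 250.0,
            "full_name": "A. Example", "email": "a@example.test",
            "internal_risk_flag": "low"}   # not classified: must never leak
CONSENTS = [
    {"recipient": "budget-app", "elements": {"account_info"},
     "granted_at": datetime(2022, 9, 1, tzinfo=timezone.utc), "revoked": False},
    {"recipient": "budget-app", "elements": {"pii"},             # > 12 months old
     "granted_at": datetime(2022, 1, 15, tzinfo=timezone.utc), "revoked": False},
    {"recipient": "other-app", "elements": {"pii", "account_info"},
     "granted_at": datetime(2023, 2, 1, tzinfo=timezone.utc), "revoked": False},
]


def active_elements(consents, recipient, now):
    """Data elements the consumer currently allows this recipient to receive."""
    allowed = set()
    for c in consents:
        if c["recipient"] != recipient or c["revoked"]:
            continue
        if now - c["granted_at"] >= CONSENT_VALIDITY:
            continue   # expired: consent must be obtained again
        allowed.update(c["elements"])
    return allowed


def filter_response(record, consents, recipient, now):
    """Keep only fields covered by active consent. Unclassified fields are
    dropped too, so a newly added column does not leak by default."""
    allowed = active_elements(consents, recipient, now)
    return {k: v for k, v in record.items()
            if DATA_ELEMENT_OF_FIELD.get(k) in allowed}


def demo():
    """Response for budget-app at NOW: only account_info fields survive."""
    return filter_response(CUSTOMER, CONSENTS, "budget-app", NOW)
```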
Building a consent management system from scratch is no easy feat. Luckily, developers can rely on solutions that provide this capability, integrate them with their applications, and ensure consent is collected and processed for the relevant data sets so the application remains compliant with regulations. Some customer consent management and secure interaction workflows have also been standardized in OAuth financial-grade API specifications and data sharing regulations for secure API access to consumer data across data holders and data recipient applications. Developers should embrace and adopt such standards to enhance their application security posture.
Conclusion
Each API in the enterprise must follow a continuous and dynamic authorization model geared toward achieving Zero Trust, from authentication to authorization, to mitigate the risk of leaky APIs, which can compromise user data. To stay on top of this, development teams must have automated and intelligent authorization policies in place across all of the organization's APIs and data surfaces. Also, to remain compliant with data privacy regulations as well as the expectations of today's consumers, data-level governance and consent must be baked into all applications.