An application programming interface (API) is simply an extension of an already functioning application, added so that users can interact with it programmatically.
APIs are used for many purposes, including pulling data from a database, sending data to be stored in a database and pushing jobs to a queue, but their main purpose is to let users interact with the application from a program or a script for the sake of automation. In a virtualization environment without API support, every action has to be invoked manually by a user; with thousands of virtual machines, every action would have to be executed separately on each one to reach the desired outcome. That process would be slow and cumbersome, which is why APIs exist -- they provide automated interaction with an application without anyone performing the actions by hand.
In this tip, we'll examine how APIs work in a cloud environment, including various types and their specific roles, and then review best practices for building a secure API in the cloud.
Types of APIs
When planning an API, it's important to keep the bigger picture in mind. Whenever a message is sent over a communication channel, some kind of protocol -- a set of rules known both to the sender and the recipient -- is needed for the message to be processed correctly. To maximize the security of API messages transferred over the Internet, use a secure protocol. A secure protocol encrypts the data on the client side before sending it over the network to the server side, where the server decrypts and processes the data. Protocols that can be used to securely transfer messages over the Internet include HTTPS, POPS, IMAPS, SMTPS, LDAPS, XMPPS and others.
The data in the message can be represented in numerous formats, though the format used has no effect on security. Usually the messages are written in XML, JSON or HTML -- possibly all three, as in the case of ZAProxy -- so that end users have a choice when interacting with the application. The most important property of APIs is that they are extensible and reachable from a number of programming languages, so it is easy to write a program that interacts with the API in an arbitrary language as long as proper protocols are used. A proper protocol allows easy interaction with the application and has been well supported and tested over the years -- the HTTP protocol is a well-known example. API types commonly used for exchanging messages over the Internet include REST, SOAP, XML-RPC and JSON-RPC.
Building a new API
When developing a brand new application programming interface for the cloud, it's important to address certain issues:
- Identity: A server does not automatically recognize a first-time user, so it requires proof of identity. Typically it asks for a user ID or a public key that uniquely identifies the user. Unfortunately, that information is public, so an attacker can also claim to be a particular user; the attacker will not, however, be able to prove the claim conclusively.
- Authentication: To verify a claimed identity, the server generates a challenge. The answer to the challenge is known only to the user and can be a password, a private key, a token or something else.
- Authorization: Once the user has proved his or her identity, access to the application is requested. The application then checks whether that user is allowed to access the requested resource or perform the requested action before granting it.
See Infosec Institute's article on Building a Secure API in a Cloud Environment.
There are a number of techniques an application can use to identify and authenticate users:
- Username and password: A username and password pair provides user verification through basic or digest authentication. Whichever method is used, the password in an HTTP request is unencrypted, so it is imperative to use a secure communication channel such as HTTPS.
- Sessions: When the username and password are sent to an application, it responds with a cookie, which the client then sends with all subsequent requests to identify itself.
- Certificates: A public or private key infrastructure can be used to authenticate users. This requires server and client certificates signed by a valid authority, which can be used to establish the legitimacy of the certificate.
- Open Authorization: OAuth is mainly used when one application uses another application on behalf of the user. For example, an application with a "Share to Twitter" button usually implements OAuth. This grants the application access to Twitter's API without revealing the password of the application.
- Custom authentication schemes: A custom authentication scheme can be used to identify and authenticate users through a proprietary protocol. A proprietary protocol is usually not a favorable choice because it is used in only one application. Known protocols are typically better because they minimize the time a user must spend learning them. A custom authentication scheme should only be built by top-notch security teams because it is an involved process where things often go wrong.
- API keys: API keys prove the identity and authenticity of the user during the first request sent to the server, before a session has been established. An API key is simply a long, unique token known only to the application running on the server side and the client sending the API request. API keys can be better than usernames and passwords because of their increased entropy, tougher protection against attackers and limited disclosure of sensitive information.
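The identity / authentication / authorization split and two of the techniques above (basic auth over HTTP and API keys), as an added example that is not from the original article: the key id is the public identity, the secret half of the key is the authentication proof (stored only as a hash and compared in constant time), the scope set is what authorization checks, and the helper at the end shows why a basic-auth header must travel over HTTPS. The in-memory store, the `vm:*` scopes and the sample header are constructed for the example.

```python
import base64
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Constructed in-memory store: key_id -> (sha256 hex of the secret, allowed scopes).
# A real service would persist this; the point is that only the hash is stored.
KEY_STORE = {}

# Constructed sample header: base64 of "alice:hunter2", i.e. not encrypted at all.
SAMPLE_BASIC_HEADER = "Basic YWxpY2U6aHVudGVyMg=="


def issue_api_key(scopes):
    """Create a key of the form '<key_id>.<secret>' and store only the secret's hash."""
    key_id = secrets.token_hex(8)        # 64-bit public identifier (the identity)
    secret = secrets.token_urlsafe(32)   # 256 bits of entropy, known only to the client
    KEY_STORE[key_id] = (hashlib.sha256(secret.encode()).hexdigest(), frozenset(scopes))
    return f"{key_id}.{secret}"


def authenticate(api_key: str) -> Optional[str]:
    """Return the key_id if the presented secret matches the stored hash, else None."""
    key_id, _, secret = api_key.partition(".")
    record = KEY_STORE.get(key_id)
    if record is None:
        return None
    presented = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison so response timing does not reveal matching prefixes.
    return key_id if hmac.compare_digest(presented, record[0]) else None


def authorize(key_id: str, scope: str) -> bool:
    """Authorization: does this already-authenticated identity hold the scope?"""
    return scope in KEY_STORE[key_id][1]


def basic_auth_credentials(header: str) -> str:
    """Decode an HTTP Basic header: the credentials are base64, not encrypted."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    return base64.b64decode(payload).decode()


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)
```

Comparing `entropy_bits(26, 8)` (an 8-letter lowercase password, about 37.6 bits) with `entropy_bits(256, 32)` (the 32 random bytes behind the key, 256 bits) makes the "increased entropy" argument concrete.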
These fundamentals underpin the creation of a secure API design, especially when building a custom API or even when using a cloud provider's API.
When choosing a cloud service provider (CSP), check whether it provides an API. Later on, an API will prove valuable for automating certain programs or scripts. The CSP should have proper documentation and security testing results that demonstrate the soundness of its API design and security.
With a custom API, hire a security consultant or penetration tester to test the API on a regular basis; it's critical to test the API before it goes into production and every time there is a major code release. This will eliminate weaknesses in the API that could be used in an attack that compromises the security of application users.
About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance as well as security related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages and constantly writes security-related articles for his own website at www.proteansec.com.