APIs are quickly becoming the most common attack and breach vector in many organizations. Integrating and maintaining good API security is crucial, both for long-term security and for compliance. If you request a pentest of your APIs or their endpoints, that pentest (or, more likely, vulnerability assessment) is conducted to find where prospective attackers could slip past that security.
If you request a pentest with Cyver, we can help you identify potential vulnerabilities, access control issues, authorization problems, and more. But we also want to ensure you’ve implemented basic security controls, have your endpoints mapped, and understand where risks can come from.
List & Manage APIs
Most organizations use APIs, and most use more than one. It’s crucial that you inventory and manage a list of your APIs, split into private and publicly available ones. Managing those connections and their endpoints is part of security: you have to be aware of an entry point in order to secure it. Basic perimeter scanning can help you build a list of all exposed APIs, and in most cases a simple scanner is enough. Basic Endpoint Detection & Response tools like Cynet, RSA NetWitness, FireEye, or CrowdStrike Falcon can also help you achieve this.
Integrate Endpoint Controls
A single API can have dozens or even hundreds of endpoints. Monitoring those endpoints is important. For example, you want to:
- Monitor endpoints continuously using a scanner to collect data on user access and authentication, communication protocols, and security events
- Establish behavioral guidelines for each device, detect suspicious activity, and flag potentially malicious activity
- Report incidents in real time to an established security control
Other API Security Best Practices
Of course, you also want to integrate basic security like:
- Accept HTTPS communication only
- Limit the number of API calls a client can make, based on reasonable expectations of use. That limit might be hourly, monthly, or yearly, but make sure it’s in place.
- Require API key or client ID authentication for every caller
- Implement frameworks like OAuth for access control
- Store passwords as one-way hashes and protect private data
You might also want to implement more advanced security recommendations.
For example, if your API is used by a few known locations, you should always filter based on IP address. If you know where requests are coming from, restricting API calls to that IP address greatly increases the security of the API. If IP filtering isn’t an option, consider regional filtering. Block any regions where you don’t do business. In addition, maintaining the option to block regions – for example, if you’re being hit with an attack – can very quickly end that attack.
JWT – Another common and easy-to-implement option is to switch authentication to JSON Web Tokens (JWT), so clients present a token that identifies them instead of sending their credentials with every request.
Validate Input – Input validation is simple, but it’s also one of the most common findings in an API pentest. It means checking incoming data against expectations for format and content, and rejecting anything that doesn’t match. Why does it matter? It blocks SQL injection attacks, which rely on the API accepting a request without checking its content. Input validation can also strip characters from incoming requests that may be part of malicious input.
Limit Client Behavior – Restrict endpoint responses to filter out malicious and misconfigured clients: accept only requests that match your API specification and carry valid access credentials, and answer any improper request, such as an unsupported HTTP method, with a 405 response.
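As an added example (not Cyver’s code or part of the original post), here is a request handler that enforces format and content checks before data reaches the database, with a parameterised query as a second layer so that input can never be spliced into SQL; the users table, field names and lookup endpoint are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample store standing in for the API's backing database.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (username TEXT, email TEXT)")
_DB.executemany("INSERT INTO users VALUES (?, ?)",
                [("alice", "alice@example.com"), ("bob", "bob@example.com")])

# Allow-list for the 'username' field: 3-32 chars of letters, digits, '_' or '-'.
# Anything outside this set (quotes, spaces, comment markers) is rejected outright.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{3,32}")
EXPECTED_FIELDS = {"username"}

class ValidationError(ValueError):
    """Raised when a request body does not match the expected shape or content."""

def validate_lookup_request(body):
    """Check format (a JSON object with exactly the expected fields) and content."""
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")
    extra = set(body) - EXPECTED_FIELDS
    missing = EXPECTED_FIELDS - set(body)
    if extra or missing:
        raise ValidationError(f"unexpected fields {sorted(extra)}, missing {sorted(missing)}")
    username = body["username"]
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-32 chars of [A-Za-z0-9_-]")
    return username

def lookup_email(username):
    """Parameterised query: the value is bound by the driver, never concatenated."""
    row = _DB.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

def handle_lookup(body):
    """API handler: validate first and reject with 400, otherwise query safely."""
    try:
        username = validate_lookup_request(body)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    email = lookup_email(username)
    if email is None:
        return 404, {"error": "no such user"}
    return 200, {"username": username, "email": email}
```

A 400 with a short reason is returned for anything that fails validation, so the database never sees unexpected content even before the parameterised query applies.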
Pentesting Your API with Cyver
Cyver uses a pentest management platform to help you manage and assess long-term security of assets like APIs and endpoints. When you request a pentest of your APIs, we can deliver a multi-endpoint vulnerability assessment, checking the security of the code, the endpoints, and access and authorization controls.
- Asset management with vulnerabilities tracked per asset
- Swagger / Postman files
- Vulnerability management per API, with time-to-fix, vulnerability metrics, and more
- The ability to schedule new pentests, per asset, with file upload integrated into a secure platform
- Developer accounts, so devs get updates as vulnerabilities are reported and can roll fixes into sprints
- An assessment according to OWASP API Top Ten