Suomi.fi for Service Developers
Best practices for developers
API design in public administration

Consider data protection, information security and access rights

Protect personal data

Any personal data processed through an API must be protected, and its processing must be documented in the same way as in any other information system.

When designing an API, you must draw up a privacy statement to be published together with the API. Personal data, including e-mail addresses and IP addresses, are often collected when an API is used, so a personal data register builds up over time. Collecting some personal data may be necessary for purposes such as tracking the use of API keys.

Updated: 6/5/2026

Plan protection based on a risk assessment

It is a good idea to base the protection of an API on a risk assessment. The risk assessment should examine the data the API processes and the functionality it exposes.

The three most common ways of attacking an API are:

  1. Distributed Denial of Service (DDoS)
  2. SQL injection
  3. abuse of the API's business logic (using legitimate operations in unintended ways).

An API connected to the Internet can be both disrupted and overloaded, for example by bot-generated traffic or a denial of service attack.
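The following is an added example, not code from the Suomi.fi page, showing what item 2 of the list above looks like in practice: an API-key lookup built by string concatenation next to the same lookup written as a parameterised query. The table, key values and owner names are constructed for the example; the attack string `k-beta' --` closes the quoted value and comments out the rest of the statement, so the `active = 1` condition is never evaluated and a revoked key is accepted.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny API-key registry in an in-memory SQLite
    database (not from the Suomi.fi page). One key is active, one is revoked."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_keys (key TEXT PRIMARY KEY, owner TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO api_keys VALUES (?, ?, ?)",
        [("k-alpha", "weather-app", 1), ("k-beta", "archived-service", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, api_key):
    """Vulnerable form: the caller-supplied key is pasted into the SQL text,
    so anything the caller sends is parsed as part of the statement."""
    sql = f"SELECT owner FROM api_keys WHERE key = '{api_key}' AND active = 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn, api_key):
    """Hardened form: the key is bound as a parameter. The database receives the
    statement and the value separately, so the value can never change the query."""
    row = conn.execute(
        "SELECT owner FROM api_keys WHERE key = ? AND active = 1", (api_key,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs both lookups against an honest key and an injection payload and
    returns the outcomes so they can be compared side by side."""
    conn = build_db()
    payload = "k-beta' --"  # closes the string literal, comments out "AND active = 1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, "k-alpha"),
        "vulnerable_revoked": lookup_vulnerable(conn, "k-beta"),
        "vulnerable_injected": lookup_vulnerable(conn, payload),
        "safe_honest": lookup_safe(conn, "k-alpha"),
        "safe_injected": lookup_safe(conn, payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload, the vulnerable lookup returns the owner of the revoked key `k-beta`, while the parameterised lookup returns nothing because no key literally equals the string `k-beta' --`. The same principle applies to every query an API issues, whatever the database driver.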

Updated: 6/5/2026

Key goals of API security

  1. Confidentiality: The API and its data are protected so that only authorised users can access them.
  2. Data integrity: The data remain unchanged while passing through the API, so what the recipient receives is exactly what the sender sent.
  3. Availability: API data are easily and quickly accessible to those who have the right to access them.
  4. Non-repudiation: Use of the API leaves a trace in the log. Log entries show who has done what and when.
  5. Authentication: The parties to the API (publisher and user) verify each other's identities, i.e. check that the other party is who it claims to be.
  6. Access control: Access to the API is controlled and restricted so that it can only be used by authorised persons. This supports the confidentiality and integrity of the data by preventing unauthorised access.

Even if an API is designed and intended for internal use only, it can also be reached from outside if the organisation's internal network is breached in some way. It is important to think this risk scenario through.

You must give the management of access rights and authorisations careful thought. For example, what happens when a software developer moves on to a new job?

Read more: OWASP API Security Project (OWASP Foundation).

Updated: 6/5/2026

Protect against undesirable network traffic

A significant part of Internet traffic is produced by bots. Bot traffic can be blocked, and the load it generates reduced, by using blocklists and filtering out unwanted requests. This is particularly important for APIs intended for external use.

Distributed denial of service (DDoS) attacks may target APIs released for external use, which is why protecting against them is essential. An API Gateway solution can help manage network traffic and block undesirable traffic. The Gateway can also be used to prioritise, rate-limit and filter traffic to mitigate bot traffic and denial of service attacks.

It is important to consider the following in API security:

  1. Protection against denial of service attacks and bots.
  2. Careful access control.
  3. Using an API Gateway for traffic management, including load regulation and logging.
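The following is an added example, not code from the Suomi.fi page or any particular gateway product, that puts the three points above together with the non-repudiation, authentication and access-control goals from the "Key goals of API security" list. It models the checks a gateway applies before a request reaches the API: a source blocklist, a per-client token bucket as the load regulator, API-key authentication, a scope check for the requested operation, key revocation for when a developer leaves, and an audit record of every decision. The blocklisted address, API keys, owners and scopes are constructed for the example; the `now` parameter stands in for the clock so the behaviour is reproducible.

```python
import time


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, holds at most
    `capacity`. Each request spends one token; an empty bucket means "too fast"."""

    def __init__(self, rate, capacity, now):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, now

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    """Minimal gateway-style request filter (constructed example)."""

    def __init__(self, keys, blocklist, rate=5.0, burst=10):
        self.keys = dict(keys)          # api_key -> {"owner": ..., "scopes": {...}}
        self.blocklist = set(blocklist)  # client addresses that are never served
        self.rate, self.burst = rate, burst
        self.buckets = {}                # one token bucket per client address
        self.audit_log = []              # who did what, when, and the outcome

    def _bucket(self, client_ip, now):
        if client_ip not in self.buckets:
            self.buckets[client_ip] = TokenBucket(self.rate, self.burst, now)
        return self.buckets[client_ip]

    def _decide(self, client_ip, api_key, operation, now):
        # Cheapest checks first: a blocklisted or flooding source is rejected
        # before any key lookup, so unauthenticated floods cost the API nothing.
        if client_ip in self.blocklist:
            return 403, "blocklisted source", None
        if not self._bucket(client_ip, now).allow(now):
            return 429, "rate limit exceeded", None
        entry = self.keys.get(api_key)
        if entry is None:
            return 401, "unknown or revoked API key", None
        if operation not in entry["scopes"]:
            return 403, "operation not permitted for key", entry["owner"]
        return 200, "ok", entry["owner"]

    def handle(self, client_ip, api_key, operation, now=None):
        """Returns (status, reason). Every decision, allowed or not, is logged."""
        now = time.monotonic() if now is None else now
        status, reason, principal = self._decide(client_ip, api_key, operation, now)
        self.audit_log.append({
            "time": now, "client": client_ip, "principal": principal,
            "operation": operation, "status": status, "reason": reason,
        })
        return status, reason

    def revoke(self, api_key, revoked_by, now=None):
        """Removes a key (e.g. when its holder changes jobs) and records who did it."""
        now = time.monotonic() if now is None else now
        entry = self.keys.pop(api_key, None)
        self.audit_log.append({
            "time": now, "client": None, "principal": revoked_by,
            "operation": f"revoke {api_key}",
            "status": 200 if entry else 404,
            "reason": "key revoked" if entry else "no such key",
        })
        return entry is not None


# Constructed registry and blocklist (TEST-NET-3 address), not real data.
SAMPLE_KEYS = {
    "k-alpha": {"owner": "weather-app", "scopes": {"read"}},
    "k-gamma": {"owner": "reporting-tool", "scopes": {"read", "write"}},
}
SAMPLE_BLOCKLIST = {"203.0.113.9"}


if __name__ == "__main__":
    gw = Gateway(SAMPLE_KEYS, SAMPLE_BLOCKLIST, rate=1.0, burst=3)
    print(gw.handle("203.0.113.9", "k-alpha", "read", now=0.0))
    for _ in range(4):  # burst of 3 allowed, fourth request rate-limited
        print(gw.handle("198.51.100.1", "k-alpha", "read", now=0.0))
    gw.revoke("k-gamma", revoked_by="admin", now=2.0)
    print(gw.handle("198.51.100.2", "k-gamma", "write", now=2.0))
    for record in gw.audit_log:
        print(record)
```

Two design choices matter here. Rate limiting runs before authentication, so a flood of requests with bogus keys is shed by the bucket rather than by the key store. And the audit record is written for rejected requests as well as accepted ones, which is what makes the log useful both for non-repudiation and for spotting an attack in progress.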

Updated: 8/5/2026
