The development of resilient and secure APIs is a requirement for many enterprises. APIs are a core element of many software architectures (e.g., service-oriented, client-server) and enable enterprises to construct applications that are leveraged by various clients (e.g., web, mobile) and partner services (both internal and third-party). Because APIs offer a means to access and manipulate data managed by the application, a paramount requirement is that the APIs be developed so that the data is protected and accessible to only those clients with sufficient privileges.
- Enterprises can save costs by adopting an API development methodology with proactive software quality that leads to inherently secure APIs.
- Security requires collaboration among developers and security teams, starting from the design through implementation.
- Use API definition and authorization policy that all stakeholders review as an explicit contract that must be validated by testing the API implementation.
Proactive Quality for Business Resiliency and Cost Savings
Development teams are often hyper-focused on feature development to increase business value. This can be reflected in testing activities that are overweight in validating the functionality (happy path testing) but deficient in checking negative test cases and edge cases that lead to security vulnerabilities. Defects released in a product have high costs to an enterprise - up to 100x greater cost than defects fixed before release. When a developer must prioritize fixing a defect found in a production release, it takes away valuable time that developer would have used for feature development that adds value to the enterprise. Additional costs include company and product reputation, customer dissatisfaction, increased customer support costs, CVE publication, and damage control.
To avoid low-quality software, enterprises must transition from reacting to security attacks and customer-reported defects to an increased emphasis on proactive testing. This is not achieved by assigning more engineers to write and perform more test cases. There are far too many possible test cases to feasibly author and maintain. Instead, enterprises must leverage autonomous test tools that generate test cases based on the application's expected behavior.
The development of a secure API can be divided into multiple activities. These activities are repeated for each functionality added to an API. In an iterative development methodology, completing a single change or feature addition to an API requires completing each activity.
The design activities - API definition and security policy definition - are crucial to benefiting from new AI-based tools that assist development teams in achieving high software quality. The output of these activities specifies the expectations that next-generation testing tools must verify.
By validating the application's behavior at each stage of development and in each environment using automated processes, stakeholders can confidently release secure APIs at high velocity.
- Define API resources, actions, and data schemas
- Define authentication and authorization policy
- Implement API
- Test API continuously
- Security is everyone’s responsibility
Define API resources, actions, and data schemas
Produce an API definition that is a contract between the client and server
The first step in API development is defining what kind of data is accessed or manipulated. It is critical to define the API as completely as possible, as this acts as the contract between a client and the API. Depending on the API technology chosen for an application, there are languages a team can use to define an API in a structured manner, such as OpenAPI (formerly Swagger), GraphQL, and gRPC. A structured API definition facilitates the easier (and automated) generation of the API documentation and client-side (and server-side) code. In turn, this allows development teams to scale by reducing time spent supporting users of the API and for enterprises to leverage the API for business success. Security teams benefit by having an API definition that can be tracked as part of asset management.
- Decide on the API technology that will be used
- Define the resources (stateful data types), actions, and data schemas the API will provide.
- Write the API definition (API-first approach) or generate the API definition from code (code-first approach).
- Peer review by product owners and developers to ensure the API meets functional requirements and style guidelines.
Define Authentication and Authorization policy
Produce an authentication and authorization policy that all stakeholders can review
Every API must have a way to protect the data it exposes. A team should define a data access policy considering how a client will authenticate, what data a client is authorized to create, read, update, and delete, and how frequently a client may perform such actions. Product owners should be involved in defining the roles or attributes relevant to the authorization policy.
There can be cases in which the properties of the data itself have security implications. For example, a user may be permitted to change their password, but the value of the password must pass certain criteria for password strength. As another example, a user may be permitted to share a resource with another user, but that user must be a member of the same organization as the user granting access. Such examples illustrate how certain business logic rules are motivated by security requirements.
A clearly expressed security policy is provided for review by all stakeholders (product owners, development team, and security team). Further, the security policy is also used to validate the behavior of the API implementation.
Implement the API
Create a working implementation of the API using best practices.
Developers implement an API by writing code to handle and respond to client requests, often using some framework for API development. The code must fulfill the contract of the API definition.
In addition, developers must satisfy all security requirements identified in the feature design. Developers should follow secure coding best practices to avoid security vulnerabilities.
- Utilize frameworks and technology as prescribed by the organization.
- Satisfy the security requirements of the organization.
- Use secure coding best practices when implementing APIs. Developers should pay attention to the most common oversights: proper access control checks, input validation and sanitization, and mass assignment.
There are technology-specific guidelines for developers, such as:
Test the API continuously
Ensure API quality (functionality, performance, security) is maintained over time
Testing is necessary to ensure that an application must meet requirements. The API definition and security policy produced by the design activities specify the expected behavior that must be validated. Any change to the API definition, the security policy, the application implementation, or the application configuration can cause a discrepancy between the actual behavior of the API. API Testing should be performed at each stage of software production.
Initially, developers may test locally and as part of automated CI/CD jobs. Then, as an application is promoted to a new environment, testing should also be performed to ensure that any configuration in the environment does not cause an API to behave differently than expected.
Types of testing that should be performed include:
- Validate the business logic with functional test cases.
- Ensure that the requests and responses of the API implementation conform to the API definition. This is critical because the API definition is the contract upon which other developers and applications depend.
- Identify which API operations transmit sensitive information to inform security posture.
- Validate any data access policies. Access control is the #1 security risk for APIs that leads to data breaches.
- Verify secure coding practices have been followed by testing for common vulnerabilities, such as improper input validation (e.g., injection attacks), and mass assignment.
- Measure the performance of the API under concurrent client load.
- Validate any rate-limit policies.
Secure API Development Methodology - Cheat Sheet
Build Secure APIs using an easy to follow development methodology
Security is everyone's responsibility
Achieve both feature velocity and API security
While the activities above may appear tailored toward development teams, who are chiefly responsible for delivering high-quality and secure software, software development is a collaborative process among multiple stakeholders: product owners, quality assurance, operations, and security.
To develop secure APIs, organizations need to ensure efficient collaboration between development and security teams. In many cases, software engineers can outnumber security engineers by orders of magnitude (e.g., 10:1, 100:1). Since developers are not always security experts, security teams need to assist development teams in ways that can scale.
Effective development processes and proper tooling can ensure that security teams have oversight and involvement without introducing impediments to software development velocity.
Security teams can participate in creating and reviewing an appropriate security policy for an API. Using tools for security testing can automate the validation of the security policy. These tools can be operated primarily by development teams, with guidance and oversight from the security team.