Creating APIs for your SaaS products provides invaluable benefits to your customers, allowing developers to plug into your resources and bring their products to market more quickly and efficiently than ever before. An API also allows you to integrate easily with other SaaS organizations, expanding your range of functionality to offer customers new features, increase your inherent value as a provider, and gain a competitive edge in the marketplace.
As with most beneficial technology, however, APIs are not without their risks. Exposing your APIs can leave you vulnerable to theft of API keys, a fairly easy way for cybercriminals to carry out denial of service attacks if you haven’t implemented the right security measures. These attacks overwhelm your server with data requests, crippling the availability of your product, and even costing you money, should the attackers demand a ransom.
At Threat Stack, we recently released Version 2 of our REST API, which serves as a way for customers to connect to our organization and extract critical information around security concerns in their environments. With Version 2, we have incorporated updates to meet industry best practices and to better protect ourselves and our customers’ data. Drawing on this experience, we have outlined below the ways in which you as a SaaS company can better manage security for your own APIs.
1. Authenticate Users
At the most basic level, you need to know who is using your API in order to protect it from outsiders. Therefore, it’s necessary to register users by providing them with API keys. Enforcing simple authentication by assigning API keys allows you to limit usage of your API to your customers, track that usage, and identify who is making what request.
2. Encrypt API Keys
Despite today’s use of API keys to authenticate users, the technology was not originally meant as a way to authorize access to data. Problems creep in, therefore, when developers don’t treat API keys as the critical assets that they are.
While encryption over HTTPS is a step in the right direction, it simply doesn’t go far enough to protect you from man-in-the-middle attacks. Strong encryption is especially vital for SaaS organizations that collect customer information in order to prevent critical data from falling into the wrong hands.
For this reason, we chose to add an HTTP authentication scheme to Version 2 of our API. The Hawk authentication protocol implements hash message authentication code (HMAC) signing based on the API key provided. With Hawk, users provide their assigned user ID, organization ID and API key when requesting data. We never transmit the API key over the network itself in the clear; it is included in the HMAC instead. Therefore, if a man-in-the-middle attack succeeds in obtaining a user’s two unique IDs, Hawk manages to keep the API key hidden.
Takeaway: Deploy strong encryption for all API keys. We recommend HMAC tools like Hawk.
3. Enforce Authorization
While API keys work to identify a user, they can also be used to apply varying levels of permission to different users. Just as you may gate off content on your website, making it available only to administrator accounts, so too should you gate off certain APIs and carefully authorize the actions allowed therein.
Just think of the consequences of making all APIs available to every user: Not only would sensitive customer data be available to any registered user, but it would be possible for a user to make a malicious DELETE request on another user’s data. Enforcing authorization enables you to make particular APIs available only to particular API keys and to approve or deny requests based on those keys.
While Hawk provides us with the tools to enact authorization, OAuth 2.0 is perhaps the best known authorization protocol.
4. Deploy Rate Limiting
An unusual number of requests from a user in a designated time frame can indicate malicious activity in the form of a denial of service attack, so it’s important to recognize when such anomalous behavior occurs and to stop it in its tracks. In the instance that an attacker manages to bypass your encrypted authentication and authorization protocols (it’s possible!), rate limiting can prevent your API from being overwhelmed.
Threat Stack performs rate limiting both by organization and by IP address. If an organization makes more than 200 requests per minute, the user will receive an HTTP 429 error message and will only be able to make another request after a minute lapses. If the number of requests from an IP address exceeds 1,000 per minute, that address will be locked for 15 minutes. This rate-limiting functionality is provided by custom code built into our API that looks for unusual customer requests.
Takeaway: Limit data requests by organization and IP addresses to head off anomalous behavior.
5. Build Security in Layers
While not essential, adding an extra level of security through an outer firewall is a great addition if you can afford it.
Our API, for instance, goes through Cloudflare, which filters out known bad requests. Cloudflare can detect potential signifiers of malicious behavior, such as bad IP ranges or older versions of PLS, and can then deny connections to our servers based on this information.
Weighing the Challenges and Benefits of APIs
Throughout the industry, attackers are becoming ever more sophisticated. The security upgrades we have made to our API have helped us thwart these attackers and meet the needs of our evolving customer base.
While APIs certainly come with their share of risks, there’s no doubt that they drive innovation while providing SaaS companies with the opportunity to attract business, enter new market channels, and increase revenue. Following the proper protocols and industry best practices allows you to take advantage of the many benefits APIs provide while maintaining the strong security posture of a successful SaaS organization.