How OAuth API keys reduce API security threats
Subra Kumaraswamy, Chief Security architect of the API aggregation platform Apigee, discussed with us the best practices for API security.
With the cracked API version, we have more methods to prevent API security vulnerabilities. Unfortunately, hackers can easily destroy APIS by using several simple attack methods. Subra Kumaraswamy is the chief Security architect of Apigee, a supplier of API management systems, and a collaborator of Cloud Security and Privacy (an article from o'reilly media. He said that in response to hacker attacks, developers had to adopt multiple methods to ensure API security.
As one of the founders of Cloud Security Alliance, Kumaraswamy believes that developers must add appropriate Security tools, such as speed limits and Security token management, to the API Management Console. Instead of creating a protection solution for each type of application, Kumaraswamy recommends that developers use API gateway for subsequent work and support global policy implementation.
In this interview, Kumaraswamy gave us several suggestions on creating strong API security, including using OAuth, providing API keys, authentication mechanisms, and aws api security.
What is the status of the OAuth framework during API creation? Is this method still feasible?
Subra Kumaraswamy: During API security construction, the OAuth [Open Authorization] framework is a very familiar Authorization framework. OAuth2.0 attaches great importance to the simplicity of client development while providing specific authorization functions to Web applications, desktop applications, mobile applications, and Iot. However, we need to note that OAuth is a delegated authorization protocol, rather than a real authorization protocol. Therefore, OpenID Connect, which goes beyond the OAuth standard, is listed as an optional solution for developers. In addition to granting applications access to protected user representative resources, these developers also want to programmatically verify user identities.
How can I select and use the most appropriate authentication method to log on to the local application when the API knows which client sends the request?
Kumaraswamy: After the terminal customer authentication function is added to the local application, the developer application uses the three-legged stream OAuth2.0. In this model, taking the previous successful user authentication as an example, the authorization server of the local application contains a short-term access token and a long-term refresh token. The access token provides the API service with access to protected resources. Using the refresh token updates the short-term access token. This method can reduce logon conflicts and maintain continuous interaction between users and mobile applications. In case of token leakage, developers can use the relief valve to easily undo the access token and refresh the token.
What common errors do developers make when providing API keys? How can we avoid these errors?
Kumaraswamy: Before Accessing Protected Resources, the API key must be verified by the API gateway. A common error is that, when providing a key, the platform will be given a privilege not required to operate some applications, which conflicts with the API. For example, if you expose API Payment Verification to software developers, the API key should be used only for payment verification, and should not be granted the privilege to modify the payment details.
Another common error is that the API can be accessed without limit when the key has no quota. This can cause denial-of-service attacks and collect important data through automated robots. Using hashes and random factors to protect API key certificates is a standard practice, such as SHA-256 or another higher version.
What problems should developers pay attention to when creating API security?
Kumaraswamy: developers should start with an API threat model and try to understand the operating principles of threats, such as internal APIs and external APIs, based on the application model. They must be aware that some factors threaten API users, such as trusted developers, self-registered developers, and their partners. After understanding this information, API designers and developers must establish appropriate security measures to respond to various threats.
For example, we can see that untrusted developers in the API threat model can see some sensitive data through the network. No matter whether sensitive data in the transport layer is in the transport or static state, developers must use encryption technology to implement protection.
Developers should ensure the security of standard applications to the optimal state, for example, by using dynamic and static encoding analysis tools to test whether the API has the standard OWASP Top 10 defect. Finally, developers should record API activities in a secure location and regularly review any abnormal behaviors, such as API profiteering cracking attacks.
What are the security advantages and disadvantages of AWS APIs?
Kumaraswamy: aws api and certification mechanism are unique to Amazon and play a certain role in managing AWS infrastructure as a service resource. The signature-based request model (HMAC, a signature-based authentication model, is a hash-based message Verification Code) can also protect AWS APIs. HMAC combines the hash function with the symmetric key shared between the customer and AWS. AWS customers sign each API request based on request information (such as AWS services, scopes, activities and time stamps) and AWS private keys shared between developers. Aws api security mechanisms verify user identities and provide complete protection for REST calls, while preventing further attacks. In some way, AWS's authentication mechanism is similar to OAuth.