Building a secure API in a cloud computing environment is a challenging task. In this article, security researcher Dejan Lukan describes a number of things businesses need to keep in mind when developing secure APIs.
An Application Programming Interface (API) is an extension of a normally running application that lets users interact with it programmatically rather than through its user interface.
APIs are used for many purposes, such as extracting data from databases, sending and saving data to databases, and pushing tasks onto queues, but their primary purpose is to let users interact with an application in an automated way, from programs or scripts. In a virtualized environment with no API support, every step must be invoked manually by the user. With thousands of virtual machines in the system, every operation would have to be performed by hand on each virtual machine individually, which is slow and tedious. This is the value an API brings: it gives users automated interaction with the application without any manual steps.
In this article, we'll look at how APIs work in a cloud computing environment, including the different types, their specific roles, and best practices for developing secure APIs in cloud computing.
Types of APIs
When designing an API, it is important to keep a few things in mind. Whenever a message is sent over a communication channel, it is handled according to a protocol: a set of rules that the sender and the receiver have agreed on in advance. To protect API messages crossing the Internet, we should use a secure protocol. Before a message is sent over the network, the security protocol encrypts it on the client; on arrival, the protocol decrypts it on the server, which then processes it, and the same happens in the other direction for the response. In practice this means running the application protocol over TLS. Examples of protocols that can be used to send messages securely over the Internet include HTTPS, POP3S, IMAPS, SMTPS, LDAPS and XMPPS. Note that TLS only protects the message in transit: it neither authenticates the user nor validates the message contents, so the server still has to do both.
The data format of a message is independent of the transport protection described above, so the message body can be expressed in several formats. Typically the format is XML, JSON or HTML (the three formats offered by OWASP ZAP's API, for example), so end users can choose one when interacting with an application. The format is not security-neutral, however: each one brings its own parser and its own parsing pitfalls, so the server must parse untrusted input with a hardened parser (for XML, with external entity resolution disabled) and validate the decoded data before acting on it. One of the most important properties of an API is that it is extensible and usable from a variety of programming languages. If an appropriate protocol is used, users can easily write programs in any language that interact with the API. The protocol should be one that has been widely supported and validated through years of practical use; a well-known example is HTTP. API styles commonly used for message exchange over the Internet include REST, SOAP, XML-RPC and JSON-RPC.
Developing a new API
When developing an entirely new application programming interface for a cloud computing application, the following issues must be addressed:
Identity: A server does not automatically know who is using a cloud computing service for the first time, so the user must identify themselves. Typically, the user provides a user ID or a public key that uniquely identifies them. The identifier itself is public information, so an attacker can just as easily claim to be a particular user; claiming an identity proves nothing on its own.
Authentication: To prove the claimed identity, the server issues a challenge. The correct answer is something only the legitimate user knows or holds: a password, a key, a token, or similar.
Authorization: Once a user has proven their identity, they request access to a particular resource or operation. The application then checks whether this user is allowed to access the requested resource or perform the requested operation, and only then grants access. This check has to happen on every request and against the specific object being requested, not just once at login.
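The identity, authentication and authorization steps above end in a per-request decision. The following is an added example (not code from the original article or from any particular cloud provider) of that last step for a virtual-machine API: authorization is deny-by-default, and the decision is made against the specific VM being requested, so a caller who is allowed to restart their own machine cannot restart someone else's just by changing the ID in the request. The roles, actions, inventory and callers are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller: identity plus the roles assigned to it."""
    name: str
    roles: frozenset


@dataclass(frozen=True)
class VirtualMachine:
    vm_id: str
    owner: str


# Constructed policy for the example: which roles may perform an action on any VM.
# Actions absent from this table are denied for everyone (deny by default).
ROLE_PERMISSIONS = {
    "vm:read": frozenset({"viewer", "operator", "admin"}),
    "vm:restart": frozenset({"operator", "admin"}),
    "vm:delete": frozenset({"admin"}),
}

# Actions a VM's owner may always perform on their own VM, regardless of role.
OWNER_ACTIONS = frozenset({"vm:read", "vm:restart"})


def is_authorized(principal: Principal, action: str, vm: VirtualMachine) -> bool:
    """Object-level check: the answer depends on the caller, the action AND this particular VM."""
    if action not in ROLE_PERMISSIONS:
        return False
    if vm.owner == principal.name and action in OWNER_ACTIONS:
        return True
    return not ROLE_PERMISSIONS[action].isdisjoint(principal.roles)


def handle(principal: Principal, action: str, vm_id: str, inventory: dict) -> tuple:
    """Resolve the target object first, authorize against that object, then act.
    Returns an (HTTP status, body) pair."""
    vm = inventory.get(vm_id)
    if vm is None:
        return 404, "no such vm"
    if not is_authorized(principal, action, vm):
        # An authenticated caller asking for something it may not do: refuse and log it.
        return 403, "forbidden"
    return 200, f"{action} on {vm.vm_id} by {principal.name}"


# Constructed inventory and callers.
INVENTORY = {
    "vm-1": VirtualMachine("vm-1", owner="alice"),
    "vm-2": VirtualMachine("vm-2", owner="bob"),
}
ALICE = Principal("alice", frozenset({"viewer"}))
CAROL = Principal("carol", frozenset({"admin"}))

if __name__ == "__main__":
    for who, action, vm in [(ALICE, "vm:restart", "vm-1"), (ALICE, "vm:restart", "vm-2"),
                            (ALICE, "vm:delete", "vm-1"), (CAROL, "vm:delete", "vm-2")]:
        print(who.name, action, vm, "->", handle(who, action, vm, INVENTORY)[0])
```

Alice can restart vm-1 because she owns it, but not vm-2, and she cannot delete even her own VM because deletion is reserved for the admin role. Returning 404 before 403 tells an authenticated caller which VM IDs exist; APIs that consider that an enumeration risk return 404 in both cases.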
Identification and authentication techniques
Applications can use a number of techniques to identify and authenticate users:
Username and password: A username and password pair can authenticate a user through HTTP Basic or Digest authentication. With Basic authentication the password travels in the request merely Base64-encoded, which is as good as plaintext. Digest authentication sends an MD5-based hash instead of the password itself, but the scheme is dated (MD5, no protection of the rest of the request) and a captured exchange can still be used for offline password guessing. Either way, the request must go over a secure channel such as HTTPS.
Session: After a username and password have been submitted, the application responds with a session cookie, and the client sends that cookie with every subsequent request instead of the credentials. The session identifier must be long and unpredictable, and the cookie should be marked Secure and HttpOnly so that it is only sent over HTTPS and cannot be read by scripts in the browser.
Certificate: A public key infrastructure (PKI) can be used to authenticate the user with a client certificate. With this approach both the server and the client hold a certificate issued by a trusted certificate authority, and each side verifies the other's certificate chain during the TLS handshake (mutual TLS). The server then takes the identity from the verified certificate rather than from anything in the request body.
Delegated authorization: OAuth is generally used when one application acts on a user's behalf towards another application. For example, an application with a "share to Twitter" button typically uses OAuth: the user authorizes the application to access the Twitter API on their behalf without ever giving the application their Twitter password.
Custom authentication scheme: A custom authentication scheme can identify and authenticate users through a dedicated protocol. A proprietary protocol is usually not a good choice, because it is used in only one application and has not had the scrutiny that established protocols have received. Well-known protocols are usually better: users are already familiar with them, which minimizes learning time, and their weaknesses are documented. If a custom scheme is unavoidable, it should be designed and implemented by an experienced security team, because it is a complex and error-prone undertaking.
API key: An API key can identify and authenticate the user on the first request to the server, before any session has been established. In short, an API key is a long random secret known only to the application running on the server side and to the client, which sends the key with each API request. An API key is better than a username and password because it has far higher entropy, so it cannot be guessed, and it can be scoped and revoked independently of the user's own password, which limits the damage if it leaks. It is still a bearer credential, though: it must only be sent over HTTPS and should be stored server-side as a hash, as a password would be.
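The username/password, session and API key methods above share the same server-side mechanics: decode what the client sent, compare it against a stored hash in constant time, and refuse anything that did not arrive over HTTPS. The following is an added example (not code from the original article) that implements all three in one place: HTTP Basic verification, minting a session cookie with the Secure, HttpOnly and SameSite flags once Basic succeeds, and generating and verifying a high-entropy API key. The user store, the password and the request headers are constructed for the example; the `scheme` argument is assumed to be supplied by the web framework from the connection it accepted. Digest authentication is not implemented here.

```python
import base64
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie


def _digest(secret: str) -> str:
    """Store and compare only hashes of secrets, so a database leak does not leak credentials.
    SHA-256 is fine for random API keys and session tokens; for user-chosen passwords a slow
    hash such as bcrypt or argon2 is the right choice, not used here to keep the example
    standard-library only."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed stores for the example; a real service keeps these in a database.
USERS = {"alice": _digest("correct horse battery staple")}   # username -> digest(password)
API_KEYS: dict = {}                                          # digest(key) -> username
SESSIONS: dict = {}                                          # digest(session token) -> username


def basic_header(username: str, password: str) -> str:
    """What a client puts in the Authorization header: Base64 of 'user:pass', not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def issue_api_key(username: str) -> str:
    """Generate a 256-bit random key, keep only its digest, and hand the key to the client once."""
    key = secrets.token_urlsafe(32)
    API_KEYS[_digest(key)] = username
    return key


def _check_password(username: str, password: str) -> bool:
    stored = USERS.get(username, _digest(""))             # dummy digest for unknown users ...
    ok = hmac.compare_digest(_digest(password), stored)   # ... so timing does not reveal valid names
    return ok and username in USERS


def authenticate(headers: dict, scheme: str):
    """Return the authenticated username, or None.
    `headers` are the request headers; `scheme` is the URL scheme the request arrived on."""
    if scheme != "https":
        return None                                  # never accept credentials over plaintext HTTP
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):     # malformed Base64 or non-UTF-8 bytes
            return None
        return user if _check_password(user, pw) else None
    key = headers.get("X-API-Key")
    if key:
        # Looking up the digest means the raw key is never compared byte by byte.
        return API_KEYS.get(_digest(key))
    cookie = SimpleCookie(headers.get("Cookie", "")).get("session")
    return SESSIONS.get(_digest(cookie.value)) if cookie else None


def start_session(username: str) -> str:
    """After a successful login, mint an unguessable session token and return the Set-Cookie value.
    Secure: only sent over HTTPS. HttpOnly: invisible to scripts. SameSite=Strict: not sent cross-site."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = username
    c = SimpleCookie()
    c["session"] = token
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["samesite"] = "Strict"
    c["session"]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    hdr = basic_header("alice", "correct horse battery staple")
    print(authenticate({"Authorization": hdr}, "http"))     # None: plaintext transport refused
    user = authenticate({"Authorization": hdr}, "https")    # 'alice'
    print(start_session(user))                              # Set-Cookie value with the three flags
    print(authenticate({"X-API-Key": issue_api_key("alice")}, "https"))   # 'alice'
```

The same request over `http` is refused before any credential is examined, which is the server-side counterpart of the HTTPS advice earlier in the article. Rate limiting on the Basic path is deliberately left out; it belongs in front of this code, not inside it.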
Conclusion
These techniques underpin the development of secure APIs, whether you are developing a custom API or using a cloud computing provider's API.
When choosing a cloud service provider (CSP), determine whether it offers an API. The API will prove its value when you automate deployment or write scripts against the service. The CSP should have proper documentation and security test results that demonstrate the soundness of its API design and security.
For a custom API, it is critical to have a security consultant or penetration tester test the API regularly: before it goes into production and every time significant code is released. Doing so helps eliminate vulnerabilities that would let the API be used for malicious attacks that harm the security of your application's users.