Application Programming Interface (API)


An application programming interface (API) is the set of methods exposed by a script or program that allow other scripts or programs to use it.

  • is a set of functions and procedures that allow two or more applications to communicate with each other
  • API defines:
    • the types of calls or requests that can be made
    • how to make them
    • the data formats that should be used
    • and the conventions to follow
  • provide extension mechanisms so that software can extend its existing functionality
    • e.g.,
      • SOAR platform needs to analyze a URL against the VirusTotal database
      • SOAR can submit the URL via VirusTotal’s API to receive information regarding its status or trustworthiness

API Keys

API keys are unique identifiers used for authentication and authorization to an API.

  • may be associated with privileges or resource restrictions
  • breaches can allow unauthorized third parties to gain access to API

Types of APIs

RESTful API

Representational State Transfer (REST) is a software approach designed to scale the capabilities of web-based applications.

  • based on guidelines and best practices for creating scalable web applications
  • characteristics:
    • low processing/traffic overhead (lightweight)
    • uses simple URLs/URIs
    • Not reliant on a single programming language
    • Scalable
    • offers output in multiple formats (XML, JSON, etc.)
    • Uses HTTP verbs
      • POST to create an object
      • GET to read data
      • PUT to update or replace data
      • PATCH to update or modify an object
      • DELETE to delete an object
    • Efficient
      • smaller messages than alternatives
  • Best situations for REST:
    • bandwidth is limited
    • stateless operations are used
    • caching is needed

SOAP API

Simple Object Access Protocol (SOAP) is a protocol specification providing for the exchange of structured information or data in web services.

  • works over other protocols
    • e.g., SMTP, FTP, HTTP
  • Characteristics:
    • Standards based
    • Reliant on XML
    • Highly intolerant of errors
    • Slower
    • Built-in error handling
  • Best situations for SOAP:
    • well suited to asynchronous processing
    • format contracts
    • stateful operations

API Service Models

  • Public APIs
    • provided to anyone outside the organization
    • allow for integration by third parties
    • often licensed or have pay-per-use model
    • need to be secured against misuse and overuse
  • Partner APIs
    • provided to business partners
    • used as part of shared business processes
    • exposed outside the organization
      • so require additional security and monitoring
  • Private/Internal APIs
    • used for internal purposes only
    • not made available to third parties
    • often exposed via an internal API directory
    • can leverage internal authentication and authorization capabilities

Security

  • Regardless of format, APIs grant access to applications and data
  • can lead to data leakage or other issues if not properly secured
  • should validate the security of APIs

Threats to APIs

  • Common API threats:
    • Injection attacks
    • DoS attacks
    • Poorly secured API servers or services
    • On-path attacks
    • Credential attacks
      • stolen credentials
      • accidental API key exposures
      • brute force attacks
    • Poor API generation techniques

API Security Best Practices

  • Implement authentication and authorization
    • using API keys
  • validate all requests
  • encrypt both requests and responses
  • use logging and throttling
    • to document use and prevent overuse or misuse
  • conduct regular security tests
  • maintain an API inventory or catalog
  • only send information that is required in an API request
  • API key security
    • avoid API keys in code or code repositories
    • restrict their use
    • delete unneeded API keys
    • regenerate keys so long-lived keys aren’t useful to malicious actors that acquire them
  • Protecting RESTful APIs: OWASP REST Security Cheatsheet
  • For third party APIs:
    • keep audit trails and handle API keys properly
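The following is an added example (not from the original notes) showing how several of the best practices above fit together in a small API key check: keys loaded from the environment rather than hard-coded, only a hash of each key stored, constant-time comparison, per-key privilege restrictions, throttling, and an audit log. The key store, scope names, and the sample key are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Hypothetical key store. Only a SHA-256 digest of each key is stored (API keys
# are high-entropy, so a fast hash is acceptable here, unlike passwords).
# The sample key is constructed for this example and read from the environment
# so it never has to live in source code.
SAMPLE_KEY = os.environ.get("DEMO_API_KEY", "demo-key-0123456789abcdef")
KEY_STORE = {
    hashlib.sha256(SAMPLE_KEY.encode()).hexdigest(): {"scopes": {"read"}, "rate_limit": 3},
}

AUDIT_LOG = []                      # one record per decision, for logging/monitoring
_request_times = defaultdict(list)  # key fingerprint -> recent request timestamps


def _log(key_fp, outcome, detail=""):
    # Log a short fingerprint only; the full key never reaches the log.
    AUDIT_LOG.append({"ts": time.time(), "key": key_fp[:8], "outcome": outcome, "detail": detail})


def lookup_key(api_key):
    """Hash the presented key and compare in constant time against stored digests."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored, record in KEY_STORE.items():
        if hmac.compare_digest(stored, digest):
            return digest, record
    return digest, None


def authorize(api_key, method, now=None):
    """Return an HTTP status: 401 unknown key, 403 scope denied, 429 throttled, 200 allowed."""
    now = time.time() if now is None else now
    fp, record = lookup_key(api_key)
    if record is None:
        _log(fp, "denied", "unknown key")
        return 401
    required = "read" if method == "GET" else "write"   # map HTTP verb to scope
    if required not in record["scopes"]:
        _log(fp, "denied", f"scope {required} not granted")
        return 403
    window = [t for t in _request_times[fp] if now - t < 60]  # sliding 60 s window
    if len(window) >= record["rate_limit"]:
        _log(fp, "throttled")
        return 429
    window.append(now)
    _request_times[fp] = window
    _log(fp, "allowed", method)
    return 200
```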