Programming Security

API Security

There is a growing need for more secure networks, and that need keeps growing. Enormous amounts of data are passed over the web, and some of it is extremely sensitive.

Almost every week we hear about a company being breached, thousands of sensitive records exposed, and the company's reputation put at risk.

APIs are an integral part of business strategy across industries, and their adoption shows no sign of slowing down. Each API is different, and it is difficult to prevent every vulnerability. As you can easily understand, an API used to gather information does not need the same precautions as an API that sends sensitive medical data across the network. So what should you design for? The worst-case scenario.

First of all, we want to ensure that the web server is authenticated before any information is transferred. Authentication and authorization are used together, but they are not the same thing:

  • We use authentication to determine the identity of an end user; this can be done with a username and password, certificates, hardware keys, etc.
  • Authorization controls access and determines which resources or data the identified user may access.

Many attacks are possible, with many methods and targets, so let's look at vulnerabilities by target area:

  • Network (DDoS)
  • Operating System and Driver
  • Application layer (Session hijacking)
  • API (injection attacks, incomplete access control)

And now a checklist for implementing a secure API:

  • Use encryption to hide information from those who are not allowed to view it.
  • Use SSL/TLS to encrypt HTTP messages.
  • Signatures are used to ensure that API requests and responses have not been tampered with in transit.
  • The API gateway is a core piece of infrastructure that enforces API security.
  • Create quotas; with request quotas we protect the API from anomalous changes in behaviour (if a user normally calls the API once a minute, it is unlikely that you will legitimately receive thousands of requests per second from them).
  • Use a sniffer to analyze the call-home traffic.
  • Add security scans to new or existing functional tests.
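As an added example (not code from the original page), here are the signature and quota items from the checklist above implemented in Python: the client signs each request with HMAC-SHA256 over the method, path, timestamp and body hash, the server verifies it with a constant-time comparison and a timestamp window that bounds replay, and a fixed-window counter enforces a per-client quota. The client id, shared secret and limits are constructed sample values, not real ones.

```python
import hmac
import hashlib
import time

# Constructed sample shared secret and policy values (assumptions, not from the page).
CLIENT_KEYS = {"client-42": b"constructed-demo-secret"}
MAX_SKEW_SECONDS = 300      # reject timestamps more than 5 minutes off
QUOTA_PER_MINUTE = 60       # per-client request quota

def canonical(method, path, timestamp, body):
    # Bind every field that could be altered in transit into the signed string.
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()

def sign_request(client_id, method, path, body, timestamp=None):
    """Client side: produce the headers that accompany a signed request."""
    ts = int(timestamp if timestamp is not None else time.time())
    mac = hmac.new(CLIENT_KEYS[client_id], canonical(method, path, ts, body), hashlib.sha256)
    return {"X-Client-Id": client_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}

def verify_request(headers, method, path, body, now=None):
    """Server side: return (ok, reason); malformed input is a rejection, never an exception."""
    now = int(now if now is not None else time.time())
    key = CLIENT_KEYS.get(headers.get("X-Client-Id"))
    if key is None:
        return False, "unknown client"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"      # bounds replay of a captured request
    expected = hmac.new(key, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    supplied = str(headers.get("X-Signature", "")).encode()
    if not hmac.compare_digest(expected.encode(), supplied):
        return False, "bad signature"        # constant-time comparison
    return True, "ok"

_windows = {}  # client_id -> (minute, count); in-memory, single process only

def within_quota(client_id, now=None):
    """Fixed-window quota: True while the client is under QUOTA_PER_MINUTE."""
    minute = int(now if now is not None else time.time()) // 60
    start, count = _windows.get(client_id, (minute, 0))
    if start != minute:
        start, count = minute, 0
    count += 1
    _windows[client_id] = (start, count)
    return count <= QUOTA_PER_MINUTE
```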