API Gateway Security Best Practices
Using an API gateway helps manage calls to your infrastructure. It provides a central point for handling problems like security and monitoring. Your gateway can also handle scaling and routing issues, and even [translate calls from one form to another].
An API gateway also acts as a guardian, protecting your backend services. It can validate incoming calls and limit their frequency. Without a gateway, your APIs are exposed directly, and vulnerable to malicious actors. However, just using a gateway isn't enough. For example, built-in security does not protect against zero-day attacks and provides only limited protection against exploitation of existing vulnerabilities.
In this article, you will learn more about API gateway security and what you can do to ensure your setup offers the best possible protection, as well as how to defend yourself against different types of attacks.
Why Secure Your API Gateway?
API gateway security is the practice of configuring your gateway to offer the best protection against all known forms of attack. It's an ongoing process, as you need to be alert to emerging threats. Some popular gateway options include Kong, which claims an impressive 446x speed advantage over its competitors. There's also Ambassador which aims to reduce developer time and let you implement best practices easily. Whichever gateway you choose, there are several things you need to do to protect it. The gateway needs to consistently act as the single point of entry for your APIs, and all endpoints need to be encrypted and logged. The gateway also needs to prevent malicious injection of code or tokens and to limit access rates to prevent denial of service attacks. In addition, effective protection against exploiting vulnerabilities including zero days should be added for effective and preemptive prevention of common attack types. Built-in capabilities of API Gateway are usually limited in this regard so that a modern, automatic, integrated security solution like open-appsec should be added. In the next section, you'll take a closer look at these and see how they work.
How Can You Secure Your API Gateway?
There are several steps you should take to secure your API gateway starting with encryption and logging. After you've learned about these, you'll look at a few more advanced techniques. It's important to note that none of these methods will offer you complete security, but in combination, they offer you a high degree of protection against attacks.
Make Sure Endpoints are Secure
If you're reading this, you probably don't need to be told to encrypt your data. However, there are still people out there who ignore this basic step. Encryption is a must, even if it just means using HTTPS to prevent traffic snooping. Without that, anyone sitting next to your users at the local coffee shop can potentially eavesdrop on your traffic. Anyone with access to a router, or any intermediate node that relays your data across the internet, can view all your outgoing and incoming traffic, potentially intercepting personal data or other sensitive information. However, HTTPS isn't a silver bullet, as there are still attacks that can intercept and decode HTTPS traffic. Compromised routers and manipulator in the middle attacks are still possible. Encryption will protect you against the majority of casual snooping, but it isn't perfect.
Enable Logging and Maximize Observability
Monitoring your system as fully as possible is crucial for security. In addition to enabling you to spot minor errors before they become major problems, logs can help you identify malicious actors. The data you store can also be analyzed for problems that might not be detected on a per-transaction basis. For example, someone repeatedly making an unusual call might have discovered an unknown exploit. Centralizing your logs and observability tools is a key advantage of sending your traffic through a gateway. It's relatively simple to send your access logs to a centralized log repository if they're already going through a common point of access.
Access APIs Only Via the API Gateway
Once you've got your gateway in place, you need to make sure it's actually used. That means it should be the exclusive means of accessing your APIs. This narrows your attack surface and shuts down other, undefended points of entry. If you misconfigure a service or leave something out, then it is still exposed to all the threats you're working to block. That could undermine the security of your entire system, so it's essential to check everything is covered. To test that everything is going through the gateway, you need to make sure your monitoring can differentiate between calls that do go through it, and those that originate from a different source. That way you can eliminate the latter, and make sure they're routed properly. This also allows adding an advanced, preemptive machine learning-based security solution like open-appsec at this important transition point.
Use Schema Validation
Attackers can use malicious API calls to gain unauthorized information. They can do this by exploiting bugs in the API itself or flaws in the software that handles requests. If services with elevated access contain flaws, malicious API calls can also make system calls on the API host system, or delete records the caller isn't supposed to have access to. Schema validation at the gateway level ensures that only requests that match documented API calls are allowed, giving you an additional layer of protection. It also lets you detect nonstandard calls, which can help you fix bugs. Not all malformed calls are malicious. open-appsec handles API security using two protection models, which are based on contextual machine learning. The first uses a negative security model.
Here, potentially malicious payloads are detected and forwarded to the second protection model for further analysis. In the second model, contextual analysis is performed to reach a strong confidence level of the payload really being malicious and if that’s the case it gets blocked by the web application firewall (WAF). This also reduces false positives significantly. In addition to the two models, all requests are validated against the predefined API schemas before being delivered to the backend. Only calls that match the Schema are let through. Others are prevented and logged, so you can identify sources of bad calls.
Rate Limiting API Calls
Rate limiting is another important protection method. Many [denial of service attacks] work by overwhelming you with incoming connection attempts, rendering your system inaccessible. Detecting and blocking these requests prevents your services from becoming swamped. As well as costing you bandwidth, malicious calls can cause problems due to memory overuse, excessive CPU execution time, or overwhelmingly large volumes of data being requested from databases. All of these things have to be guarded against. Fortunately, you have several options. Ways to implement rate limiting include the following:
Pagination involves returning a limited set of results. A query that could return millions of results might just return the first hundred. These could be cached too, allowing you to handle further calls without going back to the API. Kong gateway, for example, allows reverse caching, where you configure it to handle repeated requests without calling the underlying services.
Filtering can involve detecting and rejecting spam requests, or even blocking non-essential calls when the server is under pressure. There is some crossover here between other methods discussed elsewhere, such as schema validation and preventing injection attacks.
Time-based constraints are a method of reducing heavy traffic by only allowing a certain number of calls in a specific time period. This can be broken down further, allowing you to limit calls from specific IP addresses or regions, or calls to particular services or physical servers.
Actively Prevent Injection Attacks
Using a dedicated tool to detect attacks adds a further layer of protection on top of what your gateway already provides. Security tools can detect attacks by cross-referencing them against known vulnerabilities. For more thorough protection, some tools use machine learning to detect payloads that don’t precisely match known attacks.
open-appsec uses contextual machine learning to analyze request payloads. It assigns them a score based on various factors, such as similarity to other attacks and the reputation of the request source. If the score is too high, the call is blocked. This technique is very effective at blocking new attacks and lets you avoid false positives that often reduce the appeal of using AI-based systems.
An intrusion prevention system (IPS) can actively seek out malicious activity by looking out for anomalous traffic and bad patterns and detecting common known vulnerabilities.
open-appsec’s IPS can detect over 2,800of these and also allows using custom snort signatures to recognize traffic that you want to allow or block from using your network. An advantage of the snort system is that it allows you to share rules between platforms. That's especially useful as your access rules become more elaborate, or if you need to meet certain security standards for legal or regulatory reasons.
Update Regularly and Effectively
Because new security threats are continually emerging, you need to keep your software up to date. Software vendors are in a constant arms race with hackers. They need to patch the latest vulnerabilities before they become widely exploited.
Make sure you stay on the right side of the battle by updating your software infrastructure and dependencies regularly. You need a system in place for doing this, as updates can sometimes introduce incompatibilities.
A comprehensive patch management strategy is required. However, updating tools immediately when new versions are released isn't always the best method. Sometimes new versions of software introduce flaws of their own, so you have to keep tabs on that. It's helpful to have at least one team member monitoring the news for security issues. open-appsec as an integrated security solution can help prevent attacks exploiting unpatched vulnerabilities as it “virtually patches” many known and unknown vulnerabilities at API gateway level. This closes the vulnerability window and therefore reduces the security risk significantly until the internal services have been fully patched.
Other general principles you can follow to limit attacks are to limit the amount of exposed data, avoid using generic names for undocumented system calls that can potentially be guessed, and make sure to test your entire system thoroughly. Many of the principles used to develop quality software, such as proper documentation, help with the security picture, too. Tidy software has fewer loose ends, works more consistently, and is harder to break into.
API gateway security is essential for protecting your systems and allowing them to interact with the world safely. Getting it right is an important investment that can save you huge headaches further down the line. Gateways can't do everything themselves, though. Best-in-class security tools can help protect them. Techniques such as rate limiting, schema validation, and intruder detection all have a part to play. Options like open-appsec, which provide automatic and preemptive security for API Gateways are available to help. open-appsec will soon be working with popular gateways like Kong and Ambassador, and it has integrations with many other tools (e.g. NGINX). That makes it quick and easy to boost your security and stay one step ahead in the security race.