Major data hacks are unfortunately common occurrences in our modern world. The question we should all be asking ourselves whenever we see this news is, “Are my APIs and data secure?” If you’re asking that question after a hack occurs, you’re too late.
In this article, I will cover common threats and vulnerabilities that hackers often tap into. I will also share how MuleSoft can secure your APIs in today’s world of continuous API attacks.
MuleSoft uses a shared responsibility model. MuleSoft manages, updates, and maintains Anypoint Platform. The platform offers a broad choice of robust security features. Customers are responsible for using them in a way that complies with company security policies and regulatory requirements. MuleSoft alone cannot protect customers from these threats, however. Customers are equally responsible for the way solutions are designed and implemented.
As we think about security, we should consider security factors from the perspective of potential bad actors. How can they misuse our APIs? What do they want out of it? Below are some considerations to keep in mind that hackers often look for:
- Simple authentication or no authentication.
- Minimum or lack of authorization. If a hacker can access a single resource then they can access other resources using the same details.
- System-heavy API calls. This allows your system to be overloaded easily.
- Access to sensitive information like passwords, OTP in logs, API responses.
Now let’s categorize the above into some common threats and check how MuleSoft can enable you to protect yourselves against them.
Five most common API security threats
1. The threat from within: Insider threats
According to Wikipedia, “An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems.”
It is more difficult to detect your genuine users performing unwanted dangerous tasks in comparison to external threats. Most of the time, insider threats are unknown, unwanted, and unintentional but they can cause business losses, stability, and trust.
With MuleSoft Access Management capabilities, you can protect your APIs from insider threats. Security starts from the first point when you enter a platform because the first thing that you do to use a service in a secured online platform is log in. When your login is not secure, how can you ensure your APIs are secure enough? MuleSoft provides the following security capabilities:
- Enable multi-factor authentication (MFA) using any of the below multiple verification methods. Today MFA is quite common as passwords are sometimes easy to crack. These passwords provide access to more than one system which makes it even more important to enable stronger authentication.
- Third-party TOTP authenticator app
- Built-in authenticator
- Security key
- Salesforce Authenticator
- Configure identity management using one of the following single sign-on standards. Most of the companies use their standard Identity Access Management (IAM) like SSO with Microsoft, so when their internal employee accounts are created they are authenticated and authorized via IAM. With MuleSoft’s identity management capabilities, you can use your existing IAM and invite your users to the platform easily.
- Open ID connect
- SAML 2.0
- Align APIs with your internal business units to gain more granular control over access to resources. MuleSoft’s Business groups are self-contained resource groups that contain Platform resources such as applications and APIs. Every company has several departments that need access to different APIs, applications, and data and the Business groups feature allows you to govern that access easily. Please note that you can create up to 100 Business groups today.
- Manage user authorization using MuleSoft Teams. With Teams, you can set certain permission to groups and then assign users to these groups. It allows you to control who does what. For example, you can create a support team group that can only view logs but not stop applications. You should always follow the Principle of Least Privilege while setting permission to these groups or assigning uses to the groups.
- Manage user activity logs with the help of Audit Logging. With Audit Logging, any change that is made by a user is logged with all the details including when the user interacted with which system to perform what specific actions. For example, once we noticed that one of the old working non-production applications stopped working and started throwing connectivity errors. We suspected that the downstream system might be down but after checking auditing logs we found that one of the developers, out of curiosity, removed static IP which was being whitelisted by the downstream system. We were able to identify the source of the error and implement the appropriate solutions.
2. Software bugs
A software bug introduces vulnerabilities to APIs, allowing them to easily be exploited for bad actors to gain unauthorized information. To fix such bugs, MuleSoft introduced regular patches. You get monthly runtime patches which are applied over the third weekend in production. These patches are regular updates that do not always include security fixes because security-related bugs are fixed immediately with confidentiality. Read more about MuleSoft maintenance policy here.
MuleSoft is compliant with external audits with different security standards like ISO 27001, FIPS 140-2, SSAE-16 SOC2, PCI DDS level-1, and Hi Trust.
MuleSoft takes the protection of customers’ data very seriously and conducts vulnerability programs to find and fix bugs. Customers can also perform their own security assessment and penetration testing.
3. Injection threats
Injection threats are the most common threats which make up nearly half of all attacks. We must consider the injection threat while designing APIs. With complete support for RAML and OpenAPI, you can easily set input validation to reject any unwanted request that’s trying to exploit your data.
For example, a query parameter defined as a type string can be easily misused when not validated properly. You must think if the query parameter can be defined as an enum when you know the possible values or set a regex to filter any special character instead of only defining the query params as a string.
You can also set custom policies with your existing policies to set a certain level of filtering using a DataWeave expression before allowing the request to reach your backend system.
When you use a database connector, always use parameterized queries or stored procedures. To avoid a SQL injection, you need to either stop writing dynamic queries or prevent user-supplied input which contains malicious SQL from affecting the logic of the executed query.
4. User identity threats
Protecting user identity is an important part of our user experience journey. A user identity threat can cause havoc on business trust and capability. Although there are certain types of user identity threats like phishing that require individuals to be educated and protected, there are also certain areas where API management must protect user identity at a systemic level. An example of this is the MuleSoft EU control plane which enables businesses in the EU to handle and protect customer data under GDPR compliance.
To protect against these threats, MuleSoft allows you to integrate API policies like JWT token validation, OAuth2.0 access like Mule Oauth provider, Open AM OAuth2.0, OpenId Connect, PingFederate OAuth token enforcement, and more via client management in Anypoint Platform.
On top of these policies, RTF customers must use tokenization to protect sensitive information under Anypoint security. You must mask sensitive information using DataWeave. For example, if you call a backend system where you get a lot of information in a JSON response including some sensitive data, always mask such sensitive information before logging or sending it to the API client.
5. Service availability threats
MuleSoft’s HA and DR setup having multiple workers in three availability zones gives you high availability against disaster recovery. With MuleSoft CloudHub auto-scaling, you can scale your workers horizontally and vertically with certain custom conditions.
Attacks like DOS, DDOS can impact your service availability so it is very important for us to be well prepared for such attacks. You must apply SLA tiers and policies like rate limiting, caching, and throttling to protect APIs but always remember that against DDOS attacks, we also need to protect our business logic from exploitation. This can happen when an API resource provides all the details in one API call instead of applying pagination. When you respond with millions of records in a single API call, you can overload your system and bad actors know it by looking at the response size. If they can get into that one resource then they will call it again and again until your system is down. It is worth thinking about such business logic which can exploit your system. On top of these policies, RTF customers must use Edge policies like DOS policy or WAF.
Bonus tips
With these threats and solutions in mind, there are a few other tips I want to mention to keep in mind when securing your APIs.
- Use API-led approach as it enables you to follow security and data governance best practices.
- Always use HTTPs.
- Monitor your resources and set alerts for proactive monitoring.
- Use cryptography modules like PGP, XML, JCE.
- Never send or receive encryption keys in API requests and responses.
- Encrypt all your sensitive properties in the application.
- Mask all your runtime properties using artifact.json under the secureProperties key.
Though these are small reminders, they can make all the difference in API security for your customers and your business.
Conclusion
MuleSoft’s API management capabilities are already proven as it is continuously the 6th time that Gartner named MuleSoft a leader in Magic Quadrant for Full Life Cycle API Management. Security is a shared responsibility where MuleSoft has already placed all features in a single unified platform for you. To learn more about our product offerings, you can start product training and ask questions at our MuleSoft Help Center.