API Security Principles

Since APIs are the primary channels through which participants will communicate with one another, it is therefore very important to set out basic security guidelines that all will adhere to.

The following are key principles that should be applied when designing APIs:

1. Design with the objective that the API will eventually be accessible from the public internet, even if there are no plans to do so at the moment
2. Use a common authentication and authorization pattern, preferably based on existing security components: avoid creating a bespoke solution for each API
3. Least Privilege - Access and authorization should be assigned to API consumers based on the minimal amount of access they need to carry out the functions required
4. Maximise entropy (randomness) of security credentials by using API Keys rather than username and passwords for API authorization, as API Keys provide an attack surface that is more challenging for potential attackers
5. Balance performance with security with reference to key lifetimes and encryption/decryption overheads
6. Standard secure coding practices are always recommended (see OWASP Secure Coding Principles)
7. It is also recommended that a security testing capability is incorporated into the development cycle which provides continuous, repeatable and automated tests to find security vulnerabilities in APIs and web applications during development and testing.