Availability and Threat Protection

Availability in this context covers threat protection to minimize API downtime: how threats against exposed APIs can be mitigated using basic design principles, and how to apply protection against specific risks and threats.

Availability also covers scaling to meet demand and ensuring that the hosting environments are stable. These aspects of availability are addressed across the hardware and software stacks that support the delivery of APIs. There are no specific standards for availability; it is normally addressed under business continuity and disaster recovery standards, which recommend a risk assessment approach to define the availability requirements.

As mentioned earlier, various types of risk affect APIs, including threats to availability as well as to confidentiality and integrity. Many of these threats can be mitigated through good secure coding practices, following the OWASP guidelines indicated earlier.

Where the resources being exposed by an API are sensitive i.e. not public data, it is advisable to perform:

  1. Threat assessment – early on in the API development lifecycle
  2. Penetration test – once an API is developed and published (testable)

Below is a table of threat types and recommended approaches to help mitigate them:

Threat: Exposure of inappropriate API methods to access services
Mitigation (OWASP): Protect and limit (whitelist) the HTTP methods (GET, PUT etc.) exposed. Validate the method(s) permitted for the session token / API key.

Threat: Denial of Service attacks
Mitigation (OWASP): Throttle access to all exposed APIs. Monitor use to detect possible DoS attacks.

Threat: Malicious input, injection attacks and fuzzing
Mitigation (OWASP): Validate input, using secure parsing and strong typing. Validate that the incoming content-type is application/json. Validate JSON content. Validate XML (schema and format). Scan attachments. Produce a valid HTTP return code. Validate the response type.

Threat: Cross-Site Request Forgery
Mitigation (OWASP): Use tokens with state and nonce parameters.

Threat: Cross-Site Scripting attacks
Mitigation (OWASP): Validate input.

API Gateway capabilities can protect against many typical API vulnerabilities and threats, as well as providing (if required) access control to API functionality. Typically, these capabilities cover:

  1. Throttling to prevent Denial of Service attacks
  2. Message analysis to block HTTP attacks and parameter attacks such as cross-site scripting, SQL injection, command injection and cross-site request forgery
  3. Controlling the egress of information via the API, in line with the set access permissions/policies

Gateway filtering complements input validation in the API itself; it does not replace it, since the gateway cannot know the semantics of every field the service accepts.
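As an added example (not part of the original guidance, and not any gateway product's own code), the following Python request guard applies several of the mitigations from the table above and the first two gateway capabilities to constructed requests: a per-route whitelist of HTTP methods, per-API-key throttling, enforcement of the application/json content-type, a body size limit, and strongly typed JSON validation that rejects unexpected fields. The route policy, body schema, header names, limits and sample requests are all assumptions chosen for illustration.

```python
"""Added example: a minimal request guard in front of an API handler.
Route policy, schema, header names and sample requests are assumed for illustration."""
import json
import time
from collections import deque

# Hypothetical route policy: the only HTTP methods each path may expose (whitelist).
ALLOWED_METHODS = {
    "/v1/accounts": {"GET", "POST"},
    "/v1/accounts/balance": {"GET"},
}

# Hypothetical body schema per (method, path): field name -> required type.
# Strong typing means the string "42" is rejected where an int is required.
BODY_SCHEMA = {
    ("POST", "/v1/accounts"): {"name": str, "initial_balance": int},
}

MAX_BODY_BYTES = 16 * 1024  # assumed limit; oversized bodies are refused before parsing


class Throttle:
    """Sliding-window limiter keyed by API key: at most `limit` calls per `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = {}

    def allow(self, api_key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(api_key, deque())
        while q and now - q[0] >= self.window:  # drop calls that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def guard(request, throttle, now=None):
    """Return (status, detail). Status 200 means the request may reach the handler."""
    method = request.get("method", "")
    path = request.get("path", "")
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    body = request.get("body", b"")

    api_key = headers.get("x-api-key")
    if not api_key:
        return 401, "missing API key"
    if not throttle.allow(api_key, now):          # DoS mitigation: throttle per key
        return 429, "rate limit exceeded"
    allowed = ALLOWED_METHODS.get(path)
    if allowed is None:
        return 404, "unknown resource"
    if method not in allowed:                     # whitelist of HTTP methods
        return 405, "method not allowed"
    schema = BODY_SCHEMA.get((method, path))
    if schema is None:
        return (400, "body not expected") if body else (200, "ok")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":               # only JSON is parsed at all
        return 415, "content-type must be application/json"
    if len(body) > MAX_BODY_BYTES:
        return 413, "body too large"
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, "malformed JSON"
    if not isinstance(data, dict):
        return 400, "JSON object expected"
    unknown = set(data) - set(schema)
    if unknown:
        return 400, "unexpected field(s): " + ", ".join(sorted(unknown))
    for field, ftype in schema.items():
        if field not in data:
            return 400, "missing field: " + field
        value = data[field]
        # bool is a subclass of int in Python; reject it explicitly for int fields.
        if not isinstance(value, ftype) or (ftype is int and isinstance(value, bool)):
            return 400, "field %s must be %s" % (field, ftype.__name__)
    return 200, "ok"


def run_samples():
    """Run constructed sample requests through the guard; returns the status codes."""
    throttle = Throttle(limit=5, window=60)
    key = {"X-API-Key": "demo-key"}  # constructed credential, not a real key
    json_hdr = {**key, "Content-Type": "application/json; charset=utf-8"}
    requests = [
        {"method": "GET", "path": "/v1/accounts", "headers": key},
        {"method": "DELETE", "path": "/v1/accounts", "headers": key},
        {"method": "POST", "path": "/v1/accounts",
         "headers": {**key, "Content-Type": "application/x-www-form-urlencoded"},
         "body": b"name=alice&initial_balance=1"},
        {"method": "POST", "path": "/v1/accounts", "headers": json_hdr,
         "body": json.dumps({"name": "alice", "initial_balance": "42"}).encode()},
        {"method": "POST", "path": "/v1/accounts", "headers": json_hdr,
         "body": json.dumps({"name": "alice", "initial_balance": 100}).encode()},
        {"method": "GET", "path": "/v1/accounts/balance", "headers": key},
    ]
    # Fixed clock so the sixth call lands inside the same window and is throttled.
    return [guard(r, throttle, now=1000.0)[0] for r in requests]


if __name__ == "__main__":
    print(run_samples())  # [200, 405, 415, 400, 200, 429]
```

The order of checks matters: the throttle runs first so that a flood of malformed requests still costs the caller quota, and the content-type check runs before any parsing so that form-encoded bodies (the kind a cross-site HTML form can submit without a CORS preflight) never reach the JSON parser. The state and nonce tokens listed in the table remain the mitigation for CSRF in browser-driven authorisation flows; this guard only covers the request-shape checks.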