Guide to Basic API Security Best Practices

Guide to Basic API Security Best Practices

An application programming interface (API) is an existing block of code that facilitates communication between software without the need to rewrite code. The goal is to support data transfers between your system and external users, which is why API usage continues to increase.

Developers use APIs to integrate information from outside sources into their applications and gain access to a large repository of resources and data, simplifying the coding process. Users also benefit as APIs help make building interactive applications easier. 

But a poorly maintained and insecure API becomes an easy access point to sensitive data for bad actors. In this post, we’ll discuss the ins and outs of API security best practices and how to secure your API. 

Why is API security important?

APIs play a key role in web and mobile app development since businesses rely on them to connect services and transfer data. But APIs present unique challenges while sitting between third-party developers and a company’s resources, which can lead to a data breach. 

API security breaches not only harm a businesses’ reputation but can cause severe financial impact (e.g., exposing the data of its customers and clients can result in lost revenue, distrust, and even stolen identity). So it’s crucial for businesses to learn how to secure an API to prevent losing customer trust. 

That’s where Twilio comes in with a continuous software delivery model and change management process that ensures a secure development lifecycle throughout design, development, and deployment. 

Common API security risks 

Highly targeted because of larger attack surfaces than user interfaces, APIs are perhaps even more of a security risk than email (see the Federal Bureau of Investigation’s Internet Crime Report).

So what makes APIs such a target? APIs give access to data and resources, exposing them to the internet. That data can be extremely valuable to a hacker and generally goes beyond what bad actors can find elsewhere.

Even though system hardening, access control, load balancers, and web application firewalls may be in place, negligence and human errors make an API attack surface more susceptible.

Here are some of the most common attacks used against APIs:

• Cross-site scripting (XSS) attacks: Inserting a malicious script into the web application code (client side)
• Injection attacks: Inserting malicious code into a program where user input is expected (server side)
• Distributed denial-of-service (DDOS) attacks: Flooding systems or applications with high volumes of traffic to make them unavailable
• Man-in-the-middle (MITM) attacks: Intercepting traffic between 2 entities to impersonate them or collect information
• Credential stuffing attacks: Stealing credentials and using them to log into API endpoints

API security best practices

Consider Twilio’s API security best practices when designing and creating APIs. By following these guidelines, you can reduce the risks associated with maintaining your API. 

1. Get back to the basics

Security isn’t always about having the latest and greatest tools. Robust security relies on solid foundations tied to the implementation of layered security and follows industry guidelines and best practices.

That said, ensure you only enable protocols, services, and features you need, with the least privileges necessary and need-to-know principles applied across all layers. In other words, align with the checklist below:

• Follow a secure development lifecycle to minimize bugs in your code and APIs to make it secure by design
• Ensure a secure configuration of your infrastructure elements according to industry standards
• Apply the least privilege principle at all levels, including services
• Maintain an inventory of your APIs
• Validate inputs to ensure these meet requirements
• Sanitize user supplied information to avoid any misinterpretations
• Enforce strong API authentication and authorization by using OAuth
• Encrypt your traffic using robust encryption
• Avoid oversharing information and control access to your data
• Segment your network traffic and implement firewalls

2. Control the flow 

Controlling the flow of information coming your way is vital and one of the keys to your APIs’ scalability. It also allows you to:

• Limit payloads size
• Apply rate limiting

3. Keep an eye on it 

Monitoring your APIs’ performance, availability, and changes is crucial when building large-scale modular systems, such as security monitoring. That includes being aware of any integrations, vulnerabilities, compromises, and activities. Here are some examples of event types to monitor:

• Account compromise
• API activities
• New APIs your company created or started to use

How to use Twilio APIs securely

Now, let’s discuss best practices for using your Twilio APIs securely.

1. Secure your Twilio account 

The first step in mastering API security best practices is securing your account to protect your data and prevent fraud. Here’s a checklist to help you secure your Twilio account:

• Use strong and unique passwords
• Use multifactor authentication (MFA)
• Use single sign-on (SSO) whenever possible
• Secure your authentication tokens:
• • Store tokens in secure locations and control access to them
  • Don’t hard code tokens in applications
  • Don’t push tokens to public repositories
  • Use time-based access tokens
  • Change your authentication tokens periodically
  • Be careful with temporary access tokens, use MFA, and assign an expiration to the tokens
• Control subaccount permissions
• Protect your API keys
• • Don’t leave your API keys in the source code or applications
  • Store your APIs securely using environment variables
• Use secure networks when connecting to the Twilio Console
• Limit the number of IP addresses allowed to access your Twilio Console by using IP access management

2. Harden your applications

Another API security best practice is to follow a secure development lifecycle where you develop your applications according to security standards. This will help you reduce the attack surface of your application and deliver trustworthy products. Here’s a list of actions you can take to protect your application from intrusions:

• Follow standards and frameworks when developing your application, such as NIST SSDF
• Harden your system following industry baselines, such as the CIS Benchmarks
  • Use current systems, applications, and software development kids (SDKs)
• Disable unnecessary features on your application:
  • Disable dialing permissions 
    • Implement controls in your application/network to prevent POSTs to our /calls or /participants
    • Disable outbound SMS or calls when not needed with one of 2 options:
• Implement geographic permissions for calls and SMS 
• Use triggers that help identify abnormal and risky behaviors
• Limit the scope of your API keys 
  • Don’t make your API keys highly privileged to avoid providing access to all your accounts if compromised
• Use Twilio’s Public Key Client Validation (PKCV) to avoid relying on shared secrets, validating senders, and verifying message content

3. Validate incoming Twilio requests 

With just a few lines of code, you can easily write a custom filter that uses the Twilio SDK’s validator utility. This will secure your application by validating incoming requests.

4. Monitor your resources

Gain visibility into your Twilio applications and use our Monitor API to retrieve your event log and feed it to your centralized log management solution. By default, it includes all events, but you can filter by event date or any other field. You can also:

• Create alerts and event notifications to help you facilitate troubleshooting or an investigation
• Use the audit insights reports in the Twilio Console

Learn more about passwordless account security from Twilio

Following API security best practices and securing your code by design is key to avoid costing more time and money. Another way to secure your account is by using passwordless authentication with Twilio Verify. 

This authentication method doesn’t require a password or any other knowledge-based secret to log a user into a system. Instead, users are authorized when they receive a unique, one-time code or magic link to their email, push notification, or text message. 

Dive deeper with more API security-related resources 

Doing your due diligence to protect your APIs and securely use and deploy Twilio resources is a great first step in securing your Twilio application. Next, we recommend reading over our security documentation for more advice on protecting your app and the Anti-Fraud Developer’s Guide. Finally, we also suggest reviewing Twilio’s security white paper covering how we deliver our trusted Customer Engagement Platform.

• Learn how to store your Twilio credentials securely
• Secure your application by validating webhook signatures with Python and Flask
• Find out how to block or disable inbound calls
• Implement PKCV

Seif Hateb is a father, martial artist, and security professional working as a Principal Security Engineer at Twilio. He has 12+ years of security experience with success in guiding the design, testing, and implementation of leading-edge technology solutions while balancing security initiatives to risks, business operations, and innovations.

His specialties include security architecture, cryptography, data protection, system hardening, security assessment, auditing, vulnerability management, business continuity planning with extensive experience in the telecommunications and healthcare industries. Find him on LinkedIn and Twitter.