
10 Cybersecurity Applications for API Gateways

We researched how companies apply API Gateways to protect their API endpoints and assets, and here's what we discovered from 10 CTOs, CEOs and Engineers from the US, Canada and Germany:
1. APIs are the digital connectors that enable businesses to communicate with the rest of the world. Unfortunately, malicious users may gain access to backend systems by inserting unintended commands or expressions that can be used to drop, delete, upgrade, or even generate arbitrary data that APIs can access.

Drupal, for example, disclosed a SQL injection vulnerability in October 2014, giving attackers access to databases, code, and file folders. Because of the severity of the assault, attackers could have copied all data from clients' websites. There are many forms of injection risks, but SQL Injection, RegEx Injection, and XML Injection are the most common. We've seen APIs go live without threat security on many occasions, and it's not unusual.
Eric McGee
TRG Datacenters, Senior Network Engineer
Our second guest Jason highlighted the most frequently mentioned API security control, rate limiting:
2. API providers can restrict the rate of consumption for all API users by requiring authentication for all API users and logging all API calls made. Many API gateways allow you to limit the number of API calls that can be made for a single API resource, based on the second, minute, day, or other similar restriction.
Jason Mitchell
Smart Billions, CTO
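Rate limiting as Jason describes it, per authenticated client and per API resource, with stacked per-second and per-minute windows. This is an added example written for this article, not code from any of the guests or their companies; the resources, limits and client names are constructed.

```python
import time
from collections import defaultdict, deque

# Limits per API resource, as (max_calls, window_seconds) pairs. Several
# windows can be stacked, e.g. 10 per second and 300 per minute, as most
# gateways allow. Resources and numbers are constructed for this example.
LIMITS = {
    "GET /v1/accounts": [(10, 1.0), (300, 60.0)],
    "POST /v1/transfers": [(2, 1.0), (30, 60.0)],
}

class SlidingWindowLimiter:
    """Sliding-window-log limiter keyed by authenticated client and resource."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock  # injectable so the behaviour can be tested
        self.calls = defaultdict(deque)  # (client, resource) -> timestamps

    def check(self, client_id, resource):
        """Return (allowed, retry_after_seconds).

        Unauthenticated calls (no client id) are rejected outright, which is
        what makes per-client limits enforceable at all."""
        if not client_id:
            return False, None
        rules = self.limits.get(resource)
        if rules is None:
            return True, 0.0  # resource without a configured limit
        now = self.clock()
        window = self.calls[(client_id, resource)]
        longest = max(seconds for _, seconds in rules)
        while window and now - window[0] >= longest:
            window.popleft()  # forget calls older than the longest window
        for max_calls, seconds in rules:
            recent = [t for t in window if now - t < seconds]
            if len(recent) >= max_calls:
                # The oldest call in the window decides when a slot frees up.
                return False, round(seconds - (now - recent[0]), 3)
        window.append(now)  # every allowed call is logged with its time
        return True, 0.0
```

The retry value is what a gateway would put in a Retry-After header on the 429 response it returns instead of forwarding the call.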
The API input validation control follows rate limiting:
3. Input Validations
Taking advantage of weak input validation allows a hacker to discover device flaws. An attacker can explore what is accepted or refused and force what is possible using existing inputs before they find a way into an API and compromise the system's integrity.

The most popular input validations are listed below.
Message Size: It's a good thing that message sizes are restricted. Why not filter out large messages if you know for a fact that you will not receive them (for example, messages larger than 2MB)?

SQL Injection: SQL injection security helps you to prevent SQL injection attacks by blocking requests that can result in a SQL injection attack.

JSON Threat Protection: Content-level attacks are possible with JavaScript Object Notation (JSON). Such attacks try to overload the parser with large JSON files, causing the service to crash.

XML Threat Protection: To overload the parser and eventually crash the service, malicious attacks on XML applications usually use huge, recursive payloads, XPath/XSLT or SQL injections, and CData.
Steve Scott
Spreadsheet Planet, CTO
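Two of Steve's validations, message size and JSON threat protection, as a single pre-parse check of the kind a gateway runs before the payload reaches the real JSON parser. This is an added example for this article, not code from any guest or gateway product; the limit values and sample payloads are constructed.

```python
import json

# Limits of the kind gateway JSON threat-protection policies expose (message
# size, container depth, string length, entries per container); constructed.
LIMITS = {"max_bytes": 2 * 1024 * 1024, "max_depth": 8,
          "max_string": 1024, "max_entries": 256}

def find_json_threat(raw: bytes, limits=LIMITS):
    """Return why the payload should be blocked, or None if it passed.
    One pass over the raw bytes, tracking nesting depth, string length and
    entries per container without building a tree."""
    if len(raw) > limits["max_bytes"]:
        return "message too large"
    in_str, esc, str_len = False, False, 0
    entries = []  # one counter per open container: commas seen so far
    for c in raw.decode("latin-1"):  # byte-for-byte view, cannot fail
        if in_str:
            if esc:
                esc = False
            elif c == "\\":
                esc = True
            elif c == '"':
                in_str = False
            else:
                str_len += 1  # multi-byte UTF-8 counts per byte: stricter
                if str_len > limits["max_string"]:
                    return "string too long"
        elif c == '"':
            in_str, str_len = True, 0
        elif c in "{[":
            if len(entries) >= limits["max_depth"]:
                return "nesting too deep"
            entries.append(0)
        elif c in "}],":
            if not entries:
                return "malformed"
            if c == ",":
                entries[-1] += 1
                if entries[-1] >= limits["max_entries"]:
                    return "too many entries"
            else:
                entries.pop()
    return None

def parse_guarded(raw: bytes, limits=LIMITS):
    """Run the check first; only clean payloads reach the real parser."""
    reason = find_json_threat(raw, limits)
    if reason:
        raise ValueError(reason)
    return json.loads(raw)
```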
Message encryption and strong authentication & authorisation mechanisms are also mentioned by our guests:
4. API Gateway can implement message encryption between internal services, making internal services more secure and encrypting messages sent back and forth between services.

Even if transport layer encryption (TLS) is used, ignoring proper authentication may cause problems. Anyone may get personal email addresses and device identification data using a valid mobile number in an API request, for example. Strong authentication and authorization mechanisms such as OAuth/OpenID Connect, in combination with TLS, are essential.
Veronica Miller
VPN Overview, Cybersecurity Expert
Our fifth guest Brian extended the API Gateway's role to an even broader set of security controls:
5. The Gateway implements API firewalling, content validation, and message integrity tests to ensure that an entity receives only legitimate messages. API Firewalling contributes to the mitigation of application-level risks such as cross-site scripting, SQL injection, command injection, and cross-site request forgery.
Brian Chung
Alabaster, CEO & Co-Founder
And here we switch to a Chief Financial Officer's perspective:
6. The Gateway includes a transformation layer that can modify all aspects of an incoming request, including the protocol, payloads, and headers, as well as the security tokens. The Gateway may either convert the payload's contents to an internal format (e.g., JSON to XML/SOAP) or change the payload's headers. Security tokens and statements may be introduced into messages as they flow internally, allowing for the internal availability of information decided at the edge.
Chana Charach, CFO
Our next guest Tanya described a broader use of the API gateway as a kind of single pane of glass for APIs:
7. Since the Gateway monitors all inbound traffic, it is possible to record anything, which enables the application of visibility, monitoring, and analytics services. The Gateway is capable of informing an entity about the status of established and regulated APIs, as well as traffic that is currently ungoverned.
Tanya Zhang
Nimble Made, Co-Founder
Now we switch to technical guidance and an outlook on how to use an API Gateway to hide the structure of back-end code:
8. Many API developers have become accustomed to using 200 for all successful requests, 404 for all failures, 500 for any internal server errors, and, in rare cases, 200 with a failure message in the body and a comprehensive stack trace. When a stack trace exposes underlying design or architecture implementations in the shape of class names, package names, application names, versions, server names, and SQL queries, it may become an information leak for a malicious user.

Returning a 'balanced' error object with the correct HTTP status code, the bare minimum of necessary error messages, and no stack trace during error conditions is a good practice. This improves error management while also protecting API implementation information from an attacker.

The API Gateway can be used to convert backend error messages into standardized messages, making all error messages look the same and preventing the backend code structure from being exposed.
Thilo Huellmann, CTO
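The error normalization Thilo recommends, done at the gateway: backend responses are mapped to a standard error object with the correct status code, a stable code and a correlation id, while the original body (stack trace included) goes only to the gateway log. This is an added example for this article, not code from any guest or gateway product; the trace patterns and message catalogue are constructed.

```python
import json
import logging
import re
import uuid

log = logging.getLogger("gateway")

# Markers of a leaked stack trace in a backend body (constructed for this
# example: Python and Java-style traces).
TRACE_MARKERS = re.compile(r"Traceback \(most recent call last\)|\n\s*at [\w.$<>]+\(")

# The only error shapes a client ever sees: stable code plus a short message.
PUBLIC_ERRORS = {
    400: ("bad_request", "The request could not be processed."),
    401: ("unauthorized", "Authentication is required."),
    403: ("forbidden", "Access to this resource is not allowed."),
    404: ("not_found", "The requested resource does not exist."),
    429: ("rate_limited", "Too many requests."),
    500: ("internal_error", "An internal error occurred."),
}

def normalize_response(status: int, body: str):
    """Map a backend (status, body) to the (status, body) the client receives.

    Successful responses pass through (parsed JSON, or raw text if not JSON).
    Failures, including a 200 that carries {"success": false} or a stack
    trace, become a standard error object with a correlation id; the original
    body goes to the gateway log under that id, never to the client."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        payload = body
    failed = status >= 400 or TRACE_MARKERS.search(body) is not None \
        or (isinstance(payload, dict) and payload.get("success") is False)
    if not failed:
        return status, payload
    public_status = status if status >= 400 else 500  # a "200 failure" is a 500
    code, message = PUBLIC_ERRORS.get(public_status, ("error", "The request failed."))
    correlation_id = uuid.uuid4().hex
    log.error("backend error id=%s status=%s body=%r", correlation_id, status, body)
    return public_status, {"error": {"code": code, "message": message,
                                     "id": correlation_id}}
```

Operators look up the correlation id in the gateway log to see the real backend failure; the client learns only that id and the generic message.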
We're nearing the end of our research, and our next guest Tony summed up what an API Gateway does quite simply:
9. Since the Gateway is in the path of traffic, it offers simple load balancing capabilities for traffic entering the company (Round Robin, Weighted Round Robin, random, etc.). The Gateway incorporates a variety of mechanisms for controlling the rate of data entry into an entity. It will shield your backend from large traffic spikes and denial of service attacks.
Tony Kelly
CameraGroove, CEO
At the end of our story, cybersecurity expert Fred from California reminded us of the importance of properly tuning the API Gateway:
10. When you provide an API gateway that adds security controls, you have the opportunity to intervene, but having the capability doesn't necessarily mean you use it well.

It's not enough to simply have the gateway - you also need to implement it properly for the specific APIs and the situations they encounter.
That's the tricky part, and few do it well without an in-depth understanding of why the systems do what they do and the consequences of the actions the APIs enable. That requires governance and oversight that most companies today lack, and that's why they have many of the incidents you hear about in the media.
Fred Cohen
Fred Cohen & Associates, CEO
Explore our API Security Resource Center to discover more, or take a look at our API Penetration Testing service if you want help with the cybersecurity of your API.