Five Tips for API Security
How many times have you had a company tell you that your password or some other form of your data has been compromised? Probably too many - if you’re like me. Security is a real issue, and it can be very detrimental to a brand’s reputation and customer retention.
Below are five tips for increasing security when using APIs to keep your data and your customers’ data secure and safe. At the end, we’ll discuss some other methods that 8x8 uses to stay secure.
Five Tips for API Security
1. Don’t store API keys in your code
This may be the easiest method to do when you’re creating something quickly, but storing your API key in your source code is a bad idea. It makes it easier for it to be exposed and taken advantage of. For instance, if your code is stored on Github in a public repository, someone could just download it straight away. If it’s stored in a private repository, there is still risk if you integrate with any third-party APIs. You don’t have complete control over those third-party APIs and if they get hacked, then you may become vulnerable as well. There are many other better ways to store your API keys, such as in environment variables, in files outside your app’s source tree, or using encryption.
2. Check into your API provider’s security and compliance credentials
If your API provider has questionable security, then this will obviously affect you. If you’re serious about checking into their security (which you should be), then a good step to take is asking them what kind of security and compliance certifications they have. The nice thing about certifications or attestations is that there is external validation, and this reduces your legal risk exposure. For instance, if you’re building a healthcare technology product, it may be important for your API provider to be HIPAA compliant.
3. Use rate limiting
We’ve all heard of the consequences of a company being a recipient of a nasty denial of service attack. One of the ways to reduce them is to apply a limit to the number of requests that can be made in a certain time window. If the rate limit is exceeded on your API, then block the API key sending the unrestrained requests. It’s best practice to return the HTTP 429 Too Many Requests response status code.
4. Make all requests using HTTPS/TLS encryption or IPSec connection
HTTP requests can be insecure. You don’t want any man-in-the-middle attacks or impersonations - it’s critical to ensure that the data sent has not been modified or tampered with. If your API provider does not offer a secure, encrypted method for use, it’s worth finding a new API provider.
5. Enable two-factor authentication
Your API provider probably has a portal of some sort to do configuration, look at charts, and manage your account. If someone can get access to your login credentials to the portal, then they may be able to get direct access to your API key and/or your API configuration. You should ensure all employees are setting strong passwords or passphrases. Accounts become much more secure when two-factor authentication is enabled. Rather than trusting a user to make a strong, unique password, adding another layer of security greatly helps reduce your risk of getting compromised. A couple of common forms of two-factor authentication include SMS passcodes and authentication apps.
If you decide you want to consider 8x8 for communication APIs, you’ll find some of our procedures below to ensure security for our customers.
From physical security to data at rest or in motion, 8x8 is protecting our customers using the highest levels of security and compliance policies and procedures - verified by 3rd party security and compliance certifications.
Scans happen on a continuous basis throughout our systems. We have a team of internal pen testers, and we bring in one of the major global pen testing firms to ethically hack our systems and APIs regularly.
We recognize the need to balance usability and security to best serve our customers. We rely on multiple vectors of risk analysis and input to accomplish that balance. One of our most critical risk intelligence vectors is our external tester and security community.
A big part of delivering on the promise of customer security is listening and responding to the larger security community. As an example, our average response time to confirm an issue from a security researcher and begin prioritizing it is around 1 hour. We’re always grateful to researchers who help us keep our customers secure.
Security has been built in from the ground up across all of our products. For instance, with our embeddable video API, 8x8 Jitsi as a Service, end to end encryption and passwords are available for customers to use.
If you want to hear more about some of our other methods, reach out to us and our Security team would be happy to talk with you.