API: Last Mile Security

API management platforms allow the API provider to apply security policies on the proxies. This works for API calls from outside the enterprise as well as for the disciplined consumers inside the enterprise that go through the API platform. But a rogue API consumer (for example, a disgruntled employee) may be able to bypass the security implemented on the gateway and invoke the backend directly. An external API consumer may also bypass the gateway security by way of (a) phishing or (b) exploiting firewall vulnerabilities.

These kinds of attacks are referred to as "end-run attacks". As a good practice, it is suggested that the backend of the API be secured as if it were exposed to the public network. The challenge is that doing so in code puts the burden on the API backend developer. There are a couple of ways in which this issue may be addressed:

Always use TLS/HTTPS

Set up mutual SSL/TLS between the API gateway and the backend, so that the backend only completes a handshake with a client presenting a certificate issued to the gateway. You may use self-signed certificates (your own private CA) for this purpose to provide added security. The other benefit of using HTTPS is that, since the data is encrypted in transit, the backend is protected from man-in-the-middle and/or data-snooping attacks.

IP Whitelisting

This may be implemented at the network infrastructure level. Network device policies may be set up such that traffic to the backend servers is allowed only from the whitelisted IPs/subnets, typically the addresses of the gateway nodes.

Backend implementation

Depending on the needs, the backend may leverage any of the following security mechanisms in addition to the above two:

Basic Authentication

Key/Secret

OAuth / Tokens

SAML

Custom scheme (i.e., non-standard)

This form of security implementation may be done either in the code of the backend or by leveraging an external platform/service.

(a) Backend security implemented in code. This depends on the implementation platform and the available libraries/packages. Here are some examples:

Custom implementation requiring credentials/token storage, e.g., management of user names/passwords for basic auth

Passport may be used for NodeJS/Express backends

OAuth2 token management, e.g., a Spring token store

(b) Leverage a third-party solution/platform for implementing the desired security pattern(s). Here are some examples: