API security best practices
When a business moves to cloud computing to scale its operations and improve its efficiency, APIs inevitably become part of the connectivity picture: they are the gateway to its data in the cloud.
But for innovation to develop rapidly, and at scale, APIs need to be secure.
Here are some ways APIs designed by PolicyDock are kept safe:
- System security is regularly assessed
A key part of security maintenance is the continual research, review and evaluation of systems. PolicyDock does this by following the work of the Open Web Application Security Project (OWASP), a non-profit foundation that publishes guidance on security vulnerabilities. One of its efforts, the OWASP Top 10, is a standard awareness document, regularly updated by security experts, that reflects the most critical security risks to web applications; OWASP also maintains a companion API Security Top 10 that covers the risks specific to APIs, such as broken object-level authorization and broken authentication.
Moreover, changes that are made to PolicyDock’s systems are always considered with respect to their effect on security.
- Access to resources is tightly controlled
We take the configuration of access controls seriously.
By applying the principle of least privilege, we give components and developers no more access than they need to do their job with a system. Data in databases is encrypted at rest and in transit, and object-level authorization is applied in every function that reads or writes a data source: the caller must be entitled to the specific record it names, not merely to the endpoint. If that check fails, the request is denied.
These restrictions are in place for a good reason. API endpoints that accept object identifiers from the client are exposed to anyone who can substitute another identifier in the request, so a check is needed at every turn, on every object, not just at login.
On top of that, we use JSON Web Tokens (JWT) for authentication and authorisation. A JWT is digitally signed, so a verifier that checks the signature against the issuer's key can be confident that the token was issued by that issuer and that its claims have not been altered since. That assurance holds only if the signature is actually verified with the expected algorithm and the token's issuer, audience and expiry are checked as well; an unverified JWT proves nothing.
The correct implementation of authentication mechanisms cannot be over-emphasised. Done incorrectly, it lets attackers steal or forge authentication tokens, or exploit implementation flaws to assume other users' identities, compromising the security of the whole API.
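The following is an added example, written for this page rather than taken from PolicyDock's code, that ties together the two points above: a JWT verifier that pins the algorithm, verifies the signature in constant time and checks issuer, audience and expiry, followed by an endpoint handler that performs an object-level authorization check on every record it serves. Two attacker helpers show what the checks defeat (editing claims under an existing signature, and an `alg=none` token). The HMAC key, issuer and audience strings, the `POLICIES` store and the record contents are all constructed for the example and carry no real meaning; a production deployment would load the key from a secret store and, for a third-party issuer, verify an asymmetric signature instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not PolicyDock's code. Assumed: a shared HMAC key (in real deployments
# loaded from a secret store), issuer and audience strings, and an in-memory record store.
SECRET_KEY = b"demo-hs256-key-do-not-use-in-production"
EXPECTED_ISSUER = "https://auth.example.com"
EXPECTED_AUDIENCE = "policy-api"

class TokenError(Exception):
    pass

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def _claims(subject: str, now: int) -> dict:
    return {"sub": subject, "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": now + 300}

def issue_token(subject: str, now=None) -> str:
    """Mint an HS256 JWT (five-minute lifetime) carrying the claims a verifier should insist on."""
    now = int(time.time()) if now is None else now
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(_claims(subject, now))
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_token(token: str, now=None) -> dict:
    """Return the claims only if algorithm, signature, issuer, audience and expiry all pass."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON and bad UTF-8 all derive from ValueError
        raise TokenError("malformed token")
    # Pin the algorithm server-side; the token never gets to choose it (blocks alg=none).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    # A valid signature only proves who minted the token; the claims must still fit this API.
    if payload.get("iss") != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    if payload.get("aud") != EXPECTED_AUDIENCE:
        raise TokenError("wrong audience")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenError("expired")
    if not isinstance(payload.get("sub"), str):
        raise TokenError("missing subject")
    return payload

def token_status(token: str, now=None) -> str:
    try:
        verify_token(token, now)
        return "valid"
    except TokenError as exc:
        return str(exc)

def tamper_claims(token: str, **changes) -> str:
    """Attacker's move: rewrite claims but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    return header_b64 + "." + _segment(payload) + "." + sig_b64

def forge_unsigned_token(subject: str, now=None) -> str:
    """Attacker's move: an alg=none token with an empty signature segment."""
    now = int(time.time()) if now is None else now
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(_claims(subject, now)) + "."

# Constructed sample store: records keyed by identifier, each with an owner.
POLICIES = {
    "pol-1001": {"owner": "alice", "premium": 420},
    "pol-1002": {"owner": "bob", "premium": 980},
}

def get_policy(token: str, policy_id: str, now=None):
    """GET /policies/{policy_id}: authenticate first, then authorise on the specific object."""
    try:
        claims = verify_token(token, now)
    except TokenError as exc:
        return 401, {"error": str(exc)}
    record = POLICIES.get(policy_id)
    # Object-level check on every access: the caller must own this record. Unknown and
    # foreign identifiers get the same answer, so identifiers cannot be enumerated.
    if record is None or record["owner"] != claims["sub"]:
        return 404, {"error": "not found"}
    return 200, record
```

With a token issued to `alice`, `get_policy` returns her own record but answers `404` for `bob`'s record and for an unknown identifier alike, which is the object-level check the page describes. The same token with its `sub` claim edited fails as a bad signature, an `alg=none` token is rejected before the signature is even examined, and the token stops working the moment its `exp` is reached.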
For more information, please contact us at demo@policydock.com .