Basic API Security Guide

APIs are existing blocks of codes that facilitate the communication between software without the need to rewrite code. That’s making API usage exponentially increase every year.

(Learn more about APIs in Twilio’s Glossary.)

Developers use APIs to integrate information from outside sources into their applications and gain access to a large repository of resources and data, simplifying the coding process. However, users also benefit as it makes building interactive applications easier.

In this post, I will walk you through the whats, hows, and whys of APIs, and discuss basic API security.

Common API Security Risks

According to Gartner, by 2022, APIs will become the largest attack vector due to their broad usage. APIs are highly targeted and have even larger attack surfaces than user interfaces (UIs) – and perhaps even larger than email (see the FBI Internet Threat Report).

So, what makes APIs a new preferred target? APIs give access to data and resources by exposing them to the internet. That data can be extremely valuable to a hacker and generally goes beyond what bad actors can find elsewhere.

Even though system hardening, access control, load balancers, and web application firewalls are put into place, negligence and human errors make the API attack surface ever larger.

Here are some of the most common attacks used against APIs:

• Cross-site scripting (XSS) Attacks: Inserting a malicious script into the code of a web application (client-side).
• Injection Attacks: Inserting malicious code into a program where user input is expected (server-side).
• Distributed Denial-of-Service (DDOS) Attacks: Flooding systems or applications with large volumes of traffic to make them unavailable.
• Man in the Middle (MITM) Attacks: Intercepting traffic between two entities to impersonate them or collect information.
• Credential Stuffing Attacks: Stealing credentials and using them to log into API endpoints.

API Security Recommendations

Get Back to the Basics

Security isn’t always about having the latest and greatest tools. Robust security always relies on solid foundations that are tied to the implementation of layered security and following industry guidelines and best practices.

That in mind, make sure you only enable protocols, services, and features you need, with the least privileges necessary and with need to know principles applied across all layers. In summary, verify that you are aligned with the checklist below:

• Follow a secure development lifecycle to minimize bugs in your code and APIs and make it secure by design.
• Make sure your infrastructure elements are securely configured per industry standards.
• Least privilege principle is applied at all levels, including services.
• Maintain an inventory of your APIs.
• Validate inputs to make sure they meet the requirements.
• Sanitize user supplied information to avoid any misinterpretations.
• Enforce strong API authentication and authorization, such as by using OAuth.
• Encrypt your traffic using robust encryption.
• Avoid oversharing information and control access to your data.
• Segment your network traffic and implement firewalls.

Control the flow

Controlling the flow of information coming your way is vital and makes rate and payload size limiting a cornerstone of your security posture – and one of the keys to your APIs’ scalability.

• Limit payloads’ size.
• Apply Rate Limiting.

Keep an eye on it

Monitoring your APIs’ performance, availability, and changes is crucial when building large-scale modular systems, such as for security monitoring. That includes being aware of any integrations, vulnerabilities, compromises, and activities. Here are examples of event types to monitor:

• Monitor your accounts and APIs activities.
• Stay informed about account compromise.
• Discover any potential APIs your company created or started using.

How to Use Twilio’s APIs Securely

Secure Your Twilio Account

Securing your account is the first step in securing your APIs, protecting your data, and preventing fraud. Here is an exhaustive list of best practices to secure your Twilio Account.

• Use Strong and unique passwords
• Use multi-factor Authentication.
• Use Single Sign-On (SSO) whenever possible.
• Secure your authentication tokens
  • Store tokens in secure locations and control access to them.
  • Don’t hard-code tokens in applications.
  • Don’t push tokens to public repositories.
  • Use time-based access tokens.
  • Change your authentication tokens periodically.
  • Be careful with temporary access tokens, use MFA, and assign expiration time to the tokens.
• Control sub-account permissions.
• Protect Your API Keys.
  • Don’t leave your API keys in the source code or applications.
  • Store your APIs securely using environment variables.
• Use secure networks when connecting to the Twilio Console.
• Limit the number of IP addresses that are allowed to access your Twilio Console using IP Access Management.

Harden Your Applications

Follow a secure development lifecycle where you develop your applications following known application security standards. This will help you reduce the attack surface of your application, and deliver trustworthy products. Here is a list of actions you can take to harden your application:

• Follow known standards and frameworks when developing your application, such as NIST SSDF.
• Harden your system following industry baselines, for example the CIS Benchmarks.
  • Use current systems, applications, and SDKs.
• Disable unnecessary features on your application:
  • To Disable outbound SMS or Calls when not needed, you have two options:
    • Disable dialing permissions per country.
    • Implement controls in your application/network to prevent POSTs to our /Calls or /Participants.
  • Implement Geographic Permission for Calls and SMS.
• Implement usage triggers that help identify abnormal and risky behaviors.
• Limit the scope of your API keys. Don’t make your API keys highly privileged so if they are compromised, they would provide access to all your accounts.
• Use Twilio’s Public Key Client Validation (PKCV) to not rely on shared secrets, validate senders, and verify message content.

Validate Incoming Twilio Requests

With a few lines of code, you can easily write a custom filter that uses the Twilio SDK’s validator utility. This will secure your application by validating incoming requests.

Monitor Your Resources

Gain visibility into your Twilio applications and use our Monitor API to retrieve your event log and feed it to your centralized log management solution. By default, all events are included, but you can filter by event date or any other field. You can also:

• Create alerts and event notifications that are human readable to help you facilitate troubleshootings or investigations.
• Use the Audit Insights reports in the Twilio Console.

Conclusion

Securing APIs might be simple or complex – it depends on how seriously you take security. Following best practices and securing your code by design is key, but keeping security as an afterthought will cost more time and money.

Other Security Related Resources

Doing your due diligence to protect your APIs and securely use and deploy Twilio resources is a great first step for securing your Twilio application. We recommend reading over our full security documentation for more advice on protecting your app, and the Anti-Fraud Developer’s Guide in particular. We also recommend reviewing Twilio’s Security Whitepaper covering how we deliver our trusted Customer Engagement Platform.

• Learn how to store your Twilio Credentials Securely.
• Secure your Application by validating webhook signature with Python and Flask.
• Checkout this great guide on blocking/disabling inbound calls.
• Follow this guide if you want to implement Public Key Client Validation (PKCV).
• Have fun reading the OWASP TOP 10 for API Security.

Seif Hateb is a Father, Martial Artist, and Security Professional working as a Principal Security Engineer at Twilio. With 12+ years of Security experience with success in guiding the design, testing, and implementation of leading-edge technology solutions while balancing security initiatives to risks, business operations, and innovations.

His specialties include Security Architecture, Cryptography, Data Protection, System Hardening, Security Assessment, Auditing, Vulnerability Management, Business Continuity Planning with extensive experience in the Telecommunications and Healthcare industries. Find him on LinkedIn and Twitter.