SECURITY OF REST API: THREATS AND PROTECTION METHODS

Authors

DOI:

https://doi.org/10.17721/ISTS.2024.8.60-65

Keywords:

REST API, information security, authentication, authorization, threats

Abstract

Background. The increase in malicious activity in the information space creates additional challenges for organizations that use REST APIs to transfer data and facilitate interactions with clients and partners. According to statistics, over 80% of modern web traffic goes through web APIs, making them an attractive target for cybercriminals. Vulnerabilities in REST API authentication and authorization mechanisms can lead to data breaches, financial losses, and reputational risks. Therefore, ensuring REST API security is a critical task for modern companies, especially those operating in high-risk industries.

Methods. Threat analysis and risk assessment methods were used to evaluate the security challenges associated with REST APIs.

Results. Organizations are investing significant resources in the development of REST API security technologies, implementing tokens for access control, encrypting data in transit with TLS, and integrating modern security measures into their applications. However, research shows that major security threats remain relevant due to insufficient input validation, weak passwords, and the lack of multi-factor authentication. It was also found that a significant number of APIs lack rate limiting, leaving them vulnerable to resource-exhaustion (DoS/DDoS) attacks.

Conclusions. One of the key approaches to addressing REST API security issues is the implementation of an API security management system that uses a multi-layered approach to protection. This includes access control, token-based authorization, regular vulnerability checks of the system, and rate limiting to reduce the risk of denial-of-service attacks. In addition, implementing modern security practices, such as multi-factor authentication, will help minimize the risk of unauthorized access. The research findings can be used to improve existing REST API security policies and optimize threat management approaches in companies of various sizes.
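The layered controls the conclusions describe (rate limiting, token-based authorization, scope-based access control and input validation) applied in order to one request, as an added Python example that is not code from the paper: the HMAC-signed bearer token format, the token-bucket limits, the `transfer:write` scope, the `/transfer` body schema and the request dictionary shape are all assumptions made for the illustration.

```python
"""Layered checks for a REST endpoint: rate limit -> bearer token -> scope ->
input validation. Added example; token format and limits are assumptions."""
import base64
import hashlib
import hmac
import json
import time


class RateLimiter:
    """Layer 1: token bucket per client, so one caller cannot exhaust the service."""

    def __init__(self, capacity=5, refill_per_sec=1.0):
        self.capacity = capacity
        self.refill = refill_per_sec
        self._buckets = {}  # client -> (tokens, last_refill_time)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1:
            self._buckets[client] = (tokens, now)
            return False
        self._buckets[client] = (tokens - 1, now)
        return True


# Layer 2: HMAC-SHA256 signed bearer tokens. Assumed format:
# base64url(json payload) "." base64url(mac). The JSON carries sub, scope, exp.
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, subject: str, scopes, ttl: int, now: int) -> str:
    payload = json.dumps({"sub": subject, "scope": list(scopes), "exp": now + ttl},
                         separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(secret: bytes, token: str, now: int):
    """Return the claims dict, or None if the MAC is wrong or the token expired."""
    try:
        p64, m64 = token.split(".")
        payload, mac = _unb64(p64), _unb64(m64)
    except (ValueError, TypeError):  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def validate_transfer(body):
    """Layer 4: allow-list validation of the assumed /transfer body.
    Returns an error string, or None when the body is acceptable."""
    if not isinstance(body, dict):
        return "body must be an object"
    allowed = {"to": str, "amount": int}
    unknown = set(body) - set(allowed)
    if unknown:  # unexpected fields are rejected, not silently bound
        return f"unknown fields: {sorted(unknown)}"
    for field, typ in allowed.items():
        if field not in body:
            return f"missing field: {field}"
        if type(body[field]) is not typ:  # exact type: bool is not accepted as int
            return f"{field} must be {typ.__name__}"
    if not (0 < body["amount"] <= 1_000_000):
        return "amount out of range"
    if not (1 <= len(body["to"]) <= 64 and body["to"].isalnum()):
        return "to must be 1-64 alphanumeric chars"
    return None


def handle_transfer(request, secret, limiter, now):
    """Apply the layers in order; return (HTTP status, message)."""
    if not limiter.allow(request["client_ip"], now):
        return 429, "rate limit exceeded"
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(secret, auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    if "transfer:write" not in claims["scope"]:  # Layer 3: authorization by scope
        return 403, "insufficient scope"
    err = validate_transfer(request.get("body"))
    if err:
        return 400, err
    return 200, f"transfer by {claims['sub']} accepted"
```

The order is deliberate: the rate limiter runs first so an unauthenticated flood is rejected before any signature verification is spent on it, the signature check uses `hmac.compare_digest` so a forged MAC cannot be guessed byte by byte through timing, the scope check separates authentication from authorization, and the body validator is an allow-list (unknown fields and wrong types are rejected) rather than a deny-list.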



Published

2025-03-21

Issue

Section

Cybersecurity and information protection

How to Cite

SECURITY OF REST API: THREATS AND PROTECTION METHODS. (2025). Information Systems and Technologies Security, 2(8), 60-65. https://doi.org/10.17721/ISTS.2024.8.60-65
