Best Practices: Maximizing API Security with Forum Sentry

Introduction

A core competency of the Forum Sentry API Gateway is, and has always been, security for APIs and Web services. Right out of the box there are many security features enabled by default. Forum Sentry is the only patented API Security Gateway that is FIPS 140-2 certified, NDPP certified, and DoD PKI certified.

For a good overview of Sentry's focus on security please visit our general API Security page.

Click HERE for additional White Papers on API Security.

There are many features in Sentry related to securing Web services and APIs (SOAP, XML, REST, HTML, and JSON) that should be utilized with all APIs deployed through the gateway. These features include:

  • TLS/SSL
  • Message Encryption/Decryption
  • Digital Signatures/Verification
  • Intrusion Detection and Prevention (IDP Rules)
  • Pattern Matching
  • On-Board Anti-Virus scanning
  • Identity Management and Access Control
  • Schema Validation

Top 10 Recommendations

Below are the Top 10 recommendations to further increase the security of your APIs using Forum Sentry:

  1. Use secure SSL/TLS Policies. Forum Sentry does not utilize insecure OpenSSL libraries for SSL/TLS. All network policies (HTTP, FTP, SFTP, JMS, etc.) should use SSL/TLS. Start by enabling SSL/TLS, and then consider adding Mutual Authentication for certificate path validation, CRL checking, and mapping certificates to users. Disable weak ciphers and older insecure SSL protocols (e.g., disable SSLv3).
  2. Use IP ACLs on your network listener policies to only allow incoming traffic from specific IP addresses or IP ranges. If a client tries to connect from an unknown IP range the connection will be rejected.
  3. Tighten existing IDP rule thresholds or add new IDP rules depending on your specific criteria. One of the easiest ways to prevent data loss is to set IDP size rules for response documents. For instance, if the service should never respond with anything over 100k, enforce this with an IDP rule.
  4. Enable the onboard Clam AntiVirus scanning to block, strip, tag, or quarantine detected viruses and malware.
  5. Use Pattern Match policies to block malicious requests and prevent data leakage. With the default Pattern Match policies and through custom policies, pattern matching ensures no confidential data is leaked out with the response messages and prevents any harmful XML attacks coming into the service. This feature can be used to prevent SQL injections and other common threats.
  6. Use encryption and digital signatures wherever applicable with your trading partners. For example, the trading partners (clients) would encrypt and sign the request data before sending it to Sentry; the request data is then decrypted and verified on Sentry. For response processing, Sentry can encrypt and sign the response data before sending it back to the client.
  7. Validate Schema. Consider using Schema Tightening and advanced validation options with your WSDL policies. Sentry also supports XML schema validation via XSD files and JSON schema validation.
  8. Utilize Sentry's built-in PKI infrastructure. Create, import, and store all keys related to the security of your services within Sentry.
  9. Use Task Lists and WAF Policies for URI, HTTP Header, and Query Parameter filtering for REST APIs (for instance, scan parameter values for malicious content, ensure specific HTTP headers exist, etc.).
  10. Enable User Identity and Access Control on your APIs to ensure only valid users are accessing your services. There are many Access Control, Federation, SSO, and Credential Translations capabilities in Forum Sentry.
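The following is an added illustration of what recommendations 2, 3, and 5 above enforce, written as a small stand-alone policy checker; it is not Forum Sentry configuration or code from Forum Systems. The allow-list networks, the 100k response limit from recommendation 3, the confidential-data and inbound XML patterns, and the sample messages are all constructed for the demo.

```python
"""Illustrative gateway policy checks (constructed example, not Forum Sentry's own).
Covers: IP ACL on a listener, an IDP response-size rule, and pattern matching
in both directions (data leakage outbound, hostile XML constructs inbound)."""
import ipaddress
import re

# Recommendation 2: IP ACL on the network listener (constructed allow-list)
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.10/32"),
]

# Recommendation 3: IDP size rule for responses (100k, as in the text)
MAX_RESPONSE_BYTES = 100 * 1024

# Recommendation 5, outbound: confidential data that must never leave
# (constructed patterns: US SSN shape and a 13-16 digit card-number shape)
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Recommendation 5, inbound: XML constructs a normal API request never needs;
# an internal DTD or entity declaration is a red flag and is rejected outright.
INBOUND_XML_PATTERNS = {
    "doctype": re.compile(r"<!DOCTYPE", re.IGNORECASE),
    "entity": re.compile(r"<!ENTITY", re.IGNORECASE),
}


def ip_allowed(client_ip: str) -> bool:
    """Accept the connection only if the source address is inside the ACL."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def response_size_ok(body: bytes) -> bool:
    """IDP size rule: responses larger than the threshold are blocked."""
    return len(body) <= MAX_RESPONSE_BYTES


def find_matches(text: str, patterns: dict) -> list:
    """Return the sorted names of every pattern that matches the text."""
    return sorted(name for name, rx in patterns.items() if rx.search(text))


def inspect_request(client_ip: str, body: str) -> list:
    """Return policy violations for an inbound request; [] means it passes."""
    violations = []
    if not ip_allowed(client_ip):
        violations.append("ip-acl")
    violations += ["xml-" + m for m in find_matches(body, INBOUND_XML_PATTERNS)]
    return violations


def inspect_response(body: bytes) -> list:
    """Return policy violations for an outbound response; [] means it passes."""
    violations = []
    if not response_size_ok(body):
        violations.append("idp-size")
    text = body.decode("utf-8", errors="replace")
    violations += ["leak-" + m for m in find_matches(text, LEAK_PATTERNS)]
    return violations


if __name__ == "__main__":
    # Constructed sample traffic
    print(inspect_request("10.20.5.7", "<order><id>42</id></order>"))
    print(inspect_request("203.0.113.9",
                          '<!DOCTYPE order [<!ENTITY x "demo">]><order>&x;</order>'))
    print(inspect_response(b"<resp>ok</resp>"))
    print(inspect_response(b"<resp><acct>123-45-6789</acct></resp>"))
    print(inspect_response(b"x" * (MAX_RESPONSE_BYTES + 1)))
```

Each check returns the list of rule names it tripped rather than a bare boolean, so a gateway can log which policy blocked a message; that is also what makes IDP and pattern-match hits useful as detection signals rather than silent drops.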

Testing the Security of APIs

It is strongly recommended that you perform security, vulnerability, and penetration testing of your APIs deployed through Forum Sentry.

SOAPSonar from Crosscheck Networks is the recommended tool to perform this testing. In addition to full support for functional and performance testing, it includes patented technology focused on security and vulnerability testing that you won't find in any other SOA test tools.

SOAPSonar's Vulnerability mode runs scans against APIs and reports any potential issues with explanations of how to fix them. In addition, if you configure SSL, encryption/signatures, or other WS Security features in Sentry, you can use this tool to test these features.

You can download a free evaluation of SOAPSonar here: http://www.crosschecknet.com/products/soapsonar.php.
