API security best practices


When a business takes advantage of cloud computing to scale its operations and improve its efficiency, APIs are inevitably a part of the connectivity equation since they are the gateway to data in the cloud.

But for innovation to develop rapidly, and at scale, APIs need to be secure.

Here are some ways APIs designed by PolicyDock are kept safe:

1. System security is regularly assessed

A key aspect of security maintenance is the constant research, review, and evaluation of systems. PolicyDock does this by following developments through a non-profit foundation, the Open Web Application Security Project (OWASP), which provides updates on security vulnerabilities. One of its efforts, the OWASP Top 10, is a standard awareness document that is regularly updated by security experts to reflect the most pressing security risks to web applications.

Moreover, changes that are made to PolicyDock’s systems are always considered with respect to their effect on security.

2. Access to resources is tightly controlled

We take the configuration of access controls seriously.

By applying the principle of least access, we give components and developers no more access than they need to retrieve information from a system. Databases have data encrypted at rest and in transit; object-level authorization is considered for every function that accesses a data source. If approval is missing, entry is denied.

These rigorous restrictions are in place for a good reason. As endpoints that handle object identifiers tend to be exposed via APIs, a great deal of caution needs to be exercised in ensuring that there is a check at every turn.

On top of that, we use JSON Web Tokens (JWTs) for authentication or authorisation. Since JWTs are digitally signed, verifying the signature lets you be sure of the person's identity. It also allows an organisation to ensure that the token's content has not been tampered with.

The correct implementation of authentication mechanisms cannot be overemphasised. If this is done incorrectly, attackers can compromise authentication tokens and exploit implementation flaws to assume identities, thereby compromising API security.
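The two checks described in this section, signature verification of a JWT and an object-level authorization check on every data access, are sketched below as an added example; it is not PolicyDock's code. The HS256 algorithm, the key, the policy store and all function names are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed; load from a secret store in practice
# Constructed sample store: policy id -> record with its owning user
POLICIES = {"pol-1": {"owner": "alice", "premium": 120},
            "pol-2": {"owner": "bob", "premium": 95}}

def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(sub: str, ttl: int = 300, alg: str = "HS256") -> str:
    """Issuer side: sign 'header.payload' with HMAC-SHA256."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify_token(token: str) -> dict:
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64d(head))
        given = b64d(sig)
    except (ValueError, TypeError):
        raise PermissionError("malformed token") from None
    # Pin the algorithm server-side; never let the token's header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):  # constant-time comparison
        raise PermissionError("bad signature")
    claims = json.loads(b64d(body))
    if claims.get("exp", 0) <= time.time():
        raise PermissionError("token expired")
    return claims

def get_policy(token: str, policy_id: str) -> dict:
    """Object-level check on every access: deny unless the caller owns the object."""
    claims = verify_token(token)
    policy = POLICIES.get(policy_id)
    # Same error for "missing" and "not yours", so object ids cannot be probed.
    if policy is None or policy["owner"] != claims.get("sub"):
        raise PermissionError("access denied")
    return policy
```

The payload is parsed only after the signature has been verified, and a valid token for one user still cannot read another user's object.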



Article written by: PolicyDock. PolicyDock is part of our Insurtech Batch 4 program in Plug and Play.



About PolicyDock

PolicyDock is a global insurance technology leader, delivering best-in-class insurance innovation while providing today’s industry with the most seamless onramp possible. Guided by a world-class advisory board and with backgrounds in fields spanning insurance, fintech, artificial intelligence, cloud technology, and big data, the growing PolicyDock team is dedicated to delivering accessible innovation to the entire insurance industry.
