API_SECURITY BASELINE DOCUMENT_v1.0(3)

The document outlines the security baseline for API development at City Union Bank, emphasizing the importance of secure, scalable, and interoperable interfaces for financial services. Key security measures include the use of Client ID, Client Secret, API Key, encryption, and hashing techniques, alongside adherence to RESTful design principles and thorough testing. Additionally, it details practices such as schema validation, IP whitelisting, and secure transfer protocols to protect sensitive data and ensure reliable API functionality.

Security Baseline – API

API development in City Union Bank involves creating secure, scalable, and interoperable interfaces that enable seamless communication between banking systems and third-party applications. These APIs allow external developers to access financial services such as account enquiry, fund transfer, and payment enquiry. Key priorities include robust security measures such as Client ID, Client Secret, API Key, encryption, decryption, and hashing techniques. APIs are well documented, versioned, and tested rigorously for performance and reliability. The development process also considers scalability to handle growing user demand, ensuring a smooth customer experience while maintaining data privacy and operational efficiency.

When developing an API (Application Programming Interface), we follow the standards below, which ensure that our API is robust and maintainable. The essential standards we follow are:
• RESTful Design: REST (Representational State Transfer) is a popular architectural style for designing networked applications. Adhering to REST principles ensures your API is intuitive and follows a standard set of conventions for resource identification, manipulation using HTTP methods (GET, POST, PUT, DELETE), statelessness, and a uniform interface.
• HTTP Methods: Use HTTP methods correctly for CRUD (Create, Read, Update, Delete) operations: GET for retrieving data, POST for creating resources, PUT or PATCH for updating resources, and DELETE for deleting resources.
• Resource Naming: Use meaningful and consistent resource names in your API URLs. Avoid verbs and focus on nouns that represent the entities your API deals with.
• URL Structure: Keep URLs hierarchical and predictable. Use plural nouns for collections and singular nouns for individual resources. Use query parameters for filtering, sorting, and pagination when necessary.
• Response Formatting: Return responses in a consistent, standardized format such as JSON (JavaScript Object Notation) or XML. Include appropriate HTTP status codes (e.g., 200 for success, 404 for not found, 400 for bad request) and meaningful error messages.
• Versioning: Implement versioning to manage changes to your API over time. This preserves backward compatibility and allows clients to adapt to changes gradually. Versioning can be done through URL versioning (e.g., /v1/resource) or header-based versioning.
• Authentication and Authorization: Secure your API by implementing authentication mechanisms such as OAuth, JWT (JSON Web Tokens), API keys, or basic authentication. Additionally, enforce authorization to control access to resources based on user roles and permissions.
• Error Handling: Provide clear and informative error messages for failures or invalid requests. Include error codes, descriptions, and suggestions for resolution to assist developers consuming your API.
• Documentation: Create comprehensive and up-to-date documentation for your API. Document endpoints, request and response formats, authentication methods, error codes, and usage examples. Tools like Swagger or the OpenAPI Specification can help automate documentation generation.
• Testing: Perform thorough testing of your API using unit tests, integration tests, and end-to-end tests. Test various scenarios including success cases, error cases, and edge cases to ensure reliability and consistency. Test case reports are produced.
• Rate Limiting: Implement rate limiting to prevent abuse and ensure fair usage of your API resources. Define limits on the number of requests allowed per time interval for each client or API key.
• Logging and Monitoring: Log API activities and errors for debugging and auditing purposes. Monitor API performance, usage patterns, and error rates to identify issues and optimize performance. For this purpose we maintain audit logs and error logs.

The security mechanism plays a critical role in protecting sensitive data and preventing unauthorized access. The following are the key components used to secure our APIs.

Client ID
• The Client ID is a unique identifier assigned to each client (application) making API requests. It identifies the application or system attempting to access the API.
• It is used for logging, rate limiting, and, in combination with other factors, for authentication.
• It is not considered secret by itself but is used with a Client Secret or API key for secure authorization. Expose the Client ID publicly only when necessary.

Client Secret
• The Client Secret is a secret known only to the client and the authorization server, used to authenticate the client. It proves the authenticity of the application accessing the API and ensures that only legitimate clients can access sensitive resources.
• The Client Secret must never be exposed publicly or included in client-side code.
• Client Secrets are stored securely in server-side configuration or secret management tools. Rotate Client Secrets regularly to reduce the risk in case of exposure. Use the least-privileged secret necessary for the task.

API Key
• An API Key is a unique identifier used to authenticate the application or user requesting API access. API keys help identify and authenticate applications, ensuring that only authorized apps can interact with the API.
• They are commonly used for basic authentication. Always transmit API keys over encrypted channels (e.g., HTTPS). We apply API key restrictions (e.g., IP-based, referrer-based) to limit usage to specific applications or environments. Applying such restrictions to API keys reduces the risk if a key is exposed.

Encryption
• The process of encoding information to prevent unauthorized access. Only authorized parties with the appropriate decryption key can decode the information. Encryption protects sensitive data from being exposed during transmission or storage.
• For symmetric encryption (e.g., AES) we use the same key for both encryption and decryption, and we use strong, industry-standard algorithms (e.g., AES-256).
• We always ensure that encryption keys are managed securely and rotated periodically. Sensitive data is encrypted both in transit (e.g., via HTTPS) and at rest (in databases).
• We ensure that information transmitted across the network remains private and inaccessible to unauthorized third parties or attackers. This is done through encrypted data transmission using Secure Sockets Layer (SSL)/TLS.

Decryption
• The process of decoding encrypted data back to its original form. Only authorized parties with the appropriate key can decrypt the information.
• Decryption ensures that sensitive data can only be accessed by authorized users or systems.
• Only authorized systems have access to decryption keys. We use secure key management systems to store and manage decryption keys.

Hashing
• A one-way cryptographic function that converts data into a fixed-size string of characters, typically used for integrity verification and storing passwords.
• Hashing ensures data integrity and is commonly used to protect passwords by storing hashed values instead of plain text.
• SHA-256 is the cryptographic hash function we use wherever a hash is required.
• Salted Hashing: Add a unique, random salt to each password before hashing to prevent rainbow table attacks. We use algorithms that support multiple iterations of hashing (e.g., bcrypt) to slow down brute-force attacks.

Schema Validations

• Schema validation in APIs ensures that the data being sent or received adheres to a predefined structure, typically defined in formats like JSON or XML.
• By validating the schema, APIs can guarantee that requests and responses conform to expected types, formats, and constraints, preventing issues such as malformed data or security vulnerabilities.
• In API development, schema validation often involves tools like JSON Schema, OpenAPI, or Swagger. These tools define the expected structure, including data types (e.g., strings, integers), required fields, field formats (e.g., email, date), and nested objects. For instance, an API that processes user information may validate that fields like "name" are strings and "age" is a positive integer.
• The key advantage of schema validation is that it minimizes errors and exceptions by catching invalid data early, preventing invalid inputs from propagating through the system. This leads to more robust APIs, as clients and servers can reliably exchange data without introducing inconsistencies or vulnerabilities.
• Additionally, schema validation aids in version control. When APIs evolve, schema validation ensures backward compatibility and allows developers to communicate changes in data structures clearly to clients, maintaining API reliability over time.
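
The "name is a string, age is a positive integer" check described above, as an added example that is not part of the original document. It is a small JSON-Schema-style validator written from scratch (the bank's actual tooling is not shown on the page); the schema, field names and error-message format are my assumptions.

```python
import re
from typing import Any

# Constructed schema for the page's example: "name" must be a string, "age" a positive integer.
USER_SCHEMA = {
    "type": "object",
    "required": ["name", "age"],
    "properties": {
        "name": {"type": "string", "maxLength": 100},
        "age": {"type": "integer", "minimum": 1},
        "email": {"type": "string", "format": "email"},
    },
    "additionalProperties": False,  # reject fields the contract does not define
}

_TYPES = {"string": str, "integer": int, "object": dict, "boolean": bool}


def _type_ok(value: Any, expected: str) -> bool:
    # bool is a subclass of int in Python; JSON Schema treats them as distinct types.
    if expected == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, _TYPES[expected])


def validate(data: Any, schema: dict, path: str = "$") -> list[str]:
    """Return a list of violations; an empty list means the data conforms."""
    errors: list[str] = []
    expected = schema.get("type")
    if expected and not _type_ok(data, expected):
        return [f"{path}: expected {expected}, got {type(data).__name__}"]
    if expected == "object":
        for name in schema.get("required", []):
            if name not in data:
                errors.append(f"{path}.{name}: required field missing")
        props = schema.get("properties", {})
        for key, value in data.items():
            if key in props:
                errors.extend(validate(value, props[key], f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{key}: unexpected field")
    if expected == "integer" and data < schema.get("minimum", data):
        errors.append(f"{path}: must be >= {schema['minimum']}")
    if expected == "string":
        if len(data) > schema.get("maxLength", len(data)):
            errors.append(f"{path}: longer than {schema['maxLength']} characters")
        if schema.get("format") == "email" and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", data):
            errors.append(f"{path}: not a valid email address")
    return errors
```

Rejecting undeclared fields and returning every violation at once gives the client a complete, actionable 400 response while keeping unexpected data out of the backend.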

IP Whitelisting

• IP Whitelisting in APIs refers to the practice of allowing access only to specific, pre-approved entities, such as IP addresses, users, or applications. It is a security measure that ensures only trusted parties can interact with an API, reducing the risk of unauthorized access, data breaches, or malicious activity.
• With this, only requests from specific IP addresses are allowed. This can be particularly beneficial in environments where APIs are accessed by a limited number of known clients, such as internal applications, partners, or trusted third-party services. By restricting access to a known set of IPs, APIs become less exposed to attacks like Denial of Service (DoS) or unauthorized exploitation.
• Whitelisting also adds an extra layer of security beyond traditional authentication methods, such as API keys or tokens. Even if an attacker gains access to a valid credential, they would still need to be on the approved IP list to use the API, limiting their ability to misuse the service.
• Additionally, whitelisting can help monitor and track API usage by ensuring that only designated systems are interacting with the API. It enhances overall security, minimizes attack vectors, and contributes to a more controlled and secure API ecosystem.
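
The combination of an API key check with an IP-based restriction, covering both the API Key section above and this IP Whitelisting section, as an added example that is not the bank's own code. The client registry, key value and CIDR ranges are constructed sample data; the check assumes the caller passes the TCP peer address (or an address set by a trusted reverse proxy), never a client-supplied header.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ApiClient:
    client_id: str
    key_sha256: str                                    # SHA-256 of the key; raw key is never stored
    allowed_networks: list[str] = field(default_factory=list)  # CIDR allow list


# Constructed registry of partner applications (example data, not real clients).
REGISTRY = {
    "partner-payments": ApiClient(
        client_id="partner-payments",
        key_sha256=hashlib.sha256(b"example-key-123").hexdigest(),
        allowed_networks=["203.0.113.0/24"],
    ),
}


def key_matches(presented_key: str, stored_sha256: str) -> bool:
    """Hash the presented key and compare against the stored hash in constant time."""
    digest = hashlib.sha256(presented_key.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_sha256)


def ip_allowed(client_ip: str, networks: list[str]) -> bool:
    """True if client_ip falls inside any allowed CIDR range; unparsable input is denied."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def authorize(client_id: str, api_key: str, client_ip: str) -> tuple[bool, str]:
    """Return (allowed, reason). The reason is for the audit log, not the client response."""
    client = REGISTRY.get(client_id)
    # Same reason for unknown id and bad key, so the response cannot be used to enumerate ids.
    if client is None or not key_matches(api_key, client.key_sha256):
        return False, "unknown client id or bad api key"
    if not ip_allowed(client_ip, client.allowed_networks):
        return False, f"source {client_ip} not in allow list for {client_id}"
    return True, "ok"
```

Log the reason string with the Client ID to the audit log; return only a generic 401/403 to the caller.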

Secure Transfer Protocol

• Using HTTPS in APIs is crucial for ensuring the security, integrity, and privacy of data exchanged between clients and servers. HTTPS (Hypertext Transfer Protocol Secure) encrypts data in transit using Transport Layer Security (TLS), protecting sensitive information such as credentials, personal data, and financial transactions from being intercepted or tampered with by malicious actors.
• In the context of APIs, HTTPS prevents "man-in-the-middle" attacks, where attackers might intercept and modify requests or responses in transit. By encrypting the communication channel, HTTPS ensures that the data remains confidential and unaltered, offering a higher level of security than the unsecured HTTP protocol.
• Another key benefit of HTTPS is data integrity. It ensures that the data received by the client or server is exactly what was sent, without any modifications during transmission. This is especially important in APIs where data accuracy and consistency are critical for applications' functionality.
• Additionally, HTTPS is often required for compliance with industry standards and regulations such as GDPR or PCI-DSS, especially when handling sensitive information like credit card data or personally identifiable information (PII).
• Using HTTPS fosters trust among users and clients, signaling that the API provider takes security seriously, which is essential for maintaining reputation and credibility.
