As the importance of Application Programming Interfaces (APIs) continues to grow and API traffic accelerates, there’s a growing need to make sure that traffic is handled securely.
Traditional application security controls are still needed, but they can’t quite stand up to the challenges of API security.
To select a suitable API security solution, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.
Lebin Cheng, Director of API Security, Imperva
An effective API security solution should be flexible enough to protect both public facing and backend APIs without slowing down development teams. CISOs should take into account three considerations when making a selection:
First, the solution needs to discover APIs automatically. It should auto-update the inventory of APIs continuously so that, for example, when APIs change in production, they’re accounted for. It must uncover shadow or deprecated APIs. This eases the burden on security leaders and allows them to keep up with DevOps teams.
Second, the solution should offer protection across legacy and cloud-native applications without requiring a burdensome infrastructure component that degrades application performance or slows the pace of development.
Third, it’s essential that the solution can identify, classify, and report on data flowing through any API. Protecting APIs is, in effect, a direct extension of an organization’s strategy for managing compliance and securing data. APIs access vast amounts of sensitive data, so having visibility into the data flowing through each one is critical. Taken together, these capabilities provide the needed context to enforce data governance and reduce potential risks.
Doug Dooley, Chief Operating Officer, Data Theorem
When building an effective API security program, there are three core capabilities necessary for success: inspection, discovery, and protection. The first, (A) inspection/analysis, receives the most API security investment today.
Although API attack techniques have evolved over the past decade from SOAP to REST and GraphQL, the core concepts remain the same: inspection and analysis of exploitable vulnerabilities in authentication, authorization, input validation, business logic, and encryption. Our industry does a fairly good job with API inspection and analysis. The big challenge here is that most approaches remain manual. API inspection needs to be automated into DevSecOps and CI/CD processes.
The next two API security capabilities are (B) discovery and (C) protection, which lack investment by most organizations. Not finding APIs remains an industry-wide shortfall in dealing with the growing API attack surfaces of modern software. We cannot protect APIs if we do not even know they are a part of our dynamic software stack.
Software supply chain breaches highlight the challenge of first- and third-party APIs. Lastly, selecting vendors that have active protection tools for modern APIs with no dependency on legacy network tools like WAFs and gateways is an important selection criterion for building effective API security.
Tom Hickman, Chief Product Officer, ThreatX
API security is a hot topic in the industry today, but choosing the right API security solution is proving difficult for many organizations. However, the nice thing about modern APIs is that, in most cases, they can be protected the same way we protect regular web applications.
To effectively choose an API security solution, organizations need to not only know what features they want, but also have an understanding of their existing API endpoints that need to be protected. Therefore, before making any purchasing decisions, organizations need to ask if they can detect and discover all of their API endpoints.
Often, companies will find that they have far more API endpoints getting traffic than they initially thought, and in order to obtain full API protection, these need to be accounted for. If this cannot be done before making a purchase, companies should invest in solutions that follow industry best practices, like real-time analysis of actual traffic hitting API endpoints. Solutions that provide this will enable organizations to take a hard look at what’s actually deployed and exposed within their ecosystem so they can compare the actual attack surface with their theoretical API inventory.
Faizel Lakhani, CEO, APIsec
When it comes to securing APIs, there are really two fundamental approaches to keeping APIs secure – monitoring and testing. Monitoring involves continuous analysis of the traffic coming in and out of APIs to identify attacks in real-time. This approach typically requires identifying what “normal” traffic looks like and then attempting to identify malicious traffic by looking for anomalies.
This approach can be effective, especially for more obvious attacks like high volumes of requests or injection attacks, but it is likely to miss more sophisticated attacks – as clever attackers will do their best to stay under the radar. Further, this approach is fundamentally reactive, requiring APIs to be published into production and under active attack before alerting organizations of any issues with their APIs.
In contrast, the testing approach to API security involves regular, rigorous assessment of the API to identify any weakness or vulnerability that could inadvertently lead to data loss. Testing is typically performed in a pre-production environment, so that any issues are discovered before they can cause harm. This preventative approach simulates attacks and effectively “pressure tests” the API to see if any data leaks. Testing can be fully automated and integrated into a shift-left model, so that every new release is fully vetted.
Tony Lauro, Director of Security Technology and Strategy, Akamai
Defenders focusing on API security should consider the business function of the APIs they are protecting. The release of the iPhone in June of 2007 triggered the exponential growth of APIs. This new platform ushered in the age of the API, requiring an efficient, lightweight application communication language. Unfortunately, shortly after that, attackers began to abuse them.
The areas of defense against API abuse:
Protocol level: Validating that the API is not being abused in terms of overutilization or quota abuse generally requires proxied inspection of API requests and potentially using an API gateway to manage API business requirements.
Application level: This centers around API payload validation. Using a Web Application Firewall (WAF), the breakdown and inspection of the API call, API endpoint in use, and the parameters of what that request should look like can all be validated as part of a positive security model, including defense against traditional application-layer attacks.
Business logic level: APIs are used extensively to get users from point A to Z within an application workflow. The ability to detect when a user request jumps straight to point D, bypassing A–C, matters because such a jump could result from a scripted attack and not a genuine user interaction.
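The three levels of defense listed above, as an added example that is not code from Akamai or from any product the contributors describe: a small inline inspector that enforces a per-client quota (protocol level), validates each request against a positive model of known endpoints and their exact parameters (application level), and rejects workflow steps reached out of order (business-logic level). The endpoints, the four-step cart workflow, the quota values and the sample requests are all constructed for illustration.

```python
from collections import defaultdict, deque

# Positive security model (constructed): the only endpoints that exist and the exact
# parameters each accepts, with the type each must have. Anything else is rejected.
ENDPOINT_SCHEMA = {
    ("POST", "/cart/add"):     {"sku": str, "qty": int},
    ("POST", "/cart/address"): {"street": str, "zip": str},
    ("POST", "/cart/pay"):     {"token": str},
    ("POST", "/cart/confirm"): {},
}
# Business-logic order (steps A to D): a genuine user reaches each step via the one before it.
WORKFLOW = ["/cart/add", "/cart/address", "/cart/pay", "/cart/confirm"]
QUOTA_PER_WINDOW, WINDOW_SECONDS = 5, 60   # protocol-level quota (constructed values)

class ApiInspector:
    def __init__(self):
        self.hits = defaultdict(deque)      # client -> request timestamps inside the window
        self.progress = defaultdict(int)    # client -> number of workflow steps completed

    def check(self, client, method, path, params, now):
        # Protocol level: sliding-window quota per client.
        window = self.hits[client]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        if len(window) > QUOTA_PER_WINDOW:
            return "deny:quota"
        # Application level: endpoint must be in the model and the payload must match it exactly.
        schema = ENDPOINT_SCHEMA.get((method, path))
        if schema is None:
            return "deny:unknown-endpoint"
        if set(params) != set(schema) or any(type(params[k]) is not t for k, t in schema.items()):
            return "deny:schema"
        # Business-logic level: step N is reachable only after steps 0..N-1 were completed.
        step = WORKFLOW.index(path)
        if step > self.progress[client]:
            return "deny:sequence"
        self.progress[client] = max(self.progress[client], step + 1)
        return "allow"

def run_demo():
    insp, t = ApiInspector(), 1_700_000_000.0
    v = [insp.check("alice", "POST", "/cart/add", {"sku": "A1", "qty": 2}, t),
         insp.check("alice", "POST", "/cart/address", {"street": "1 Main", "zip": "02101"}, t + 5),
         insp.check("alice", "POST", "/cart/add", {"sku": "A1", "qty": "2"}, t + 6),  # qty typed wrong
         insp.check("mallory", "POST", "/cart/pay", {"token": "tok"}, t),             # jumps to step C
         insp.check("mallory", "GET", "/cart/export", {}, t + 1)]                     # not in the model
    # A client hammering one endpoint trips the quota on its sixth request in the window.
    return v + [insp.check("bot", "POST", "/cart/add", {"sku": "A1", "qty": 1}, t + i) for i in range(6)]
```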
Chris Mayers, Principal Security Engineer, Citrix
APIs are the most valuable and vulnerable assets of any digital business, and protecting them has become a complex and challenging task.
In identifying solutions that can help tackle this growing challenge, IT should consider the following:
- Almost every business has unknown, forgotten, shadow APIs. And if you can’t see them, you can’t protect them. A good API protection solution is able to discover, catalog and bring every API under governance.
- API authentication, authorization and rate-limiting, along with analytics for API usage and performance are core to API protection. Look for a solution with intelligent machine learning techniques that enable it to learn baseline usage and more easily detect API abuse.
- Application architectures are evolving from monolithic to microservices, which are heavily API based and often use a service mesh. Solutions should be able to protect both types.
- Applications are rapidly transitioning to multi-cloud, and solutions must protect them wherever they are hosted – on-prem, in private, public, hybrid or multi-cloud.
While it isn’t easy, API protection can be greatly simplified using cloud-delivered platforms that unify web application firewall, bot management and API protection into a single solution for simplicity and reduced security posture fragmentation.
Ziv Oren, CEO, Reblaze
As APIs proliferate, defending them against abuse has become vitally important. Today, a number of solutions claim to offer API security. However, many of them do not provide complete protection.
Many solutions were originally designed to protect sites and web applications, and they rely on older techniques that don’t work well for APIs.
For example, security solutions need to block hostile bots. Many try to verify the users’ browser environments, or they challenge the users with CAPTCHA puzzles. But neither technique will work for an API call because there is no browser to verify, and CAPTCHAs aren’t applicable either.
There are often other deficiencies too. For example, many solutions don’t offer robust rate-limiting for API traffic. This means that attackers are free to wage enumeration attacks, input fuzzing, credential stuffing, scraping, and so on.
So, it is critical to choose a security solution that recognizes the unique challenges posed by APIs and offers specific protection for them. Every applicable security technology should be implemented, and additional API-specific features should be offered too. For example, an SDK for mobile apps can enable developers to harden all communication between client devices and the mobile API endpoint, making it extremely difficult for attackers to gain access.
Ankur Singla, SVP & GM, Security Products Group, F5
The dynamic nature and sheer volume of APIs make it impractical for organizations to keep up with and feed API definitions to systems securing API endpoints.
Solutions need to include machine learning (ML)-based capabilities, allowing for the automatic discovery and mapping of an app’s APIs. This allows the solution to learn the scope and nature of API communication over time, helping to identify shadow or undocumented APIs which may be leading to security gaps and persistent vulnerabilities. That’s why API discovery coupled with the ability to import known API schema for enforcement is important.
Good solutions deliver continuous observability of app and API behavior, monitoring over time to build rich behavioral baselines. This should be a continuous process, enabling controls to be applied in the most meaningful way. This is where the argument and need for ML-based solutions are very easy to understand, since the behavior profiling and calibration is as real-time as possible.
The first two capabilities allow us to learn and keep pace with baselined “normal and acceptable” API behavior. The final capability needed is enforcement, accurately identifying the behavior patterns that fall outside of that range with the ability to take action: enforcing schema, rate limiting, and blocking.
Tushar Tambay, VP of Product, DPS HyTrust, Entrust
Every analyst and vendor will tell you that access control (authentication and authorization of APIs) is the most important aspect of API Security. While that is true, it pays to dig a little deeper. Ask yourself:
How flexibly does the solution allow you to define access control policies? Is it limited to Role Based Access Control (RBAC – who can do what) or does it enable Attribute Based Access Control (ABAC – who can do what, to what, under which conditions)?
Does the solution allow you to configure fine-grained access control policies? Can Authorization rules be specified for each individual API?
Can the access control policy be versioned? Are changes to this policy auditable? When troubleshooting an incident, can you go back in time and accurately determine which policy was in force at the time the incident occurred?
Does the solution support all standards-based identity and access protocols (OAuth, OIDC, etc.) in use at your enterprise by internal services as well as externally accessible services?
Does the solution support legacy apps that don’t have a standards-based authorization option?
Does the solution allow you to validate the integrity of incoming API requests and ensure the confidentiality of outgoing responses?
Finally, pay attention to the solution’s ability to collect detailed logs which make deeper analysis and troubleshooting possible.
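The RBAC-versus-ABAC, per-API and policy-versioning questions above, worked through as an added example that is not code from Entrust or any product mentioned here: an append-only policy store where every change is a new version with an audit entry, and where a decision can be replayed against the version that was in force at a given instant. The API name, the two rules, the authors and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class PolicyVersion:
    effective_from: datetime
    author: str
    rules: tuple   # ((api, condition), ...); condition(subject, resource, ctx) -> bool

class VersionedAccessPolicy:
    """Append-only policy store: each change is a new version with an audit entry, so the
    policy in force at any past instant can be replayed while investigating an incident."""
    def __init__(self):
        self.versions, self.audit = [], []

    def publish(self, version):
        self.versions.append(version)
        self.audit.append((version.effective_from.isoformat(), version.author, len(version.rules)))

    def version_at(self, when):
        live = [v for v in self.versions if v.effective_from <= when]
        return max(live, key=lambda v: v.effective_from) if live else None

    def decide(self, api, subject, resource, ctx, when):
        """Default deny; a request is allowed only if a rule for exactly this API grants it."""
        v = self.version_at(when)
        if v is not None:
            for rule_api, cond in v.rules:
                if rule_api == api and cond(subject, resource, ctx):
                    return "allow"
        return "deny"

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# RBAC: only *who* is checked.
def rbac_support_reads(subject, resource, ctx):
    return subject["role"] == "support"

# ABAC: who, to what (record owned by the caller's team), under which conditions (MFA done).
def abac_support_reads(subject, resource, ctx):
    return subject["role"] == "support" and resource["owner_team"] == subject["team"] and ctx["mfa"]

def build_store():
    """Constructed history: an RBAC rule published in January, tightened to ABAC in March."""
    store = VersionedAccessPolicy()
    store.publish(PolicyVersion(utc(2024, 1, 1), "alice", (("GET /v1/records/{id}", rbac_support_reads),)))
    store.publish(PolicyVersion(utc(2024, 3, 1), "bob", (("GET /v1/records/{id}", abac_support_reads),)))
    return store
```

Replaying the same request at a February and an April timestamp yields different decisions, which is exactly the question an incident investigator needs answered.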
Stan Wisseman, Chief Security Strategist for North America, CyberRes
APIs are an essential enabler of innovation in today’s digitally driven world. Applications (or application components) can leverage APIs to connect to other applications and communicate autonomously. APIs also have the potential to expose application logic and data, therefore providing access to multiple sources of potentially sensitive data and mission-critical services. This, in turn, widens the attack surface exponentially.
Given the increased importance of APIs, when considering API security tools, it’s vital to have better visibility into what APIs exist, who owns them, which port they are listening on, etc. However, without some way of programmatically acquiring this information, API discovery is difficult to automate.
Use of tools like Google’s Apigee and API collaboration software like Swaggerhub or Postman is on the rise and can provide a full picture of an API and all its interactions. Some dynamic application security testing (DAST) tools can ingest data from these collaboration tools, and are also providing discovery capabilities to detect any Swagger or OpenAPI schema and add API endpoints to an existing vulnerability scan.
Some organizations are also starting to proactively layer in controls and leverage API tools to better govern them. API Security Gateways or Managers can create, manage, secure and measure the APIs in use.
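Reconciling an OpenAPI schema (the theoretical inventory CyberRes mentions) with live traffic (the actual attack surface ThreatX describes), as an added example that is not code from either contributor or from any product on this page: it flags shadow endpoints that receive traffic but appear in no schema, and documented endpoints that receive none. The OpenAPI fragment and the access-log lines are constructed; the "<method> <path> <status>" log format is an assumption.

```python
import re
from collections import Counter

# Constructed OpenAPI fragment: the *theoretical* inventory the team believes it exposes.
OPENAPI_SPEC = {"paths": {
    "/v1/users/{id}":     {"get": {}, "delete": {}},
    "/v1/orders":         {"get": {}, "post": {}},
    "/v1/reports/export": {"get": {}},
}}

# Constructed access-log lines ("<method> <path> <status>"): the *actual* traffic.
ACCESS_LOG = """GET /v1/users/42 200
DELETE /v1/users/42 204
GET /v1/orders 200
POST /v1/orders 201
GET /v1/orders?page=2 200
GET /v0/users/42/debug 200
GET /v0/users/17/debug 200
POST /internal/admin/flush 200"""

def _template_regex(template):
    """'/v1/users/{id}' -> regex matching one path segment wherever the spec has a parameter."""
    parts = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
             for s in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "$")

def documented_endpoints(spec):
    return {(m.upper(), p) for p, ops in spec["paths"].items() for m in ops}

def match_endpoint(method, path, documented):
    """Return the (METHOD, template) the request belongs to, or None if it is undocumented."""
    for m, template in documented:
        if m == method and _template_regex(template).match(path):
            return (m, template)
    return None

def reconcile(spec, log_text):
    """Compare documented inventory with observed traffic: shadow (live, undocumented)
    endpoints, documented endpoints with no traffic, and hit counts for the rest."""
    documented = documented_endpoints(spec)
    seen, shadow = Counter(), Counter()
    for line in log_text.splitlines():
        method, raw_path, _status = line.split()
        path = raw_path.split("?", 1)[0]                 # query string is not part of the route
        hit = match_endpoint(method, path, documented)
        if hit:
            seen[hit] += 1
        else:  # no template to normalise against, so fold numeric IDs into {n} to group variants
            shadow[(method, re.sub(r"/\d+(?=/|$)", "/{n}", path))] += 1
    return {"shadow": dict(shadow), "unused": sorted(documented - set(seen)), "traffic": dict(seen)}
```

The "shadow" entries are the endpoints a purchase decision should account for before any tool is chosen; the "unused" entries are candidates for the deprecated APIs Imperva's contributor mentions.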