2022-11-08 11:00:00

Innovation Insight for API Protection

Web API traffic and attacks are growing in volume and severity. New approaches complement traditional web application security measures with specific API security functionality. Security and risk management leaders should identify when to seek this added protection.


Overview

Key Findings

  • Security leaders are looking for additional security capabilities to protect their APIs. They are expanding beyond their existing API gateways (GWs) and web application and API protection (WAAP) solutions — especially in industry verticals with high security requirements.
  • Top concerns expressed by clients during inquiries include personal data theft, account takeover and automated content scraping.
  • API protection innovations protect web APIs from exploits, abuse, access violations and denial of service (DoS) attacks.
  • API protection products provide three main types of functionality — discovery, posture management and runtime protection.


Recommendations

To protect their APIs, security and risk management leaders should:

  • Start by discovering and categorizing your APIs. Perform threat modeling to identify the specific security mechanisms required to mitigate your risks.
  • Assess the API protection provided by your current WAAP or API gateway. If your risk mitigation requires additional API protection, investigate API security specialists that can provide an additional layer of protection.
  • Address the security analysis workload that behavioral anomaly detection may generate by using either an internal security operations center (SOC) or a managed service.
  • Perform an application security testing (AST) or penetration testing exercise to uncover business logic issues that may otherwise remain hidden.

Introduction

API security is a growing concern as API traffic grows. Web APIs interconnect applications and are becoming central to the digital transformation of enterprises. In producing and exposing web APIs, organizations must define how they communicate with other entities such as partners and customers, and best practices for standardizing these communications are still lacking. APIs that organizations build themselves are often the root cause of high-visibility breaches.

Many organizations protect API traffic the same way they protect their legacy applications. Generic application security controls might perform poorly because of the different structure of the traffic (for example, JSON or other structured payloads rather than form-encoded parameters), or because of the characteristics of API transactions (for example, the high request rates of machine-to-machine calls). Especially in industry verticals that have high security requirements, security leaders are looking for additional security capabilities to protect their APIs. In this research, we explore emerging API security innovations that will help organizations discover their APIs, identify and address vulnerabilities, and protect APIs during runtime.


Description

Definition

API protection innovations protect web APIs from exploits, abuse, access violations and denial of service (DoS) attacks. While all kinds of APIs can be protected, typically organizations initially focus on APIs that are homegrown, public-facing and provide connectivity to critical applications. These solutions provide API security through a combination of content inspection of API parameters and payloads, traffic management, and, at a minimum, traffic analysis for anomaly detection.


API security innovation is mainly brought forward by emerging API security vendors. However, API security functionality can be obtained as part of the expanded portfolio of offerings from vendors of API gateways, WAAP and AST.

Depending on the specific architecture, API security solutions may be provided as a service or an on-premises product, or with a hybrid approach. In particular, the solution may need to collect and send data back to its cloud for behavioral anomaly detection, or it may need to recognize anomalous patterns entirely on-premises. Most solutions are not in-line solutions. Rather, they ingest traffic data and other information by integrating with application and infrastructure components within the enterprise. Because such an out-of-band deployment only observes traffic, blocking an attack it detects depends on integration with an in-line enforcement point such as the API gateway or WAAP; on its own it produces findings that someone must act on.
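The out-of-band traffic analysis described above, as an added example that is not part of the original research note or of any vendor's product. It ingests a constructed JSON-lines access log (the kind a gateway or proxy might export) and runs three simple behavioral detectors: walking through consecutive object IDs, request bursts, and a high share of 403 responses. The log format, the path layout (`/api/<resource>/<numeric id>`), the client addresses and the thresholds are assumptions chosen for illustration.

```python
"""Out-of-band analysis of ingested API traffic.

Added example, not code from the original research note or from any
API protection product. The access-log format, the path layout
(/api/<resource>/<numeric id>) and the thresholds are assumptions
chosen for illustration; the log lines are constructed.
"""
import json
import re
from collections import defaultdict

# Path shape assumed for this example: /api/<resource>/<numeric id>[/...]
ID_PATH = re.compile(r"^(?P<resource>/api/[a-z]+)/(?P<id>\d+)(?:/|$)")

# Constructed JSON-lines access log, as a gateway or proxy might export it.
# alice: ordinary use. bob: bursts through consecutive order IDs and is
# mostly denied (probing object-level authorization). carol: slow,
# sequential product reads (price scraping) that never trip a rate limit.
SAMPLE_LOG = "\n".join(
    [
        '{"ts": 1000.0, "client": "10.0.0.5", "user": "alice", "path": "/api/orders/1042", "status": 200}',
        '{"ts": 1001.0, "client": "10.0.0.5", "user": "alice", "path": "/api/orders/1042/items", "status": 200}',
        '{"ts": 1005.0, "client": "10.0.0.5", "user": "alice", "path": "/api/orders/2071", "status": 403}',
    ]
    + [
        json.dumps({"ts": 2000.0 + i * 0.05, "client": "203.0.113.9", "user": "bob",
                    "path": f"/api/orders/{3000 + i}", "status": 200 if i % 3 == 0 else 403})
        for i in range(12)
    ]
    + [
        json.dumps({"ts": 3000.0 + i * 10.0, "client": "198.51.100.7", "user": "carol",
                    "path": f"/api/products/{1 + i}", "status": 200})
        for i in range(8)
    ]
)


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_enumeration(records, min_ids=5, consecutive_ratio=0.8):
    """Flag (client, resource) pairs that walked through consecutive object IDs."""
    ids_by_key = defaultdict(set)
    for r in records:
        m = ID_PATH.match(r["path"])
        if m:
            ids_by_key[(r["client"], m.group("resource"))].add(int(m.group("id")))
    flagged = {}
    for key, ids in ids_by_key.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= consecutive_ratio:
            flagged[key] = {"distinct_ids": len(ids), "consecutive_ratio": ratio}
    return flagged


def detect_burst(records, window=1.0, max_requests=10):
    """Flag clients exceeding max_requests inside any sliding window of `window` seconds."""
    ts_by_client = defaultdict(list)
    for r in records:
        ts_by_client[r["client"]].append(r["ts"])
    flagged = {}
    for client, ts in ts_by_client.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[client] = peak
    return flagged


def detect_authz_failures(records, min_requests=5, max_ratio=0.5):
    """Flag clients with a high share of 403s: a caller repeatedly denied on
    the objects it asks for is probing authorization, not using the app."""
    counts = defaultdict(lambda: [0, 0])  # client -> [denied, total]
    for r in records:
        counts[r["client"]][1] += 1
        if r["status"] == 403:
            counts[r["client"]][0] += 1
    return {c: (denied, total) for c, (denied, total) in counts.items()
            if total >= min_requests and denied / total >= max_ratio}


def analyze(text):
    """Run all three detectors over a log and return the findings by detector."""
    records = parse_log(text)
    return {
        "enumeration": detect_enumeration(records),
        "burst": detect_burst(records),
        "authz_failures": detect_authz_failures(records),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(name, hits)
```

Note what the three detectors disagree on: carol's scraping trips only the enumeration detector, so a rate limit alone would never see it, while bob trips all three. Every hit is a finding to triage rather than a block, which is the analysis workload the recommendations above say a SOC or managed service has to absorb.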

An important part of many API security offerings is the ability to discover APIs, including ones that are not in the organization's inventory and would otherwise go unprotected.

A complete API security program should include controls for the development and testing phases. Most API protection tools assess API posture for misconfigurations.


Benefits and Uses

Some of the top concerns expressed by clients during inquiries include personal data theft (exploiting a Broken Object Level Authorization [BOLA] vulnerability, for example), account takeover, and automated content scraping (for example, price scraping). A frequent scenario reported by clients is where APIs are provided by a back-end team. It is intended that only certain front-end applications will use the APIs, but an attacker accesses the back-end APIs directly, bypassing the permitted front-end applications and any control that is enforced only in the front end.
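The BOLA and direct back-end access scenario described above, as an added example that is not code from the original research note or from any product. A vulnerable handler authenticates the caller but never checks who owns the requested object, so a low-privilege session that calls the back-end API directly with another user's ID reads their personal data; the hardened handler makes the object-level decision server-side, and the hardened list operation scopes the query to the session rather than trusting a client-supplied filter. The order data model, the session object, the role name and the error classes are assumptions chosen for illustration.

```python
"""Broken Object Level Authorization (BOLA) in a back-end API, vulnerable
handler beside the hardened one.

Added example, not code from the original research note or from any
product. The data model (orders owned by users), the handler signatures,
the session object and the error classes are assumptions chosen for
illustration; the records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total_cents: int
    ship_to: str  # personal data: exactly what a BOLA leaks


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset = frozenset()


class Forbidden(Exception):
    """Caller is authenticated but may not access this object (HTTP 403)."""


class NotFound(Exception):
    """Object does not exist (HTTP 404)."""


# Constructed back-end store standing in for a database table.
ORDERS = {
    1042: Order(1042, "alice", 12999, "1 Main St, Springfield"),
    2071: Order(2071, "bob", 4500, "22 Elm Rd, Shelbyville"),
}


def get_order_vulnerable(session, order_id):
    """Requires a session (authentication) but never checks ownership.
    The front end only ever shows a user their own order IDs, so the flaw is
    invisible through the intended front end and is reached by calling the
    back-end API directly with a guessed or enumerated ID."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_hardened(session, order_id):
    """Object-level authorization inside the handler: the caller must own the
    object or hold a role that explicitly grants access to all orders."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    if order.owner != session.user and "support" not in session.roles:
        # Deny before any data is returned. Answering 404 here instead of 403
        # would additionally hide which IDs exist from an enumerating client;
        # either way the decision is made server-side, not in the front end.
        raise Forbidden(order_id)
    return order


def list_orders_vulnerable(session, owner):
    """Trusts a client-supplied owner filter: the front end sends its own
    user name, but a direct API caller can send anyone's."""
    return [o for o in ORDERS.values() if o.owner == owner]


def list_orders_hardened(session):
    """Scopes the query to the authenticated identity; the client cannot widen it."""
    return [o for o in ORDERS.values() if o.owner == session.user]


def call(handler, session, order_id):
    """Dispatch like a minimal API layer, mapping outcomes to HTTP status codes."""
    try:
        return 200, handler(session, order_id)
    except Forbidden:
        return 403, None
    except NotFound:
        return 404, None


if __name__ == "__main__":
    # Direct back-end call from a low-privilege session for another user's order.
    mallory = Session("mallory")
    print("vulnerable:", call(get_order_vulnerable, mallory, 1042))
    print("hardened:  ", call(get_order_hardened, mallory, 1042))
```

The point a penetration test or AST exercise looks for here is that nothing in the vulnerable handler is wrong at the transport or schema level; the request is well-formed and authenticated, which is why a control that only inspects payloads or throttles traffic does not catch it, and why the recommendations above call for testing the business logic directly.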

While security leaders can counter API attacks with existing functionality present in tools such as WAAPs, API GWs and AST tools, there are many challenges presented by this approach:

  • Security leaders do not typically own tools that are managed by infrastructure and operations teams (such as API GWs), and AST scanners are increasingly shifting ownership to application development teams.
  • API GW and WAAP security functionality may be limited, depending on the vendor. While a few leading providers already include more-advanced API discovery and controls, many are still limited to providing throttling, secure transport, and similar types of security policy enforcement.
  • Security leaders in high-security and regulated industry verticals express their desire during inquiries for an advanced solution that can immediately provide the required functionality.
