API security is not a new problem; APIs and their vulnerabilities have been around a long time. What is new is the volume of APIs that are now being created at lightning speeds. Thanks to this staggering increase in adoption, security is struggling to keep up, and APIs are increasingly featured in breach headlines and becoming top of mind for security professionals.
However, the rapid increase in numbers is not the only factor leading to risk and breaches. Some of the things that make APIs so attractive from a business perspective are also what make them so vulnerable. Their ease of integration, multi-use components, and advanced automation can lead to unauthorized access to capabilities, information disclosure, functionality abuse, denial of service, security misconfiguration abuse, and more. But these attacks are not new either; they’re similar to what we’ve seen for years against web applications. So what is different and more challenging about API security? According to our recent conversations with customers, it’s the following:
Lack of visibility and awareness: This is a huge factor. Organizations know they have a lot of APIs, but not how to discover or inventory them all. Most have an assortment of APIs sitting behind various gateways, some stood up by developers outside of any gateway, some with no schema attached, and some that have been essentially orphaned after long periods of development. This is a hard problem for security teams to get their hands around.
Accountability for acceptable API usage: Another challenge we hear from customers is the struggle to understand who is using their APIs and what acceptable usage is. Things like the amount of information an API should be providing, how it provides it, and the levels of authentication and authorization required are often a mystery.
Sophisticated, multi-step attacks: Because of this lack of visibility, there are now a lot of attacks focused on APIs, and they are not easy to detect. It’s challenging to identify abnormal behavior related to APIs without the right technology with correlation capabilities to identify modern attacker techniques.
Complex bot-based attacks: Complicating everything is the fact that API attacks are increasingly bot-enabled. Attackers can now distribute loads across large numbers of bots – often tens to hundreds of thousands of them – in complex bot-based attacks.
These are big challenges, and addressing them isn’t simple. Over the past several years, we’ve been helping organizations get a handle on their API threat landscape and block API attackers. We’ve learned a lot about how these attackers operate and what works, and what doesn’t, to thwart them. Based on our knowledge of attack behavior and the challenges above, we’ve developed five key requirements for API attack protection:
- Discover known and unknown APIs
- Visualize risk to your API attack surface
- Detect and block real-time attacks
- Expose insights to enable attack forensics
- Assess and enforce API schema compliance
Get details and learn more about these five requirements in our new whitepaper, A Security Practitioner’s Introduction to API Protection: Five Requirements for Protecting APIs Against Attacks.