Industry’s First Comprehensive Risk-Based API Security
Blog Series 2 out of 2.
In the last blog, we discussed the importance of API protection, why API Gateways are not enough, and why there is a need for comprehensive API security. In this blog, we will look at how Indusface is revolutionizing the industry with its new release AppTrana API Protection.
AppTrana is known for its risk-based fully managed application security. The risk-based approach combined with its drive to make application security as easy as possible has propelled customer adoption with AppTrana being rated as the customers’ choice in all the segments of Gartner’s Voice of Customer Report 2022.
In the quest to extend similar service to APIs, Indusface has released its new module API Protection in AppTrana. With this, customers will get:
- To understand the risk posture of the APIs through unlimited automated API scans including manual tests for identifying business logic vulnerabilities
- To protect APIs with API-specific rules written to protect against OWASP Top 10 API vulnerabilities
- Behavioral-based protection against DDoS attacks on APIs by analyzing API traffic patterns
- Behavioral-based protection against BOT attacks
- Positive security for APIs through analysis of swagger (OpenAPI 2.0) files and creation of automated positive security policies
- Visibility into API traffic patterns and discovery of shadow APIs
- Accurate and real-time view of the vulnerabilities blocked by API-specific rules, positive security policies, custom rules, and those that need fixes in the application
Collectively through a multi-step approach, even the most sophisticated attacks on APIs are protected by AppTrana without any business impact.
Under the Hood:
Let’s look into how we came up with this solution.
To start with, we were adamant to extend our risk-based approach for application security to API security. At Indusface, we believe security is as good as its weakest link and it is not possible to provide comprehensive protection without understanding the risk posture to start with. But the challenge with APIs is that it is not easy to automate scanning. The biggest challenges are – how do you identify the APIs that need to be scanned and how to craft the API requests?
In the case of web applications, it is more straightforward, where you could crawl the applications, simulate actions, generate requests, and fudge those requests to identify the vulnerabilities. But the same cannot be extended to APIs. There is no one place that one can go to find the list of APIs. Therefore, we looked at alternatives and after talking to many of our customers and also getting inputs from our security experts, we narrowed it down to using postman files.
Postman is a common tool used for API development & testing. This has become the gold standard and is widely used across organisations. So, we decided to develop our API scanning around postman files. When a customer onboards their API host for protection behind AppTrana, they will be asked to provide these 2 files:
- Postman files
- Swagger files (OpenAPI 2.0 files)
With Postman files, AppTrana will be able to understand the customer APIs to be scanned along with the details about the parameters, values, common, dynamic values used in multiple APIs (postman variables), sequence in which APIs should be called and the dependencies between APIs.
Postman files are generally used for the testing of APIs in the development cycle, so, generally, they will be have these information. In order to further enrich the postman files, before the scan is started, our security experts will look at these postman files and add additional insights that will help our scanner to scan the APIs better. Once the scan is complete, our team will manually verify the results to remove any false positive results, and publish the results for the customer, providing a comprehensive risk posture of the APIs.
API protection starts immediately once the customer onboards their API host behind AppTrana and routes their traffic through AppTrana. AppTrana’s API protection module has API-specific policies that help protect against the OWASP Top 10 API threats. These policies are enabled by default and are fine-tuned for false positives by our security experts.
But we don’t stop there, we felt that as a part of threat detection, we should do more, given we have information about APIs. So, when the customer uploads the Swagger files (OpenAPI 2.0 files), we use them to create positive security policies for the configured APIs. These policies are automatically created and applied to the sites. Customers can look at these policies which enforce schema and input validation depending on the information given in the swagger files and decide if they want to continue the enforcement of these policies. This ensures we craft the protection around the APIs’ specification and block any requests outside the known specification. Thus, reducing the attack surface of the API significantly.
In order to further strengthen the API Protection, AppTrana’s API Protection module also has behaviour-based DDoS protection for APIs where customers can fine-tune their policies for each API based on the attacks’ behaviour, so that any abnormal patterns are immediately identified and blocked.
AppTrana’s API Protection will also soon be enriched with API-specific bot modules that will ensure bots trying to access the APIs are identified and classified into good vs suspicious bots and suspicious bots are then blocked based on the risk appetite of customers.
Visibility APIs Risk Posture and Protection
The biggest advantage that AppTrana’s API protection provides to their customer is the visibility into the APIs’ risk posture and protection. AppTrana provides comprehensive visibility into the risk posture, vulnerabilities found, and transparent information around if those vulnerabilities are protected by AppTrana’s API-specific policies, positive policies or custom rules written specific to the application need.
Not just that, it also provides a real-time view of how the policies are working with respect to real traffic, with visibilities into the blocks made by various policies. This ensures customers can quickly understand how effective the API protection has been and what additional actions they can take.
Since we have the visibility into API definitions known to the customer and also all the API requests coming to the API host, we are able to quickly track if all the API requests are for APIs that are part of the definition shared or not, then, they are tagged as shadow APIs and bought to the attention of the customer so that the customer can start taking further security actions, either by updating the definition so that security policies apply for them or by choosing to block these shadow APIs.
With the combination of Risk detection, API Threat detection, API Positive Security policies, API-Specific DDoS policies, API-Specific Bot modules, and API Discovery, AppTrana’s API protection is the most comprehensive solution till date.