Introduction to AppTrana’s Enhanced API Protection
Blog Series 1 out of 2.
APIs and the Need for Comprehensive API Security
APIs have become a vital cog of business and are a key driver of the digital economy. Whatever your business and whatever kind of applications you build, an Application Programming Interface (API) is most likely employed in your application in one form or another. APIs enable the client side of an application to interact with the server side and, in the case of machine-to-machine communication, enable two applications to interact with each other. With microservices architectures, the criticality of APIs has exploded.
APIs are generally publicly available, well documented and easily reverse engineered. This also means APIs are becoming the primary attack surface targeted by hackers.
In its How to Build an Effective API Security Strategy report, Gartner predicts that
“By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”
All this means that API Protection is a very important aspect of any business, and it warrants special attention. When it comes to API security, there are multiple layers that need to be considered:
- API Discovery
- API Access Control
- API Rate Limiting
- API Security Testing
- API Threat Detection
- API Behaviour Monitoring
One of the primary reasons why API protection does not get enough attention in an organisation is the lack of understanding of the different layers involved in API protection. Let’s dig a bit deeper into these layers.
API Discovery
APIs can only be protected if one knows about them, and API visibility is one of the biggest challenges of API security. Organisations struggle with API visibility for the following reasons:
- Shadow APIs: These are APIs built as part of an application but known only to some teams and not publicised. They exist to make the application work and are treated as an implementation detail, so few people know about them. That also means the security team is unaware that such APIs exist, and no security is applied to them. The same can happen to a known API when developers add parameters that are never documented, so that part of the API is never covered by the testing cycle.
- Older versions of APIs: APIs are developed and improved over time, and multiple versions are released. To maintain continuity, the older versions are not discontinued. Attention is concentrated on the latest version, but the older versions remain publicly accessible and can be exploited by hackers.
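The two visibility problems above can both be surfaced from traffic you already have. The following is an added example, not AppTrana code, that compares the endpoints, versions and query parameters seen in access logs against a documented API surface and reports shadow endpoints, calls to superseded versions, and undocumented parameters. The documented endpoint table, the current version name and the log lines are all constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Documented API surface (constructed for this example, hypothetical endpoints).
# Maps (method, templated path) -> set of documented query parameters.
DOCUMENTED = {
    ("GET", "/v2/users/{id}"): {"fields"},
    ("GET", "/v2/orders"): {"page", "limit"},
    ("POST", "/v2/orders"): set(),
}
CURRENT_VERSION = "v2"  # the only version that is supposed to be in service

# Constructed access-log lines in a combined-log style.
ACCESS_LOG = """\
10.0.0.5 - - [01/May/2022:10:00:01 +0000] "GET /v2/users/42?fields=email HTTP/1.1" 200 512
10.0.0.5 - - [01/May/2022:10:00:02 +0000] "GET /v2/users/42?fields=email&debug=1 HTTP/1.1" 200 980
10.0.0.9 - - [01/May/2022:10:00:03 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2022:10:00:04 +0000] "GET /v2/internal/export HTTP/1.1" 200 40960
10.0.0.7 - - [01/May/2022:10:00:05 +0000] "POST /v2/orders HTTP/1.1" 201 64
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
VERSION_RE = re.compile(r"^/(v\d+)/")


def template_path(path: str) -> str:
    """Replace numeric path segments with {id} so /v2/users/42 matches /v2/users/{id}."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def discover(log_text: str, documented=DOCUMENTED, current_version=CURRENT_VERSION) -> dict:
    """Report shadow endpoints, calls to old versions, and undocumented query parameters."""
    report = {"shadow": set(), "old_version": set(), "undocumented_params": defaultdict(set)}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        key = (m.group("method"), template_path(parts.path))

        # Old version still answering requests: it is live whether or not it is documented.
        v = VERSION_RE.match(parts.path)
        if v and v.group(1) != current_version:
            report["old_version"].add(key)
            continue

        # Endpoint nobody documented: a shadow API.
        if key not in documented:
            report["shadow"].add(key)
            continue

        # Known endpoint, but parameters the documentation does not mention.
        extra = set(parse_qs(parts.query)) - documented[key]
        if extra:
            report["undocumented_params"][key] |= extra

    report["undocumented_params"] = dict(report["undocumented_params"])
    return report


if __name__ == "__main__":
    for kind, found in discover(ACCESS_LOG).items():
        print(kind, found)
```

Feeding this the constructed log flags `/v2/internal/export` as a shadow endpoint, the `/v1/users/{id}` call as traffic to a superseded version, and `debug` as an undocumented parameter on a documented endpoint; each is a candidate for either documentation and testing or for retirement.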
API Access Control
Authenticating the right users and authorising their scope is a key part of API protection; it is typically handled by clients using API tokens and OAuth mechanisms. It is important to ensure that only the right users have access to the API and that their scope is well governed.
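To make the token-and-scope idea concrete, here is an added example (not AppTrana code) of a minimal bearer token with a subject, a scope list and an expiry, signed with HMAC-SHA256, and a route table that maps each endpoint to the scope it requires. The signing key, the routes and the scope names are constructed for the example; a real deployment would use a key from a secret store and a standard token format such as a JWT.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example only.
SIGNING_KEY = b"example-key-do-not-use"

# Constructed route -> required scope table. Anything not listed is denied.
REQUIRED_SCOPE = {
    ("GET", "/v2/orders"): "orders:read",
    ("POST", "/v2/orders"): "orders:write",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(subject: str, scopes, ttl_seconds: int, now: float | None = None) -> str:
    """Issue 'payload.signature' with subject, sorted scopes and absolute expiry."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": sorted(scopes), "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{payload}.{_sign(payload)}"


def verify_token(token: str, now: float | None = None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    # Constant-time comparison so the check does not leak how much of the MAC matched.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        return None
    return claims


def authorize(token: str, method: str, path: str, now: float | None = None) -> int:
    """Authentication first (401), then scope authorisation (403); unknown routes are 404."""
    claims = verify_token(token, now)
    if claims is None:
        return 401
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404
    if needed not in claims["scope"]:
        return 403
    return 200


if __name__ == "__main__":
    t = issue_token("app-1", {"orders:read"}, ttl_seconds=3600)
    print(authorize(t, "GET", "/v2/orders"), authorize(t, "POST", "/v2/orders"))
```

The separation matters for monitoring as much as for enforcement: a 401 says the caller could not prove who it is, a 403 says a known caller reached beyond its granted scope, and the two deserve different responses.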
API Rate Limiting
Another important aspect of API protection is controlling how much access each user has to these APIs; otherwise, API servers can easily be overloaded. This can happen because malicious hackers try to bring the server down, or unintentionally when legitimate clients generate the load. Such calls are generally legitimate, but at high volumes they can clog the API server's resources and make it unavailable to other users. To overcome this, rate limits are needed on the APIs, restricting how often each user can call them.
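A per-client token bucket is the usual way to express "how often each user can call the API". The following is an added example (not AppTrana code) showing a limiter that allows a short burst and then a sustained rate, answers with 429 and a Retry-After header when a client's bucket is empty, and keeps other clients unaffected. The capacity, rate, client names and the injectable fake clock are constructed for the example.

```python
from __future__ import annotations

import math
import time


class RateLimiter:
    """Per-client token bucket: each client may burst up to `capacity` requests and
    earns `rate` new requests per second, never exceeding the cap."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity = float(capacity)
        self.rate = rate
        self.clock = clock            # injectable so behaviour is reproducible in tests
        self._buckets = {}            # client_id -> (tokens, last_seen)

    def allow(self, client_id: str):
        """Return (allowed, retry_after_seconds) for one request from client_id."""
        now = self.clock()
        tokens, last = self._buckets.get(client_id, (self.capacity, now))
        # Refill proportionally to elapsed time, capped at the burst size.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True, 0.0
        self._buckets[client_id] = (tokens, now)
        return False, (1.0 - tokens) / self.rate   # time until one token is available


def respond(limiter: RateLimiter, client_id: str) -> dict:
    """Gateway-style decision: 429 with Retry-After when the bucket is empty."""
    allowed, retry_after = limiter.allow(client_id)
    if not allowed:
        return {"status": 429, "headers": {"Retry-After": str(math.ceil(retry_after))}}
    return {"status": 200, "headers": {}}


class FakeClock:
    """Manually set clock used by simulate() instead of the wall clock."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate(events, capacity: int = 3, rate: float = 1.0) -> list:
    """events: list of (time_offset_seconds, client_id), non-decreasing in time.
    Returns the status code each request received."""
    clock = FakeClock()
    limiter = RateLimiter(capacity, rate, clock=clock)
    statuses = []
    for t, client in events:
        clock.now = t
        statuses.append(respond(limiter, client)["status"])
    return statuses


if __name__ == "__main__":
    # Constructed burst: client "a" fires four requests at once, then one more at 0.5 s
    # and another at 1.5 s; client "b" sends a single request in between.
    print(simulate([(0.0, "a")] * 4 + [(0.5, "a"), (0.5, "b"), (1.5, "a")]))
```

With a capacity of 3 and a refill rate of 1 per second, the fourth request at time zero and the one at 0.5 s are rejected, client "b" is unaffected, and by 1.5 s client "a" has earned a token again. In a distributed deployment the bucket state would live in a shared store keyed by the authenticated client identity rather than in process memory.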
API Security Testing
Continuous testing of APIs for vulnerabilities is of paramount importance. APIs can be vulnerable in the same ways web applications are. OWASP, the open-source foundation dedicated to improving web application security, recently released the OWASP Top 10 list for APIs, which specifies the top threats to APIs. Some of these, such as authentication and authorisation, are already covered above, but just like web applications, APIs are also vulnerable to common attack vectors such as injection attacks. Beyond those, APIs are prone to business logic vulnerabilities arising from poor code or design. It is important that APIs are tested continuously to establish the risk posture of the application.
API Threat Detection
API threat detection is an extension of web application threat detection tools such as a WAF (Web Application Firewall). These monitor API requests for attacks such as SQL injection and other injection attacks. Because APIs are well documented, protection can be extended well beyond normal signature-based detection to more sophisticated positive security methods that enforce strict schema validation and input sanitisation.
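The difference between the two approaches is easiest to see side by side. The following is an added example (not AppTrana code) with a small positive-security validator that enforces a request schema derived from the API documentation (required fields, types, bounds, patterns, and no undeclared properties), next to a minimal negative signature check of the kind a generic WAF rule applies. The schema, the signatures and the sample request bodies are constructed for the example.

```python
from __future__ import annotations

import json
import re

# Constructed, hypothetical schema for POST /v2/orders in the style of an OpenAPI document.
ORDER_SCHEMA = {
    "type": "object",
    "required": ["sku", "quantity"],
    "additionalProperties": False,
    "properties": {
        "sku": {"type": "string", "pattern": r"^[A-Z0-9-]{4,20}$"},
        "quantity": {"type": "integer", "minimum": 1, "maximum": 100},
        "note": {"type": "string", "maxLength": 200},
    },
}

TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool, "object": dict}


def validate(value, schema, path: str = "$") -> list:
    """Return a list of violations (empty means valid). Anything not explicitly allowed is rejected."""
    errors = []
    kind = schema["type"]
    # bool is a subclass of int in Python; JSON true/false must not pass as numbers.
    if isinstance(value, bool) and kind in ("integer", "number"):
        return [f"{path}: boolean is not {kind}"]
    if not isinstance(value, TYPES[kind]):
        return [f"{path}: expected {kind}"]

    if kind == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required")
        for name, child in value.items():
            if name in props:
                errors += validate(child, props[name], f"{path}.{name}")
            elif not schema.get("additionalProperties", True):
                errors.append(f"{path}.{name}: not in schema")
    elif kind == "string":
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']}")
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            errors.append(f"{path}: does not match pattern")
    elif kind in ("integer", "number"):
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum")
    return errors


# Negative (signature) check for contrast: two textbook patterns, constructed for the example.
INJECTION_SIGNATURES = [re.compile(p, re.I) for p in (r"'\s*or\s+1\s*=\s*1", r"<script")]


def signature_hits(raw: str) -> list:
    return [p.pattern for p in INJECTION_SIGNATURES if p.search(raw)]


def inspect_request(raw_body: str, schema=ORDER_SCHEMA) -> dict:
    """Combine both checks: schema violations block; signatures are reported alongside."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return {"decision": "block", "reasons": ["malformed JSON"], "signatures": []}
    violations = validate(body, schema)
    return {
        "decision": "block" if violations else "allow",
        "reasons": violations,
        "signatures": signature_hits(raw_body),
    }


if __name__ == "__main__":
    # Constructed request with an undeclared "role" field: no signature fires, the schema rejects it.
    print(inspect_request('{"sku": "ABC-123", "quantity": 2, "role": "admin"}'))
```

The undeclared `role` field in the usage line is the kind of input a signature list has no opinion about, because it contains nothing that looks like an attack string; the schema rejects it simply because the documentation never allowed it. That is the practical meaning of "positive security": the allowed shape is enumerated, and everything else is denied.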
API Behaviour Monitoring
Another major aspect of API security is logging and monitoring. Monitoring access to the APIs, which means knowing who is calling them and how, understanding their behaviour and deriving patterns, is important, so that when an anomalous action occurs it immediately triggers further action, whether an immediate block or an offline investigation. This acts both as an early warning system and as an effective preventive mechanism against attacks.
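The following is an added example (not AppTrana code) of the monitoring loop in its simplest form: build a per-client profile from API access logs (request count, distinct object identifiers touched, authentication failures) and raise an alert with a suggested action when a profile crosses a threshold. The log format, the client names, the thresholds and the two anomalous behaviours (one client walking through many user IDs, one producing a run of authentication failures) are all constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed log format: client identifier (token subject or IP), time, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
ID_RE = re.compile(r"/users/(\d+)")

# Constructed log: a normal client, a client enumerating user IDs, a client failing logins.
AUDIT_LOG = """\
app-1 [10:00:01] "GET /v2/users/42" 200
app-1 [10:00:05] "GET /v2/orders" 200
app-1 [10:00:09] "GET /v2/users/42" 200
crawler [10:00:01] "GET /v2/users/1" 200
crawler [10:00:02] "GET /v2/users/2" 200
crawler [10:00:03] "GET /v2/users/3" 200
crawler [10:00:04] "GET /v2/users/4" 403
crawler [10:00:05] "GET /v2/users/5" 200
crawler [10:00:06] "GET /v2/users/6" 200
guesser [10:00:01] "POST /v2/login" 401
guesser [10:00:02] "POST /v2/login" 401
guesser [10:00:03] "POST /v2/login" 401
guesser [10:00:04] "POST /v2/login" 401
guesser [10:00:05] "POST /v2/login" 200
"""

# Constructed thresholds; in practice these come from a learned baseline per API.
THRESHOLDS = {"min_requests": 4, "distinct_ids": 5, "auth_failure_ratio": 0.6}


def profile(log_text: str) -> dict:
    """Aggregate per-client behaviour: volume, distinct object IDs, auth failures."""
    stats = defaultdict(lambda: {"requests": 0, "ids": set(), "auth_failures": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s = stats[m["client"]]
        s["requests"] += 1
        id_match = ID_RE.search(m["path"])
        if id_match:
            s["ids"].add(id_match.group(1))
        if m["status"] in ("401", "403"):
            s["auth_failures"] += 1
    return dict(stats)


def detect(log_text: str, thresholds=THRESHOLDS) -> list:
    """Turn profiles into alerts; the action tells the responder what to do next."""
    alerts = []
    for client, s in profile(log_text).items():
        if s["requests"] < thresholds["min_requests"]:
            continue  # too little traffic to judge
        if len(s["ids"]) >= thresholds["distinct_ids"]:
            alerts.append({"client": client, "signal": "object enumeration", "action": "investigate"})
        if s["auth_failures"] / s["requests"] >= thresholds["auth_failure_ratio"]:
            alerts.append({"client": client, "signal": "authentication failure burst", "action": "block"})
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

The two actions correspond to the two outcomes the text names: a run of failed authentications is cheap to block immediately, while a client reading many distinct objects may be legitimate (a back-office export, for instance) and is better routed to an analyst. Note that `app-1` never appears in the output, because three requests are below the minimum needed to judge its behaviour.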
Is an API Gateway Enough?
One of the common questions raised about API protection is:
“I have API gateway, isn’t that enough? Doesn’t it solve the API security needs?”
These questions stem from a lack of understanding of the various layers of API security described in the previous section.
Yes, an API gateway plays a key part in API protection, but it does not cover every aspect that API protection requires. An API gateway is best suited to managing APIs. From a security standpoint, gateways do take care of access controls and rate limits, and some API gateways also take care of schema validation. But that is about all an API gateway covers.
The following table clarifies which aspects an API gateway covers:
| API Security Functions | API Gateway |
|---|---|
| Unlimited Automated Scans for APIs | No |
| Protection for OWASP Top 10 API Vulnerabilities | No |
| API Specific Bot Protection | No |
| Parsing of OSI Specification and Generation of Positive Security Policies | No |
| Discovery of Shadow APIs | No |
| API Specific DDoS Protection | Yes |
| Authorization and Authentication | Yes |
| API Creation and Deployment | Yes |
| API Operation & Monitoring | Yes |
| SDK Generation & Lifecycle Management | Yes |
| Resilience – Thresholds for APIs | Yes |
So, then what should one do to get comprehensive API protection?