
Introduction to AppTrana’s Enhanced API Protection

Posted Date: May 17, 2022
Posted Time: 4 min read

Blog Series 1 out of 2.

APIs and the Need for Comprehensive API Security

APIs have become a vital cog of business and are driving the digital economy. Whatever your business is and whatever kind of application you are building, an Application Programming Interface (API) is almost certainly part of it. APIs let the client side of an application talk to the server side and, in machine-to-machine communication, let two applications talk to each other. With microservice architectures, the criticality of APIs has exploded.

APIs are generally publicly reachable and well documented, and their request formats can easily be reverse engineered from client traffic. This also makes APIs a primary attack surface for attackers.

In its How to Build an Effective API Security Strategy report, Gartner predicts that

By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.

All this means that API Protection is a very important aspect of any business, and it warrants special attention. When it comes to API security, there are multiple layers that need to be considered:

  • API Discovery
  • API Access Control
  • API Rate Limiting
  • API Security Testing
  • API Threat detection
  • API Behaviour Monitoring

One of the primary reasons why API protection does not get enough attention in an organisation is the lack of understanding of the different layers involved in API protection. Let’s dig a bit deeper into these layers.

API Discovery

APIs can only be protected if you know they exist, and visibility is one of the biggest challenges of API security. Organisations struggle with API visibility for the following reasons:

  • Shadow APIs: APIs built as part of an application that are known only to some teams and never publicised. They exist to make the application work, are treated as an implementation detail, and so few people know about them. The security team is therefore unaware of them and no protection is applied. The same happens to a known API when developers add parameters that are never documented: those parameters never enter the testing cycle.
  • Older versions of APIs: APIs are developed and improved, and new versions are released over time. To preserve continuity, the older versions are not retired. Attention goes to the latest version, but the older versions remain publicly reachable and can be exploited by attackers.
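One practical discovery check for both of these cases, as an added example that is not code from the original post: diff the paths an OpenAPI document declares against the paths the access logs show being served. Anything served but undeclared is a shadow route; anything served under a lower /vN/ than the spec's newest version is a stale version still live. The documented path set, the log lines and the /api/vN/ layout are constructed for illustration.

```python
"""Added example for the API Discovery section (not code from the
original post). It diffs the paths declared in an OpenAPI document
against the paths actually served according to access logs, to surface
shadow endpoints and older versions that are still live. The documented
path set, the log lines and the /api/vN/ layout are constructed."""
import re
from collections import defaultdict

# Constructed stand-in for the `paths` section of an OpenAPI document:
# only v2 is documented.
DOCUMENTED_PATHS = {
    "/api/v2/users/{id}",
    "/api/v2/orders",
    "/api/v2/orders/{id}",
}

# Constructed access-log excerpt, one request per line: "status method path".
ACCESS_LOG = """\
200 GET /api/v2/users/1042
200 GET /api/v2/orders/77
200 GET /api/v2/orders/78
200 GET /api/v1/users/1042
200 GET /api/v1/users/1043
201 POST /api/v2/orders
200 GET /api/v2/users/1042/export
404 GET /api/v2/nonexistent
200 GET /api/internal/debug/config
"""

VERSION_RE = re.compile(r"/v(\d+)/")


def normalize(path: str) -> str:
    """Collapse purely numeric segments into the {id} placeholder the spec
    uses, so that /orders/77 and /orders/78 both map to /orders/{id}."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def find_undocumented(spec_paths, log_text):
    """Return {path_template: hits} for routes that were actually served
    (2xx/3xx responses) but do not appear in the spec. A 404 is not
    evidence that a route exists, so those lines are skipped."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        status, _method, path = line.split(" ", 2)
        if not status.startswith(("2", "3")):
            continue
        template = normalize(path)
        if template not in spec_paths:
            hits[template] += 1
    return dict(hits)


def stale_versions(spec_paths, undocumented):
    """Subset of the undocumented routes that are an older version of a
    documented route: same path with a lower /vN/ than the spec's newest."""
    current = max(int(m.group(1)) for m in map(VERSION_RE.search, spec_paths) if m)
    stale = {}
    for template, hits in undocumented.items():
        m = VERSION_RE.search(template)
        if m and int(m.group(1)) < current:
            upgraded = VERSION_RE.sub(f"/v{current}/", template, count=1)
            if upgraded in spec_paths:
                stale[template] = hits
    return stale


if __name__ == "__main__":
    undocumented = find_undocumented(DOCUMENTED_PATHS, ACCESS_LOG)
    for template, hits in sorted(undocumented.items()):
        print(f"undocumented: {template} ({hits} hits)")
    for template, hits in stale_versions(DOCUMENTED_PATHS, undocumented).items():
        print(f"stale version still served: {template} ({hits} hits)")
```

On the constructed log this reports the v1 users route, an undocumented export sub-resource on a documented route, and an internal debug endpoint; the 404 is ignored because a missing route is not a shadow route. In practice the log side comes from the gateway or WAF rather than a text file, but the comparison is the same.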

API Access Control

Authenticating the right users and authorising the scope of what they may do is a key part of API protection. Clients typically present API tokens or OAuth access tokens, and the API server must verify them on every request and enforce the scopes they carry. It is important to ensure that only the right users can reach the API and that what they can do through it is well governed.

API Rate Limiting

Another important aspect of API protection is controlling how much each user may call the APIs. Otherwise API servers can easily be overloaded, either by attackers trying to bring the server down or by unintentional overload from legitimate clients. The calls may be perfectly legitimate, but at high volume they consume the API server's resources and make it unavailable to other users. Rate limits restrict how often each user can call the APIs and guard against both cases.
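The mechanism described above, as an added example that is not code from the original post: a sliding-window limiter keyed by client identity, placed in front of the API handler. Each client may make at most a fixed number of requests in any window; the excess gets HTTP 429 with a Retry-After hint. The client identifier (an API key here), the limits and the fake clock are assumptions for illustration.

```python
"""Added example for the API Rate Limiting section (not code from the
original post): a sliding-window limiter keyed by client identity. Each
client may make at most `limit` requests in any `window`-second span;
requests beyond that get HTTP 429 with a Retry-After hint instead of
reaching the API handler. The client identifier (an API key here) and
the limits are assumptions for illustration."""
import math
import time
from collections import deque


class SlidingWindowLimiter:
    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so the behaviour is testable
        self._hits = {}             # client_id -> deque of request timestamps

    def check(self, client_id: str):
        """Return (allowed, retry_after_seconds) for one request."""
        now = self.clock()
        q = self._hits.setdefault(client_id, deque())
        # Discard timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            # The oldest in-window request determines when a slot frees up.
            return False, self.window - (now - q[0])
        q.append(now)
        return True, 0.0


def handle(limiter: SlidingWindowLimiter, client_id: str, route: str):
    """Front a hypothetical API handler with the limiter. Returns
    (status_code, headers); 200 stands in for the real handler's response."""
    allowed, retry_after = limiter.check(client_id)
    if not allowed:
        return 429, {"Retry-After": str(math.ceil(retry_after))}
    return 200, {"X-Route": route}


class FakeClock:
    """Constructed clock so the example runs without real waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds: float):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=3, window=10.0, clock=clock)
    for _ in range(4):
        print(handle(limiter, "key-A", "/api/v2/orders"))
    clock.advance(10.0)
    print(handle(limiter, "key-A", "/api/v2/orders"))
```

Two points worth keeping from this: the limit is keyed by the authenticated client rather than only by source IP, so one tenant cannot exhaust another's quota, and in a real deployment the counters must live somewhere shared (the gateway, the WAF or a common store) so every API instance sees the same count.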

API Security Testing

Continuous testing of APIs for vulnerabilities is of paramount importance. APIs are vulnerable in much the same way as web applications. OWASP, the non-profit foundation dedicated to improving application security, has published the OWASP API Security Top 10, listing the most significant threats to APIs. Some of them, such as broken authentication and authorisation, were covered above, but like web applications APIs are also exposed to common attack vectors such as injection. APIs are additionally prone to business logic vulnerabilities caused by poor code or design. Continuous testing is needed to keep an accurate picture of the application's risk posture.

API Threat Detection

API threat detection is an extension of web application threat detection tools such as the WAF (Web Application Firewall). They monitor API requests for attacks such as SQL injection and other injection attacks. Because APIs are usually well documented, protection can go well beyond signature-based detection to a positive security model: strict schema validation derived from the API specification, so that any request that does not match the declared methods, paths, parameters and types is rejected, together with input sanitisation.
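What a positive security policy looks like in code, as an added example that is not from the original post: a route table (a hand-written stand-in for what would be generated from an OpenAPI document) and a small validator that enforces a subset of JSON Schema, so that unknown routes, unknown fields, wrong types and out-of-range or malformed values are rejected before any handler runs. The route, field names and rules are illustrative assumptions.

```python
"""Added example for the API Threat Detection section (not code from the
original post): a positive-security gate that only admits requests which
match a declared schema. ROUTES is a hand-written stand-in for what would
be generated from an OpenAPI document; the rules mirror a subset of JSON
Schema (type, required, additionalProperties, pattern, length, range)."""
import json
import re

# Assumed route table: one documented route with its request body schema.
ROUTES = {
    ("POST", "/api/v2/orders"): {
        "type": "object",
        "required": ["sku", "quantity"],
        "additionalProperties": False,
        "properties": {
            "sku": {"type": "string", "pattern": r"^[A-Z0-9-]{3,20}$"},
            "quantity": {"type": "integer", "minimum": 1, "maximum": 100},
            "note": {"type": "string", "maxLength": 200},
        },
    },
}

TYPES = {"string": str, "integer": int, "object": dict, "boolean": bool}


def validate(value, schema, path="$"):
    """Return a list of violations (empty means the value conforms)."""
    expected = TYPES[schema["type"]]
    # bool is a subclass of int in Python; an integer field must not accept true/false.
    if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
        return [f"{path}: expected {schema['type']}"]
    errors = []
    if expected is str:
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']}")
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            errors.append(f"{path}: does not match pattern")
    if expected is int:
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum")
    if expected is dict:
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required")
        for name, sub in value.items():
            if name in props:
                errors.extend(validate(sub, props[name], f"{path}.{name}"))
            elif not schema.get("additionalProperties", True):
                errors.append(f"{path}.{name}: not in schema")
    return errors


def admit(method, path, body_text):
    """Gate one request. Returns (status, reasons); 200 means the handler
    may run. Anything not declared in ROUTES is unreachable by design."""
    schema = ROUTES.get((method, path))
    if schema is None:
        return 404, ["no such route"]
    try:
        body = json.loads(body_text)
    except ValueError:
        return 400, ["body is not valid JSON"]
    errors = validate(body, schema)
    return (200, []) if not errors else (400, errors)


if __name__ == "__main__":
    print(admit("POST", "/api/v2/orders", '{"sku": "ABC-123", "quantity": 2}'))
    print(admit("POST", "/api/v2/orders", '{"sku": "x OR 1=1--", "quantity": 1}'))
    print(admit("POST", "/api/v2/orders", '{"sku": "ABC-123", "quantity": 1, "is_admin": true}'))
    print(admit("GET", "/api/v1/users/1", ""))
```

The difference from signature matching is visible in the second and third calls: the injection-looking SKU is refused because it is not a valid SKU, not because it matched a known attack string, and the extra is_admin field is refused simply because the schema never declared it. A gateway that only checks signatures would pass both.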

API Behaviour Monitoring

Another major aspect of API security is logging and monitoring: who is calling the APIs, how they are calling them, what their normal behaviour looks like and what patterns emerge from it. When an anomalous action occurs, it can then be acted on immediately, either by blocking it outright or by flagging it for offline investigation. This serves both as an early warning system and as an effective preventive mechanism against attacks.
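The baseline-and-compare logic this describes, as an added example that is not code from the original post: a per-client profile (request rate, routes used, 4xx ratio) is learned from one window of access logs and a later window is scored against it. The log lines are constructed and the thresholds are illustrative assumptions, not values from any product.

```python
"""Added example for the API Behaviour Monitoring section (not code from
the original post). A per-client behavioural baseline is learned from one
window of access logs and a later window is scored against it: a client
is flagged when it calls routes it never used before, when its request
rate exceeds RATE_FACTOR times its baseline, or when its 4xx ratio jumps.
The log lines are constructed and the thresholds are assumptions."""
from collections import defaultdict

RATE_FACTOR = 3.0      # observed rate above 3x baseline is suspicious (assumed)
ERROR_RATIO = 0.3      # more than 30% 4xx responses, and at least double the baseline (assumed)

# Constructed logs, one request per line: "minute client method path status".
# Learning window: minutes 0-9. key-A reads one order a minute, key-B two users.
BASELINE_LOG = (
    [f"{m} key-A GET /api/v2/orders/{100 + m} 200" for m in range(10)]
    + [f"{m} key-B GET /api/v2/users/{7 + i} 200" for m in range(10) for i in range(2)]
)
# Observed window: minute 10. key-A walks through order IDs (mostly 404s) and
# touches an export route it never used; key-B behaves as before; key-C is new.
OBSERVED_LOG = (
    [f"10 key-A GET /api/v2/orders/{500 + i} {'404' if i < 8 else '200'}" for i in range(12)]
    + ["10 key-A GET /api/v2/users/7/export 200",
       "10 key-B GET /api/v2/users/7 200",
       "10 key-B GET /api/v2/users/8 200",
       "10 key-C GET /api/v2/orders/1 200"]
)


def template(path: str) -> str:
    """Collapse numeric segments so individual object IDs do not look like new routes."""
    return "/".join("{id}" if s.isdigit() else s for s in path.split("/"))


def profile(lines, minutes: int):
    """Per-client profile over a window: request rate, route set, 4xx ratio."""
    prof = defaultdict(lambda: {"count": 0, "errors": 0, "routes": set()})
    for line in lines:
        _minute, client, method, path, status = line.split()
        p = prof[client]
        p["count"] += 1
        p["routes"].add(f"{method} {template(path)}")
        if status.startswith("4"):
            p["errors"] += 1
    for p in prof.values():
        p["rate"] = p["count"] / minutes
        p["error_ratio"] = p["errors"] / p["count"]
    return dict(prof)


def detect(baseline, observed):
    """Return (client, reason) findings for the observed window."""
    findings = []
    for client, obs in observed.items():
        base = baseline.get(client)
        if base is None:
            findings.append((client, "no baseline for this client"))
            continue
        new_routes = obs["routes"] - base["routes"]
        if new_routes:
            findings.append((client, "new routes: " + ", ".join(sorted(new_routes))))
        if obs["rate"] > RATE_FACTOR * base["rate"]:
            findings.append((client, f"rate {obs['rate']:.1f}/min vs baseline {base['rate']:.1f}/min"))
        if obs["error_ratio"] > ERROR_RATIO and obs["error_ratio"] > 2 * base["error_ratio"]:
            findings.append((client, f"4xx ratio {obs['error_ratio']:.2f} vs baseline {base['error_ratio']:.2f}"))
    return findings


def run():
    return detect(profile(BASELINE_LOG, minutes=10), profile(OBSERVED_LOG, minutes=1))


if __name__ == "__main__":
    for client, reason in run():
        print(f"{client}: {reason}")
```

Every request in the observed window for key-A is individually valid and would pass both authentication and schema validation; it is only the change against the client's own history (new route, 13x the usual rate, a burst of 404s from guessing IDs) that makes it stand out, which is the point of keeping a behavioural baseline alongside the per-request checks.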

Is an API Gateway Enough?

One of the common questions that is raised when it comes to API Protection is that –

“I have API gateway, isn’t that enough? Doesn’t it solve the API security needs?”

These questions stem from the lack of understanding of various layers of API security mentioned in the previous section.

Yes, an API gateway plays a key part in API protection, but it does not cover everything that API protection requires. An API gateway is primarily a management tool for APIs. From a security standpoint, gateways do handle access control and rate limiting, and some also perform schema validation. But that is as far as an API gateway goes.

The following table shows which aspects an API gateway covers:

API Security Functions                                                    API Gateway
  API Scanning                                                            No
  Unlimited Automated Scans for APIs                                      No
  Protection for OWASP Top 10 API Vulnerabilities                         No
  API-Specific Bot Protection                                             No
  Parsing of the OpenAPI Specification and Generation of                  No
    Positive Security Policies
  Discovery of Shadow APIs                                                No
  API-Specific DDoS Protection                                            Yes
  Authorization and Authentication                                        Yes

API Management                                                            API Gateway
  API Creation and Deployment                                             Yes
  API Operation & Monitoring                                              Yes
  SDK Generation & Lifecycle Management                                   Yes
  Resilience – Thresholds for APIs                                        Yes

So, then what should one do to get comprehensive API protection?

Learn more in the next blog in this series, and start a free trial to understand API protection better.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.


Vivek Gopalan

Vivekanand Gopalan is a seasoned entrepreneur and currently serves as the Vice President of Products at Indusface. With over 12 years of experience in designing and developing technology products, he has a keen eye for building innovative solutions that solve real-life problems. In his previous role as a Product Manager at Druva, Vivek was instrumental in creating the core endpoint data protection solution which helped over 1500 enterprises protect over a million endpoints. Prior to that, he served as a Product Manager at Zighra, where he played a crucial role in reducing online and offline payment fraud by leveraging mobile telephony, collective intelligence, and implicit user authentication. Vivek is a dynamic leader who enjoys building and commercializing products that bring tangible value to customers. In 2010, before pursuing MBA, he co-founded a technology product company, Warmbluke and created a first-of-its-kind innovative Civil Engineering estimator software called ATLAS. The software was developed for both enterprise and for SaaS users. The product helps in estimating the construction cost using CAD drawings. Vivek did his MBA from Queen's University with Specialization in New Ventures. He also holds a Bachelor of Technology degree in Information Technology from Coimbatore Institute of Technology, Anna University, one of the prestigious universities in India. He is the recipient of the D.D. Monieson MBA Award, Issued by Queen's School of Business, presented to a student team which has embraced the team-learning model and applied the management tools and skills to become a peer exemplar. In his spare time, Vivek likes to go on hikes and read books.
