Web security has a lot on its plate just protecting applications. But cybercriminals are always hungry for new opportunities, and APIs are making their way to the top of the menu. Gartner predicts application programming interface (API) attacks will become the most frequent form of cyber-attack in 2022. As a result, the cybersecurity industry requires a new web security approach, one that adequately addresses API security concerns.
Web APIs are Part of Web Security
At some point, most developers have had to explain what exactly an API is. They may have tried the waiter analogy to get the idea across to less tech-savvy clients or friends.
Put simply, an API is the in-between code that acts as an interface between software applications. In the analogy, the API is a waiter taking the order to the kitchen and returning with the food. The API didn’t make the food, and it didn’t eat the food. It is just the messenger linking an application that makes a request with a system that can provide the data it is looking for.
While both web APIs and web applications are fundamental to the modern online experience, it is only applications that the end user directly interacts with. Maybe this is why web security can sometimes seem too focused on application security.
But web APIs are everywhere nowadays: we employ a lot of waiters, and they are tasked with delivering a lot of sensitive food, or data. The service staff that make the internet work as well as it does deserve better protection. They need a new approach to web security and a new acronym: WAAP (Web Application and API Protection).
Web API Security Vulnerability
APIs are the building blocks of modern microservices applications. An entire economy has been created from APIs that facilitate data sharing and offer access to software functionality.
However, by their very nature, APIs are accessible through the public internet and can expose application logic and private data, making them prime targets for cybercriminals worldwide.
Common API security vulnerabilities include incorrect implementation of authentication mechanisms and a failure to restrict the size or number of resources a user can request. The Open Web Application Security Project (OWASP) has published a top 10 list of API vulnerabilities.
What Can Go Wrong with Compromised APIs?
These API vulnerabilities pose a range of threats to companies.
First and foremost, significant data breaches that expose sensitive information and potentially cause:
● Disruptions to vital business operations
● Data loss
● Account takeover
● Irreparable brand damage
A common mistake behind data losses is APIs not enforcing the required authentication and authorization checks. This can happen when organizations promote new API use and relax access controls.
Web companies also have to consider scraping incidents, where data is harvested en masse via compromised APIs, and brute-forcing and credential-stuffing techniques that aim to compromise user credentials or take over accounts. This last one is particularly troublesome for the financial industry, where bad actors use this access to perpetrate fraud.
Similar to web application security, the growing risk of API attacks has led to the development of new approaches that identify and secure APIs open to attack.
Protecting Both Web Apps and Web APIs
First coined by Adam Hils and Jeremy D’Hoinne of Gartner, WAAP describes specialized security tools designed to protect both web applications and APIs. Traditional solutions struggle to truly safeguard web applications and APIs. Typical issues they have include:
● Signature-based detection that can’t keep up with constantly evolving application attacks
● Web Application Firewalls (WAFs) that require manual rule development in the face of continual web app and API changes
● Attacks on web apps and APIs using legitimate ports and protocols (such as HTTP or HTTPS)
● The added level of complexity, which lets malicious content hide more easily
● TLS encryption creating challenges for malware detection
Successful WAAP services must inspect requests before the API endpoint (when the connection to the application is made) and find ways to adapt to continual app changes. With WAAP services, users gain access to a range of security capabilities that provide the level of protection required to match the threat businesses face online, such as:
● Next-Gen WAF: AI-powered firewall protection at the application layer that goes beyond signature-based detection to block a broader spectrum of attacks.
● Advanced Rate Limiting: Placing better restrictions on the size or number of resources users can request to prevent malicious use without affecting genuine users.
● API and Microservices Protection: Security explicitly designed for microservice applications to protect a company’s entire web presence.
● Bot Protection: Distinguishing between legitimate and malicious bot traffic.
● RASP (Runtime Application Self-Protection): Security embedded into the application runtime to defend web APIs and apps in real time.
● DDoS Protection: Ensuring continuity of service with DDoS safeguards at the application and network layers.
● Protection Against Account Takeover: Preventing the use of credentials obtained from compromised data dumps and identifying unauthorized access via authentication APIs.
● Automation: Given the constant changes in app design and use, WAAP solutions offer an automated layer that continually learns and adapts to keep protection current.
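The two API weaknesses the article names most often are missing authentication/authorization and the absence of limits on the size or number of requests. The following is an added example, not code from the article or from any WAAP vendor, showing what a request check "in front of the endpoint" looks like in practice: a deliberately weak handler that returns any record to any authenticated caller sits beside a hardened handler that adds a body-size cap, a per-client request limit, and an object-level ownership check. All tokens, record ids, and the client address are constructed sample values, and the helper names are hypothetical.

```python
"""Added example: pre-endpoint checks (size cap, rate limit, authn, authz).

Everything here is constructed for illustration; it is not a real product's
API and the names are hypothetical.
"""
import time
from dataclasses import dataclass, field

# Constructed sample data: bearer tokens -> user ids, and record ownership.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
RECORDS = {
    "r1": {"owner": "alice", "body": "alice's invoice"},
    "r2": {"owner": "bob", "body": "bob's invoice"},
}

MAX_BODY_BYTES = 1024          # cap on request size
MAX_REQUESTS_PER_WINDOW = 5    # cap on number of requests per client
WINDOW_SECONDS = 60


@dataclass
class Request:
    headers: dict
    path: str
    body: bytes = b""
    client_id: str = "198.51.100.10"   # constructed sample client address


@dataclass
class RateLimiter:
    """Sliding-window counter: at most `limit` hits per `window` seconds per key."""
    limit: int
    window: float
    hits: dict = field(default_factory=dict)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits.get(key, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


def authenticate(req):
    """Map an 'Authorization: Bearer <token>' header to a user id, or None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def lookup_record(path):
    """Resolve '/records/<id>' to a record dict, or None if the path is unknown."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "records":
        return None
    return RECORDS.get(parts[1])


def handle_no_authz(req):
    """Weak handler: authenticates the caller but never checks ownership,
    so any valid token can read every record (the data-loss mistake the
    article describes)."""
    if authenticate(req) is None:
        return 401, "unauthenticated"
    rec = lookup_record(req.path)
    if rec is None:
        return 404, "not found"
    return 200, rec["body"]


def handle(req, limiter, now=None):
    """Hardened handler. Order: size cap, rate limit, authentication,
    object-level authorization. Returns (HTTP status, payload)."""
    if len(req.body) > MAX_BODY_BYTES:
        return 413, "payload too large"
    # Counted before authentication so unauthenticated floods are limited too.
    if not limiter.allow(req.client_id, now):
        return 429, "rate limit exceeded"
    user = authenticate(req)
    if user is None:
        return 401, "unauthenticated"
    rec = lookup_record(req.path)
    if rec is None:
        return 404, "not found"
    if rec["owner"] != user:          # object-level authorization
        return 403, "forbidden"
    return 200, rec["body"]


if __name__ == "__main__":
    limiter = RateLimiter(MAX_REQUESTS_PER_WINDOW, WINDOW_SECONDS)
    own = Request({"Authorization": "Bearer tok-alice"}, "/records/r1")
    other = Request({"Authorization": "Bearer tok-alice"}, "/records/r2")
    print("weak handler, other user's record:", handle_no_authz(other))
    print("hardened, own record:", handle(own, limiter))
    print("hardened, other user's record:", handle(other, limiter))
```

The rate limiter takes an explicit `now` so the window behaviour can be exercised deterministically; in a real deployment the limiter state would live in shared storage so every gateway instance sees the same counts, and the key would usually combine client address with the authenticated identity.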
Building a secure web
Unfortunately, the risk of vulnerabilities in both web APIs and web applications isn’t going anywhere. The recent pandemic caused a massive acceleration towards online services, and cybercriminals now have a significantly larger attack surface. But, with the proper implementation of next-generation web security like WAAP, businesses can operate online securely and with peace of mind, knowing their data is protected.