Five Components for Strong API Security
Malicious attacks on APIs are easy, frequent, and lucrative.
APIs are the front door to digital businesses and sensitive data, and too often it’s a door with a broken lock or the keys have been left out for anyone to find.
Once an intruder gains entry, they can move around, elevate privileges, or create new identities and find all the valuable information. That’s why APIs are so attractive as a cyber target.
There are five common components to consider if your job is to stop these attacks: developer education and training, code inspection and testing, runtime defenses, threat hunting (including threat intelligence), and threat protection.
Education and code hygiene are certainly important and needed if the volume of malicious attacks is to decline. But they’re not enough. There are still vulnerabilities that attackers can exploit. For example, if an API key is sniffed and stolen, and the API’s logic is understood from its message formats, then an attack on the API will be successful.
Runtime defenses such as web application firewalls (WAFs) and API gateways control access to enterprise applications and APIs and offer protection against denial of service and bot attacks, but they, too, won’t stop malicious actors that use stolen credentials. Malicious traffic can pass through these defenses (or circumvent them) undetected and then exploit an API.
That’s one reason why threat hunting services have become popular. They build and use catalogs of threat behaviors or analyze message traffic (usually with some level of AI or ML) to detect, alert on, and quarantine malicious traffic. But just like air traffic radar in aviation, they’re prone to false positives and false negatives, and new attack mechanisms go unrecognized. It takes time for AI and ML to learn any new attack technique.
Less well known is the category of API threat protection. Although it operates in the “runtime” phase of an API lifecycle, it’s interesting because it is the mechanism closest to the API and acts as the final protective layer for the API. Unfortunately, it is often overlooked in API security, but it is very effective if done well. You can think of API threat protection as adding sophisticated access controls in front of enterprise APIs and sensitive infrastructure. Implemented correctly, API threat protection can block all malicious and untrusted traffic before it reaches the API. Any malicious traffic that has passed through the other defenses (including traffic with stolen credentials), and traffic that failed detection in threat hunting, can be blocked by the right API threat protection technology.
If you’re not using API threat protection in your API security architecture, and you’re seeing API attacks and data loss, then you should strongly consider adding it as a layer in your security architecture.