
4 Essential Tools for Protecting APIs and Web Applications

29 Oct 2020 10:30am, by Brian Schwarz

Threat actors continue to evolve, developing new tools to effectively target expanding platforms, applications, and attack surfaces almost as soon as they are implemented. The entire range of solutions impacted by digital innovation is ripe for attack because many organizations tend to embrace new technologies before fully implementing a security strategy to protect them. The increasing reliance on Application Program Interfaces (APIs) to develop web applications and other services is a perfect example.

Increased Reliance on APIs Creates New Risks

Brian Schwarz
Brian Schwarz is Director of Product for Application Security at Fortinet. With over 20 years of experience working with networking and security solutions for the enterprise, Brian currently focuses on Fortinet’s Web application and API security solutions. Previously, Brian has held a variety of positions spanning product marketing, product management, technical marketing, and technical training for leading industry vendors.

APIs are sets of routines, protocols, and tools used for building software applications. In general, APIs enable programmers to easily interact with a programming language, software libraries, or other software tools. They are increasingly being used to develop new web applications that provide a richer, more responsive user experience, especially for mobile device users. They are also used to expose data “as a service” to internal users, external partners, and customers. In fact, 64% of organizations today create APIs for use in either internal or external use cases.

And as you might expect, cybercriminals are hot on the heels of this trend, developing and deploying attacks for which many organizations are singularly unprepared. Common API attacks include injection attacks, where malicious input is passed to an API as part of a query or command, resulting in unauthorized access to information. DoS attacks aimed at APIs can render them unresponsive. API authentication and access controls can be broken. Even traditional man-in-the-middle attacks have been adapted to target APIs. REST (Representational State Transfer) APIs are especially vulnerable because they use HTTP as their underlying protocol. The result is that corporate and customer data remain at increased risk as long as organizations fail to implement security tools and strategies designed to protect the API infrastructure.

Addressing API Security Threats

Fortunately, there is a wide range of tools available to help organizations effectively protect their API-based solutions. Here are four essential API-focused security solutions every organization should have in place:

  1. Web Application Firewalls (WAFs) are the first line of defense for protecting APIs and web applications. They are explicitly designed to secure both traditional and API-based web applications. They not only supplement the signature-based defenses provided by firewalls and IPS platforms, but, unlike any other security solution, a WAF can also provide broad application protection. It does this because the WAF understands application logic as well as the elements that exist in a web application, such as URLs, parameters, and even the cookies it uses. By monitoring application usage and behaviors, and through deep inspection, a WAF can build a baseline of normal behavior for every application in use. When anomalies arise, the WAF can then trigger actions to protect your applications, whether they run in your datacenter or in the cloud. A WAF solution can also provide bidirectional defenses against malicious sources, DDoS attacks, and sophisticated threats targeting APIs and web applications, including SQL injection, cross-site scripting, buffer overflows, file inclusion, cookie poisoning, and many others.
  2. Bot Mitigation is essential since malicious botnets are a primary tool for delivering attacks targeting APIs. To quickly protect websites, mobile apps, and APIs from automated threats, some WAF solutions allow administrators to configure a bot mitigation feature that checks for more specific signatures, such as client events, and the occurrence of suspicious behaviors by regular clients.
  3. API Gateways provide a wide range of functions, such as traffic management, monitoring and logging, and API versioning. However, an API gateway should also include additional essential security functions, starting with authorization and authentication to maintain and secure a single point of entry for API access. This ensures that only authorized developers and administrators have access to API resources. Other security features should include API key verification, rate limit control, and call rewriting. It should also include dynamic attack signatures that enable it to identify threats targeted at APIs. Additional API security should include schema validation to validate API syntax and grammar, and API testing to determine if an API meets expectations for functionality, reliability, performance, and security.
  4. Anti-DDoS solutions must be able to detect threats targeting APIs, since the fastest-growing category of DDoS attacks targets Layer 7. These attacks require only a few megabits of packets to do as much harm as large-scale volumetric attacks consisting of hundreds of gigabits of data that are used to overwhelm servers and other devices. The challenge is that most Internet Service Providers (ISPs) focus on volumetric DDoS prevention and lack tools for detecting and intercepting these smaller, application-level threats, which means the attacks can frequently pass through to the network. And because of their size, they may also appear completely normal to most traditional in-house DDoS detection solutions. As a result, organizations need to ensure that their overall DDoS mitigation strategy includes the ability to detect and mitigate API-focused DDoS attacks.
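To make the gateway controls in item 3 concrete, the following added example (written for this page, not code from Fortinet or any product) applies API key verification, a per-key sliding-window rate limit, and schema validation to a request in that order; the same per-client request-rate accounting is the building block that item 4's application-layer flood detection relies on. The key store, the /orders schema, and the limit values are constructed assumptions.

```python
import json
import time
from collections import defaultdict, deque

# Constructed key store and policy (assumptions for this example, not any product's data).
API_KEYS = {"key-alpha": "partner-a", "key-beta": "partner-b"}
RATE_LIMIT, WINDOW_SECONDS = 5, 10.0  # accepted requests per key per sliding window
# Minimal schema for a hypothetical /orders endpoint: field -> (type, required)
ORDER_SCHEMA = {"sku": (str, True), "qty": (int, True), "note": (str, False)}
_windows = defaultdict(deque)  # api key -> timestamps of recently accepted requests

def validate_schema(payload, schema):
    """Return a list of schema violations; an empty list means the body conforms."""
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    errors = []
    for field, (ftype, required) in schema.items():
        if field not in payload:
            if required:
                errors.append(f"missing required field '{field}'")
        elif type(payload[field]) is not ftype:  # exact type: bool does not pass as int
            errors.append(f"field '{field}' must be {ftype.__name__}")
    errors += [f"unexpected field '{f}'" for f in payload if f not in schema]
    return errors

def within_rate_limit(key, now):
    """Sliding-window limiter: at most RATE_LIMIT accepted requests per WINDOW_SECONDS per key."""
    window = _windows[key]
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()  # forget timestamps that fell out of the window
    if len(window) >= RATE_LIMIT:
        return False  # rejected requests do not consume a slot
    window.append(now)
    return True

def gateway_check(headers, body, now=None):
    """Run key verification, rate limiting and schema validation in order; return (status, reason)."""
    now = time.time() if now is None else now
    key = headers.get("X-API-Key")
    if key not in API_KEYS:
        return 401, "unknown or missing API key"
    if not within_rate_limit(key, now):
        return 429, "rate limit exceeded"
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, "malformed JSON"
    errors = validate_schema(payload, ORDER_SCHEMA)
    return (400, "; ".join(errors)) if errors else (200, f"accepted for {API_KEYS[key]}")
```

Checks are ordered so that the cheapest rejection happens first: an unknown key never reaches the limiter, and a client over its limit never has its body parsed.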

Add API Security Defenses to Your Security Arsenal

While firewalls indeed remain the first line of defense in the data center, new threats targeting web applications and APIs require your security infrastructure to have new capabilities. Tools that rely on signature-based detection, IP reputation, and deep packet inspection (DPI) can stop some — but not all — of the advanced threats facing today’s API-based applications and services. To provide a more complete solution, organizations need to add security tools such as web application firewalls, API gateways, and DDoS mitigation solutions. These tools are essential for protecting your data and users from a rising tide of sophisticated attacks targeting API-based resources.
