Can You ‘Bot Proof’ Your Applications and APIs?
When you’re coding an application or API, your intended user is probably a human. The reality is that a larger proportion of internet traffic is now automated. In 2021, 42.3% of all traffic on the internet came from a nonhuman user. Should you be worried?
One specific type of automated traffic, bots, are software applications that execute repetitive tasks. They’ve become commonplace because bots can complete simple tasks more quickly than a human. Bots perform beneficial and malicious tasks across the internet every day.
Good bots can be used to scrape data from multiple sources to help a user quickly find information, such as a search result. Alternatively, bad bots can be used to carry out a range of malicious tasks, from account takeover to denial of inventory to enabling high-speed abuse, misuse and attacks on websites, mobile apps and APIs. Successful attacks can lead to website downtime, data leakage and various forms of online fraud.
Bad bot traffic is rising at a time when developers are building more applications and APIs to enable digital customer experiences. The expanding array of endpoints is a ripe target for automated bot attacks.
Do You Have a Bad Bot Problem?
Every online business needs to care about bad bot traffic. While some industries — like retail, travel, financial services and gaming — see a higher proportion of bot traffic across their websites and applications, it’s an issue that affects every industry. What’s more, bots are a persistent, 24/7 threat to a business’s website, apps and APIs.
In 2021, bad bots accounted for 27.7% of all global website traffic, up from 25.6% in 2020. Advanced bots use the latest evasion techniques, including cycling through random IPs, entering through anonymous proxies, changing identities and mimicking human behavior to evade detection.
In fact, bots increasingly use natural language processing (NLP) to respond with adapted semantics so they can convey realistic human behavior. Unfortunately, the more sophisticated the bot is, the harder it is to detect and stop with basic security defenses.
To identify a potential bot problem, there are several indicators you can closely monitor:
- Traffic patterns: Abnormal spikes in traffic that cannot be reasonably explained could indicate the presence of automated traffic. This is particularly true if high volumes of traffic to the application or API occur during off hours, like a weekend.
- Suspicious IPs: An increase in activity from an unknown IP range or region/country you wouldn’t expect traffic from could be another indication of automated traffic. Humans typically make small volumes of requests, whereas a bot might make many requests at once.
As the proportion of bot traffic across the internet grows, organizations are becoming more proactive and investing in bot management. The 2022 Cyberthreat Defense Report from the CyberEdge Group found that 40.7% of organizations are already using a bot management solution, while another 40.4% plan to implement a solution in the next 12 months.
How to Harden Your Apps and APIs from Automated Security Threats
Regardless of the attack vector or pathway a cybercriminal uses, they’re after one thing: data. Developers have a responsibility to the business to ensure the applications and APIs they build, which often connect directly to an underlying database, cannot be easily exploited by a cybercriminal. It’s why many developers use the secure software development life cycle (SSDLC) approach for code releases.
Below are three ways to proactively mitigate automated abuse of applications and APIs:
- Establish a baseline for the application or API’s expected behavior: By understanding the baseline rate per minute/second or the expected geography of users, you can more easily detect abnormal usage and unusual spikes in traffic. For example, a “write” API is not frequently called upon, unless it is used for logging. If there’s an unexpected uptick in traffic from this kind of API, it could indicate abnormal activity.
- Understand how users should access the API: If access requires a token or API key, rate limits should be applied in two ways: requests per minute/session, and on the IP’s per token/key and tokens/keys per IP. This can help developers identify an attack that is trying to circumvent the rate limit.
- Implement an audit trail: Keep an eye on user activity across your applications and APIs. An audit trail maintains a record of all user activity on a specific application or even API. This enables developers and security teams to monitor traffic logs and verify if or when there is potentially malicious activity coming from bots.
Year over year, the proportion of human traffic across the internet declines and is replaced with automated bot traffic. With it comes a range of new security-related challenges that organizational leaders and developers will need to navigate and find ways to address.
By implementing a dedicated bot solution that is capable of monitoring and detecting traffic anomalies without impacting legitimate human users, developers can spend more time writing code and less time inspecting apps or APIs for potential bot activity.