Modal Title
API Management / Security

Don’t Be Fooled: API Gateways Aren’t a Security Panacea

Many products in the market today provide high-level access control for an API. That’s not sufficient for stopping a motivated attacker.
May 9th, 2022 6:10am by
Featued image for: Don’t Be Fooled: API Gateways Aren’t a Security Panacea
Photo by Michael Aleo on Unsplash

For once, developers and security leaders agree on something: APIs are necessary for enabling the future of digital innovation. In fact, in a global survey conducted by Forrester, 78% say the adoption of APIs is important for their company to stay competitive in the market.

Lebin Cheng
Lebin is a technologist and developer with more than 20 years of experience in cybersecurity. He cofounded Netskope and later cofounded CloudVector, which was acquired by Imperva. He was awarded 15 patents in areas such as network security, application infrastructure and API inspection. He holds an MBA from the Haas School of Business at the University of California Berkeley and a M.S. in computer science from Purdue University.

While the need for APIs is growing, so is the need to protect them. The same survey revealed that 56% of application developers believe API security is a key priority for their organization in the next 12 months. Is it for you and your team?

As a common security best practice, developers and security teams will deploy an API gateway with a web application firewall (WAF) in front to block malicious traffic or cyberattacks targeted at APIs and applications.

Unfortunately, this traditional approach is unable to provide protection against the sophisticated threats that organizations face today. Further, cloud native environments are more complex and the volume of APIs that connect all parts of the applications are multiplying. It’s not uncommon for those endpoints to be outside of the WAF, making them vulnerable to attack.

If your organization is serious about security, the API gateway or API management solution you’re using now isn’t equipped to stop all attacks that can lead to a serious data breach.

Don’t Confuse API Gateways with API Security

API gateways are commonly offered as part of an API management solution. Any security-related features associated with API gateways are usually related to access authentication or endpoint-level authorization.

The reality is that access control is only one component of API security. Sophisticated attacks leveraging a valid API token can successfully target vulnerabilities in the application business logic and data layer. Only a purpose-built API security solution can detect such attacks.

API gateways monitor endpoints; they cannot discover each API’s full schema. More critically, API gateways are not capable of identifying or classifying the data that flows through each API. Without this level of visibility, organizations are blind to potential data breach risks.

While some cloud-service providers offer API gateway products, they still recommend deploying a WAF in front to protect the applications. Organizations must take a new approach to protect their frontend and backend APIs.

Only Looking at North-South Traffic? You’re Getting Half the Story

To truly protect the APIs that enable and connect the applications and digital services your business relies on, visibility into the API’s behavior is needed.

Traditionally, organizations only have visibility into north-south API traffic that passes through the API gateway and WAF. However, they’re blind to east-west traffic patterns — which makes up communication between servers, containers, and services and is outside of visibility to the WAF. In modern, service-oriented architecture (SOA), east-west traffic within the data center is conducted through APIs and makes up a substantial proportion of all traffic. In some cases, east-west API traffic is an extension of north-south traffic, which makes it critical for security monitoring. For example, a backend-for-frontend (BFF) application might leak north-south calls to any trusting backend, resulting in breaches that are close to impossible to detect without east-west monitoring in place.

Without the right layer of visibility, organizations are blind to API abuse or potential data exfiltration. In the gaps, organizations can be exposed to man-in-the-middle (MITM) attacks, API code injections (XSS and SQLi) or lateral movement attacks.

The API gateway exists to deliver important capabilities such as access control, but to defend against the OWASP API Security Top 10, organizations need to invest in API security with discovery and data classification capabilities.

If You Care about Your Applications and APIs, Secure Them Effectively

Organizations that manage a complex software development environment that’s connected by an ecosystem of APIs require protection for both public-facing and backend APIs. The solution must work across legacy, hybrid and cloud native environments including Kubernetes, legacy monolithic apps, standalone microservices and web proxies. Most importantly, this solution shouldn’t slow down the development team as they advance the organization’s innovation roadmap.

Many products in the market today are billed as security-centric but only provide high-level access control for an API. That’s not sufficient for stopping a motivated attacker who will employ sophisticated attack methods. Both developers and security teams need the ability to see beyond the endpoint and into the API’s underlying payload while automatically updating the API inventory whenever modifications are made to APIs in production.

If you do not already have visibility into the full API schema or the changes being made to the schema, you’ll be unaware if the API is compromised or what data is accessed by an API. These types of gaps will continue to be exploited by cybercriminals and will be the breeding ground for data breaches in the future. Don’t be fooled: An API gateway is not the end-all security solution. Focus on looking for a partner that can deliver purpose-built API security.

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.