While some may look at the world of microservices and containerization as one of increased efficiency and simplified development processes, among other benefits, the security-focused among us may see something entirely different: a sharp expansion of the attack surface. Simply put, as we disaggregate monolithic applications into microservices, we multiply the application programming interfaces (APIs) the microservices need in order to talk to one another, and each of these endpoints is another potential attack vector.
With this in mind, open source integration vendor WSO2 has teamed up with Ping Identity to add Ping's artificial intelligence (AI)-powered API security protections to its own set of open source policy-control software.
Ken Oestreich, vice president of marketing at WSO2, explained in an interview with The New Stack that the recent explosion in APIs has made traditional security methods untenable for the complexity and dynamism of modern microservice environments.
“If you look throughout IT history, maybe go back 20 years, all software was monolithic. You just wrote one piece of software and it did everything. Occasionally, software from one vendor had to talk to software from another vendor and it was either glue code or something like that. In the last four or five years, there’s been an explosion in using APIs to front-end software, so that one piece of software could talk to another,” said Oestreich. “This market for API-fronted systems has exploded even further with the advent of microservices. We now have this range of really big systems having to interact with smaller systems, and the glue between all of these things is the API. These things are growing by orders of magnitude. As we get into more microservices, where you have hundreds, thousands, or tens of thousands of microservices being enacted for a few milliseconds, there’s absolutely no way to manually vet any of this stuff.”
With the partnership between WSO2 and Ping Identity, the two existing products, WSO2 API Manager and PingIntelligence for APIs, can now be integrated through an open source extension that communicates with the PingIntelligence API Security Enforcer (ASE) module, deployed in the WSO2 API Gateway. In practice, users of WSO2 API Manager can apply Ping Identity's AI-based traffic analysis and threat blocking to their APIs alongside the static, policy-based security controls that the WSO2 gateway already enforces. The two layers are complementary: static policies (authentication, authorization, rate limits) decide what a caller is allowed to do, while the AI layer looks for callers that stay within those rules but behave unlike the API's normal users.
Oestreich explained that Ping Identity's ability to provide dynamic, rather than solely static, rules and controls suits it to ephemeral systems that are often developed by distributed teams.
“The AI-based threat detection learns patterns in quantities of API usage and calling, and flags what it believes to be potentially questionable use of the API endpoints. It gives people an extra, added level of comfort that bad actors aren’t trying to attack the burgeoning number of endpoints and APIs,” said Oestreich. “This is unbelievably useful as these API systems get more complex and unpredictable. Any IT department has tens, dozens, even hundreds of developers who are integrating APIs and they’re doing so asynchronously and independently. You don’t always know who is using an API or how. Different developer groups are going to be pinging an API differently. Having this sort of a security net is unbelievably useful as the systems get more complex.”
According to the companies' announcement, the integration will allow its users to prevent a number of different types of API attacks, including “attacks that use a valid user account to reverse engineer the API and breach other accounts to steal data—while looking like a normal user” and “attacks that use stolen tokens, cookies, or API keys; attacks on login systems; remote application control; botnets scraping data; data exfiltration; API-specific denial of service/distributed denial of service (DoS/DDoS) attacks, as well as an array of attacks coming from authenticated users.” What these have in common is that a static policy check passes: the credential is valid and the request is well formed, so the only signal left is that the caller's behaviour departs from what that credential normally does.
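To make the "learn the normal calling pattern, then flag deviations" idea concrete, here is an added example that is not part of the article and is not PingIntelligence's or WSO2's code. It builds a per-API-key baseline (busiest minute, endpoints called, source addresses) from a constructed benign log and then scores a second constructed log for three of the behaviours the announcement lists: a valid account enumerating endpoints it never used, a key reused from a new address and refused on other users' resources, and a scraping-style rate spike. The log format, thresholds and finding names are all assumptions chosen for the illustration; a production system would learn per-endpoint distributions rather than single peaks.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed log format (assumed, space separated): minute api_key src_ip method path status
LOG_FIELDS = ("minute", "api_key", "src_ip", "method", "path", "status")


@dataclass
class Baseline:
    peak_rpm: int = 0                          # busiest minute seen while learning
    paths: set = field(default_factory=set)    # endpoints this key normally calls
    ips: set = field(default_factory=set)      # source addresses seen for this key


def normalize_path(path):
    """Collapse numeric segments so /orders/17 and /orders/18 count as one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def parse(line):
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        raise ValueError(f"malformed log line: {line!r}")
    rec = dict(zip(LOG_FIELDS, parts))
    rec["minute"], rec["status"] = int(rec["minute"]), int(rec["status"])
    rec["path"] = normalize_path(rec["path"])
    return rec


def learn(lines):
    """Build a per-API-key baseline from traffic assumed to be benign."""
    baselines, per_minute = defaultdict(Baseline), Counter()
    for rec in map(parse, lines):
        b = baselines[rec["api_key"]]
        b.paths.add(rec["path"])
        b.ips.add(rec["src_ip"])
        per_minute[(rec["api_key"], rec["minute"])] += 1
    for (key, _minute), n in per_minute.items():
        baselines[key].peak_rpm = max(baselines[key].peak_rpm, n)
    return dict(baselines)


def detect(baselines, lines, rate_factor=5, new_path_limit=5, denied_limit=5):
    """Return sorted (api_key, finding) pairs for traffic departing from the baseline."""
    per_minute, denied = Counter(), Counter()
    new_paths, new_ips = defaultdict(set), defaultdict(set)
    for rec in map(parse, lines):
        key, b = rec["api_key"], baselines.get(rec["api_key"])
        if b is None:
            continue  # no baseline yet for this key: out of scope here
        per_minute[(key, rec["minute"])] += 1
        if rec["path"] not in b.paths:
            new_paths[key].add(rec["path"])
        if rec["src_ip"] not in b.ips:
            new_ips[key].add(rec["src_ip"])
        if rec["status"] in (401, 403, 404):
            denied[key] += 1
    findings = set()
    for (key, _minute), n in per_minute.items():
        if n > rate_factor * max(baselines[key].peak_rpm, 1):
            findings.add((key, "rate_spike"))            # scraping / API-level DoS
    for key, paths in new_paths.items():
        if len(paths) >= new_path_limit:
            findings.add((key, "endpoint_enumeration"))  # valid account probing the API
    for key in new_ips:                                   # key seen from a new address...
        if denied[key] >= denied_limit:                   # ...and refused on others' resources
            findings.add((key, "credential_misuse"))
    return sorted(findings)


# Constructed benign traffic used to learn the baseline.
BENIGN_LOG = [
    "0 k-alice 10.0.0.5 GET /profile 200", "0 k-alice 10.0.0.5 GET /orders 200",
    "0 k-alice 10.0.0.5 GET /orders/17 200", "1 k-alice 10.0.0.5 GET /profile 200",
    "0 k-bob 10.0.0.9 GET /orders 200", "0 k-bob 10.0.0.9 GET /orders/42 200",
    "0 k-carol 10.0.0.20 GET /catalog 200", "1 k-carol 10.0.0.20 GET /catalog 200",
    "1 k-carol 10.0.0.20 GET /catalog 200",
]
# Constructed suspect traffic: every request carries a valid key, so static policy passes.
SUSPECT_LOG = [
    "10 k-alice 10.0.0.5 GET /admin 403", "10 k-alice 10.0.0.5 GET /users/1 403",
    "10 k-alice 10.0.0.5 GET /users/2 403", "10 k-alice 10.0.0.5 GET /internal/config 404",
    "10 k-alice 10.0.0.5 GET /export 403", "10 k-alice 10.0.0.5 GET /debug 404",
    "10 k-alice 10.0.0.5 GET /metrics 404",            # known address, 6 unseen endpoints
    "10 k-bob 203.0.113.7 GET /orders/1001 403", "10 k-bob 203.0.113.7 GET /orders/1002 403",
    "10 k-bob 203.0.113.7 GET /orders/1003 403", "10 k-bob 203.0.113.7 GET /orders/1004 403",
    "10 k-bob 203.0.113.7 GET /orders/1005 403",       # new address, other users' orders
] + ["11 k-carol 10.0.0.20 GET /catalog 200"] * 12    # 12 calls in a minute vs a peak of 2


def run_demo():
    return detect(learn(BENIGN_LOG), SUSPECT_LOG)


if __name__ == "__main__":
    for key, finding in run_demo():
        print(f"{key}: {finding}")
```

Note that k-alice is flagged only for enumeration and not for credential misuse even though she collects seven error responses: the key is used from her usual address, so the detector attributes the probing to the account holder rather than to a stolen key. That distinction is exactly the kind of context a static rate limit or authorization check cannot express, and it is why a behavioural layer sits beside, not instead of, the gateway's policies.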
WSO2 is a sponsor of The New Stack.
Feature image via Ping.