[BreachExchange] 5 Things You Need to Know About API Protection

Destry Winant destry at riskbasedsecurity.com
Wed Apr 17 09:23:56 EDT 2019


https://www.scmagazine.com/home/opinion/5-things-you-need-to-know-about-api-protection/

Whether you realize it or not, APIs are everywhere in your
organization and they’re growing in numbers. In fact it’s estimated
that the average organization manages over 300 APIs, many of which are
exposed externally to customers and partners.

While the concept of APIs may still be foreign to some, they’re an
integral part of modern application environments everywhere, providing
the connective tissue for SaaS, web, mobile, microservices and IoT
applications.

Developers have taken to APIs as a way to connect applications, extend
functionality and interface with partners. This has created an often
complex web of logic, connectivity and exposure for critical
infrastructure and data, and with it new vulnerabilities and new
targets for attackers.

Most security teams are aware of the primary APIs in their environment
but there are many APIs that go unnoticed, and thus lack the
monitoring and protection needed to properly secure your environment.
Even if you do have a good handle on your APIs, most security
solutions lack the deep understanding needed to properly protect them.
Here are 5 things to consider as you think about API protection as
part of your overall security strategy.

1. APIs are one of the fastest-growing attack targets
The API Economy is here and businesses are looking for ways to deliver
new apps faster, extend application functionality and connect with
partners. APIs are everywhere now, and as the number of APIs grows, so
too does the number of attacks. According to Gartner in their research
on How to Build an Effective API Security Strategy, “By 2022, API
abuses will be the most-frequent attack vector resulting in data
breaches…”

2. APIs are a rich target for attackers
Behind many APIs lie attractive targets for attackers. With the right
attack, a wealth of valuable data can be exfiltrated, ranging from
customers’ personally identifiable information (PII) to company
intellectual property (IP). Do a search for API breach and you’ll
find plenty of examples of well-known companies that have been targets,
like T-Mobile, Panera Bread, Verizon, Facebook, and recent
vulnerability disclosures at the United States Postal Service (USPS)
and Google+.

These attacks not only have compliance implications that cost
organizations millions in fines but can also damage reputation and
cause loss of customer confidence. As a result of a 2018 breach at
Facebook, the company faces up to $1.63 billion in fines under GDPR.

Data exfiltration is not the only goal of attacks. Denial of Service
(DoS) can also be the motivation for an attacker who wants to impact
the availability of a target application. Unlike a Distributed Denial
of Service (DDoS) attack, which requires high levels of sophistication
and coordination, a single attacker can overwhelm an application with
a subtly crafted API call. As with exfiltration, downtime due to DoS
attacks can result in loss of customers’ confidence and loss of
revenue.

3. API security requires a layered approach
APIs are no different from the other infrastructure that you’re tasked
with protecting. There is no single solution that will provide you
with comprehensive protection. Traditional solutions like a Web
Application Firewall (WAF) and newer solutions like Runtime
Application Self-Protection (RASP) are commonly used in conjunction
with more proactive penetration testing and bug bounty programs. With
the increase in API-focused attacks, a new class of API protection
solutions has also come to market to help protect organizations
from these new threats.

4. Signature-based solutions offer only partial protection
WAF and RASP solutions rely on known attack vectors that can be
predicted and fingerprinted. While these solutions provide good
protection from known attacks, attackers are evolving, increasingly
moving away from these common, easily identified attacks. Since many
traditional solutions lack granular knowledge of APIs, modern attacks
often go unnoticed until it’s too late.

5. API attacks target your unique API logic
Your organization is unique, and so are the APIs and the applications
that use them. Today’s attacks target this unique logic. Also take
into consideration that with CI/CD development practices your APIs
are constantly changing and evolving, which makes them even more
difficult to defend. An API protection solution needs not only to
understand the uniqueness of your APIs but also to be aware of any
updates or changes that are made.
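As an added illustration of points 4 and 5 (this is example code, not code from the article or its author), the Python sketch below places a signature layer, which fingerprints known attack strings the way a WAF or RASP rule set does, in front of a contract-aware layer generated from a description of the organization's own endpoints. The endpoints, field names and signature patterns are constructed for the example. A request that carries no known attack string but adds a field the API never defined, or calls an endpoint the contract does not list, passes the signature layer and is caught only by the contract layer; because that layer is derived from the spec, updating the spec after a CI/CD change updates the check.

```python
import re
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

# Constructed contract for a hypothetical organization's API (not taken from
# the article). Keys are (method, path template); values name the expected
# path parameters and the allowed body fields with their types.
API_SPEC = {
    ("GET", "/v1/users/{id}"): {"params": {"id": int}, "body": {}},
    ("POST", "/v1/orders"): {"params": {}, "body": {"sku": str, "qty": int}},
}

# Signature layer: a few constructed fingerprints of well-known attack
# strings, standing in for a WAF/RASP rule set.
SIGNATURES = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)<script"),
    re.compile(r"\.\./"),
]


@dataclass
class Request:
    method: str
    path: str
    body: Dict[str, Any] = field(default_factory=dict)


def signature_check(req: Request) -> Optional[str]:
    """Return 'signature:<pattern>' if a known attack string appears, else None."""
    haystack = req.path + " " + repr(req.body)
    for sig in SIGNATURES:
        if sig.search(haystack):
            return f"signature:{sig.pattern}"
    return None


def match_route(spec, method: str, path: str):
    """Find the spec template matching (method, path); return (entry, path params)."""
    segs = path.strip("/").split("/")
    for (m, template), entry in spec.items():
        tsegs = template.strip("/").split("/")
        if m != method or len(tsegs) != len(segs):
            continue
        params = {}
        for t, s in zip(tsegs, segs):
            if t.startswith("{") and t.endswith("}"):
                params[t[1:-1]] = s
            elif t != s:
                break
        else:
            return entry, params
    return None, {}


def _is_type(value, typ) -> bool:
    # bool is a subclass of int in Python; do not let True pass as a quantity.
    if typ is int and isinstance(value, bool):
        return False
    return isinstance(value, typ)


def schema_check(spec, req: Request) -> Optional[str]:
    """Positive-security check: reject anything the contract does not describe."""
    entry, params = match_route(spec, req.method, req.path)
    if entry is None:
        return "schema:unknown-endpoint"
    for name, typ in entry["params"].items():
        try:
            typ(params[name])
        except (KeyError, ValueError):
            return f"schema:param:{name}"
    allowed = entry["body"]
    for key, value in req.body.items():
        if key not in allowed:
            return f"schema:unexpected-field:{key}"
        if not _is_type(value, allowed[key]):
            return f"schema:type:{key}"
    missing = sorted(set(allowed) - set(req.body))
    if missing:
        return f"schema:missing-field:{missing[0]}"
    return None


def inspect(spec, req: Request) -> Optional[str]:
    """Layered decision: signatures first, then the API-specific contract.
    Returns the reason for rejection, or None when the request is accepted."""
    return signature_check(req) or schema_check(spec, req)


if __name__ == "__main__":
    samples = [
        Request("GET", "/v1/users/42"),
        Request("GET", "/v1/users/42 UNION SELECT 1"),
        Request("POST", "/v1/orders", {"sku": "A1", "qty": 2, "discount": 100}),
        Request("GET", "/v1/reports/export"),
    ]
    for r in samples:
        print(r.method, r.path, r.body, "->", inspect(API_SPEC, r))
```

The third sample is the case the article is pointing at: nothing in it looks like an attack to a signature rule, yet a client-supplied `discount` field is exactly the kind of application-specific logic abuse that only a check built from your own API contract can flag. Adding a newly deployed endpoint to `API_SPEC` is all it takes for the same validator to accept it, which is how a contract-driven layer keeps pace with CI/CD changes.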

Because APIs are unique, dynamic and undergo constant changes,
organizations must look beyond security solutions that require manual
configuration and signature updates. With the number of APIs for a
single organization numbering in the hundreds, it’s important to find
an approach that can efficiently and effectively monitor and defend this
complex web of logic, connectivity and exposure. There is no single
solution that can keep modern organizations safe, but a layered
security approach that incorporates granular API monitoring and
protection will go a long way towards closing vulnerabilities and
preventing API attacks that have become increasingly common in our
connected world.

