APIs have dramatically altered the application attack surface, so lots of organizations and security teams are now focused on API security. As part of our continuing mission here at Salt to educate the broader industry, our technical evangelist, Michael Isbitski, put pen to paper (well, OK, fingers to keyboard) to provide a comprehensive overview of the challenges and best practices in API security.
In this “API Security for Dummies” eBook, Michael takes care to bring everyone – from novices to very technical app sec professionals – along on the journey of understanding APIs themselves, how API attacks differ from application attacks, why APIs make such attractive targets, and how organizations can better protect themselves from the sophisticated bad actors focused on hacking or abusing APIs. To craft this educational tome, Michael draws on his five years of helping thousands of Gartner clients implement application security as well as his decades of hands-on experience running application security teams.
With Gartner having recently updated its security reference architecture to create a separate pillar for API security – distinct from WAFs, Web Application and API Protection, and API gateways – the industry is increasing its understanding that APIs spawn unique attacks and need unique protections. Companies are using more APIs than ever, those APIs are more functional than ever, and teams are updating them more frequently than ever – so the attack surface is much bigger and always changing. The old tools simply cannot protect you, because they can’t detect the probing and reconnaissance activities of bad actors who have to learn your APIs so they can understand how to attack them.
It’s important to understand that this limitation isn’t temporary. WAFs and API gateways are architecturally constrained – they can see transactions only one at a time and apply pre-set rules and signatures to determine whether to allow or block a given transaction. They’ll never be able to gather and correlate the activity across all APIs and users, over time, to detect an API attack.
Michael’s guide provides the critical insights you need to educate yourself and your organization as to how and why the world has changed, and why additional protections are needed. Everyone – dummy and smarty alike – will benefit from the explanations he provides on:
Michael’s “API Security for Dummies” book wraps with 10 steps you can follow to improve your API security – the kind of practical advice you can put to use today.
The whole point of using APIs is to share valuable data and interconnect services – it’s what they’re built to do. So it’s no surprise that APIs are now the top application attack vector. If your organization is applying yesterday’s protections and hoping they’ll protect against today’s attacks, it’s just waiting to be the next headline. Use this Dummies guide to bring intelligence to your API security strategy.
Dr. Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, joined our recent API Security Summit. Dr. Chuvakin’s session – co-hosted by Salt Security's Michelle McLean – provided an in-depth discussion on why API security has become a “now” problem.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs.
With the industry moving to microservices and API-driven applications, new security threats and attack vectors have emerged. The PCI Security Standards Council has worked to address these threats in its newest PCI DSS 4.0 standard.