APIs have dramatically altered the application attack surface, so lots of organizations and security teams are now focused on API security. As part of our continuing mission here at Salt to educate the broader industry, our technical evangelist, Michael Isbitski, put pen to paper (well, OK, fingers to keyboard) to provide a comprehensive overview of the challenges and best practices in API security.
In this “API Security for Dummies” eBook, Michael takes care to bring everyone – from novices to very technical app sec professionals – along on the journey of understanding APIs themselves, how API attacks differ from application attacks, why APIs make such attractive targets, and how organizations can better protect themselves from the sophisticated bad actors focused on hacking or abusing APIs. To craft this educational tome, Michael draws on his five years of helping thousands of Gartner clients implement application security as well as his decades of hands-on experience running application security teams.
With Gartner having recently updated its security reference architecture to create a separate pillar for API security – distinct from WAFs, Web Application and API Protection, and API gateways – the industry is increasing its understanding that APIs spawn unique attacks and need unique protections. Companies are using more APIs than ever, those APIs are more functional than ever, and teams are updating them more frequently than ever – so the attack surface is much bigger and always changing. The old tools simply cannot protect you, because they can’t detect the probing and reconnaissance activities of bad actors who have to learn your APIs so they can understand how to attack them.
It’s important to understand that this limitation isn’t temporary. WAFs and API gateways are architecturally constrained – they see transactions only one at a time and apply pre-set rules and signatures to decide whether to allow or block a given transaction. They’ll never be able to gather and correlate activity across all APIs and users, over time, to detect an API attack.
Michael’s guide provides the critical insights you need to educate yourself and your organization as to how and why the world has changed, and why additional protections are needed. Everyone – dummy and smarty alike – will benefit from the explanations he provides on:
Michael’s “API Security for Dummies” book wraps with 10 steps you can follow to improve your API security – the kind of practical advice you can put to use today.
The whole point of using APIs is to share valuable data and interconnect services – it’s what they’re built to do. So it’s no surprise that APIs are now the top application attack vector. If your organization is applying yesterday’s protections and hoping they’ll hold up against today’s attacks, it’s just waiting to be the next headline. Use this Dummies guide to bring intelligence to your API security strategy.
Unsafe consumption of APIs can lead to security breaches that expose sensitive data, user credentials or proprietary information: attackers may exploit vulnerabilities in how an application uses APIs to gain unauthorized access, execute arbitrary code or perform unauthorized actions within the system.
Improper Inventory Management is the ninth security threat listed in the OWASP API Security Top 10. By exploiting this weakness, attackers can gain unauthorized access to sensitive data, or even full server access, through old, unpatched or vulnerable API versions that are still reachable.