Better Together: Stopping API Attacks with Salt and AWS WAF
APIs power today’s digital economy and enable organizations to succeed in their business innovation efforts. Because every company’s APIs are unique, so are its security gaps, which bad actors will inevitably try to exploit. Only through rich context and deep behavioral analysis can these attackers be stopped.
Many of the APIs that enable today’s applications and business services live and breathe within the Amazon Web Services (AWS) ecosystem. That’s why Salt has expanded its existing relationship with AWS to achieve the AWS WAF Ready designation and ensure that our API protection technology integrates seamlessly with AWS WAF to help organizations build stronger API security strategies.
Shortly after Salt became an AWS Ready Partner, Nick Rago, Field CTO at Salt, was joined by Matthew McCarty, Senior Security Consultant at AWS, and Sanchith Kandaka, Senior Edge Specialist Solutions Architect at AWS, for a live webinar to discuss how the Salt API Security Platform and AWS WAF work together to create a best-in-breed API security solution.
Why is API security a team sport?
API security is a strategy, not a single tool or type of technology. It requires a multidisciplinary approach that recognizes and uses different technologies, each of which plays a role in reducing risk across today’s complex API ecosystem. API gateways, WAFs, SIEM tools, and API posture and behavior analysis technology are key parts of today’s security stacks, and companies look for the right capabilities in each of them to protect their APIs effectively.
WAFs, or web application firewalls, are one of the first things organizations think of when building their line of defense against today’s API attackers, and for good reason. They are an important frontline defense against common, pattern-based attack types, such as distributed denial of service (DDoS), application vulnerability exploitation, or bot-driven threats.
The AWS WAF threat mitigation capabilities can help protect against common web exploits that may affect service availability, compromise security, or consume excessive resources. Although these capabilities are crucial in mitigating cyber risk for businesses, when it comes to API security, WAF rules follow a static workflow and can’t provide enough context into what a given application or user is doing against a specific API. That’s where a dedicated API security solution can help.
APIs present new application-layer security challenges that WAFs are not architected to detect or protect against:
- API Sprawl – You can’t protect what you can’t see. Today’s organizations are struggling to know where all their APIs are, document them, or even know what API traffic is going through their WAF. With multiple development teams building APIs within the same organization, the issue of control and visibility is a pressing one that can get in the way of an effective API security strategy. If you add the widespread use of third-party APIs and the fact that the API surface is constantly changing into the mix, it’s easy to see that having visibility and control over all APIs has become a massive challenge for companies of all shapes and sizes.
- API attacks are different – API attacks have changed in recent years. Bad actors are no longer sticking to predictable, pattern-based attacks like code execution or SQL injection; instead they take weeks and even months to prod and poke for business logic flaws that they can exploit to disrupt services or exfiltrate data. The problem is that there is no signature for this type of attack, so essentially every vulnerability represents its own zero-day, and the exploit often looks like a legitimate transaction that is hard to detect.
- Testing limitations – The key problem organizations face when it comes to testing is that automated testing tools often can’t detect business logic-based attacks. With over a third of APIs (37%) being updated weekly, according to the Salt Labs Q1 2023 State of API Security Report, pen testers also can’t keep up with the low-level tests that would be required to spot unique business logic vulnerabilities in each production API. Organizations effectively need to assume that some API vulnerabilities in production are unavoidable, meaning only runtime detection can stop attackers in their tracks.
Overcoming these challenges takes an API security solution that provides three things: continuous discovery; runtime threat detection powered by time-tested AI and ML technology that builds rich context for each API; and remediation insights that can be fed back to development teams to harden production APIs. Such a solution complements, rather than replaces, a WAF’s pattern-based threat detection.
How Salt and AWS WAF work together to protect APIs
When it comes to securing APIs effectively, we know that a multi-tool strategy that integrates WAF and API security intelligence can deliver a more robust outcome. That’s why Salt went through the AWS Ready program to ensure that the Salt API Protection Platform can integrate seamlessly with AWS WAF to stop today’s API attacks with their combined capabilities.
- Discovery – Bringing AWS WAF and Salt technology together at the API discovery stage helps companies answer a common and pressing question: how do I know that the traffic that should be going through the WAF is actually going through the WAF? By creating an automated and continuous inventory of a company’s APIs, Salt can help AWS customers keep track of what’s going through AWS WAF as the first line of defense against API threats. Additionally, Salt allows organizations to write dynamic rules based on the discovery findings, enabling teams to make any necessary changes as well as integrate with other AWS components, such as Amazon API Gateway.
- Threat protection – The Salt platform’s API protection capabilities, powered by AI and ML, are sophisticated enough to identify when a malicious user is conducting reconnaissance against an API or when an active attack campaign at the business logic level is getting through the WAF. The Salt/AWS WAF integration allows organizations to send a block command, with context, directly to AWS WAF and thwart the threat before the attacker succeeds.
- Remediation insights – Once the Salt API Protection Platform learns of an API vulnerability from activity analyzed in production, it identifies the actions required to fix that vulnerability. You can use these remediation insights to write business logic rules that can be placed into AWS WAF. The integration also gives security teams the information needed to apply a virtual patch for the threat and mitigate the risk it poses until the development team has time to fix the root issue.
Seamless integration for stronger API security
By becoming an AWS WAF Ready Partner, Salt can now help AWS WAF customers worldwide to accelerate the adoption of a holistic API security approach.
The Salt Security API Protection Platform deploys out of band to avoid interference with application performance or availability. Salt offers AWS WAF users a seamless integration that pairs the two technologies to strengthen their discovery, threat detection, and remediation capabilities.
Watch the joint webinar in which Salt Security and AWS specialists had an in-depth conversation about how the Salt API security platform and AWS WAF create a best-of-breed solution that provides the context needed to identify and stop API attackers.
To learn more about how Salt can help protect the APIs that power your critical services and data, sign up for a personalized demo.