The changes to APIs in recent years have had a significant impact on security. APIs are being used more than ever by companies of all sizes and in all industries across the globe. APIs are increasingly exposing sensitive data to power new use cases, and they’re constantly changing to fuel the need for rapid innovation. These changes to APIs create new challenges for security teams who need to rethink the strategies and tools they use to protect critical services and data.
Three concerns should be top of mind for any security professional tasked with protecting APIs: gaining visibility into the API attack surface, detecting and stopping attackers early, and continuously improving the API security posture as the environment changes.
The first challenge for anything in security is to understand what it is that you need to protect. Comprehensive visibility of the attack surface provides the foundation for framing security strategies and aligning solutions, and this need is no different for API security.
Two aspects make visibility into APIs more challenging: the growing number of APIs in an environment, and the rate of change for those APIs. Most organizations have hundreds if not thousands of APIs, and they’re changing frequently, giving rise to an extremely large, ever-changing attack surface.
It’s not enough to know that you have an API. You also need to know the details of that API and the data it exposes. Details include knowing the endpoints that are part of that API, what they should and should not do, who or what should have access to the API, and what sensitive data, if any, each API exposes. To add to the complexity, applications often comprise multiple APIs, each with its own logic. Add to these factors the frequent updates and it’s easy to understand the challenge of achieving and maintaining comprehensive visibility of the API attack surface.
Most organizations don’t have a good handle on their API attack surface, with many unknown APIs (aka Shadow APIs) and unknown exposure of sensitive data like personally identifiable information (PII). Many organizations try to have developers manually create a catalog of all APIs, but since APIs are constantly changing, those manual catalogs quickly go out of sync. Automation is the only real way to address the scale, rate of change, and granular details needed to protect APIs.
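As an added illustration of the automated discovery the paragraph above calls for (example code written for this page, not Salt Security's product or any project's code), the snippet below builds an endpoint inventory from observed traffic, flags endpoints missing from the developer-maintained catalog as shadow APIs, and marks endpoints whose responses carry PII. The catalog, the traffic records and the PII patterns are all constructed for the example.

```python
import re

# Constructed sample: a declared (developer-maintained) catalog and a few
# observed API transactions. In practice the traffic would come from a
# traffic mirror or log pipeline rather than a hard-coded list.
DECLARED_CATALOG = {("GET", "/v1/users/{id}"), ("POST", "/v1/orders")}

OBSERVED_TRAFFIC = [
    {"method": "GET", "path": "/v1/users/1042", "body": '{"id":1042,"name":"A. Example"}'},
    {"method": "POST", "path": "/v1/orders", "body": '{"order_id":77}'},
    # undocumented endpoint returning an e-mail address and a card-like number
    {"method": "GET", "path": "/v1/users/1042/export",
     "body": '{"email":"a.example@example.test","card":"4111 1111 1111 1111"}'},
    # undocumented debug endpoint leaking a national ID number
    {"method": "GET", "path": "/internal/debug/users", "body": '{"ssn":"123-45-6789"}'},
]

# Simple PII detectors; a production system would use richer classifiers.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def normalize(path: str) -> str:
    """Collapse numeric path segments into a template so /users/1042 == /users/{id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def discover(traffic, catalog):
    """Build an endpoint inventory from traffic; flag shadow endpoints and PII exposure."""
    inventory = {}  # (method, template) -> set of PII kinds seen in responses
    for tx in traffic:
        endpoint = (tx["method"], normalize(tx["path"]))
        kinds = inventory.setdefault(endpoint, set())
        for kind, pattern in PII_PATTERNS.items():
            if pattern.search(tx["body"]):
                kinds.add(kind)
    shadow = {ep for ep in inventory if ep not in catalog}
    exposing_pii = {ep: sorted(kinds) for ep, kinds in inventory.items() if kinds}
    return {"inventory": set(inventory), "shadow": shadow, "pii": exposing_pii}


if __name__ == "__main__":
    result = discover(OBSERVED_TRAFFIC, DECLARED_CATALOG)
    print("shadow endpoints:", sorted(result["shadow"]))
    print("PII exposure:", result["pii"])
```

Running the same discovery continuously over live traffic keeps the inventory in sync with API changes, which is exactly where manually maintained catalogs fall behind.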
Today’s APIs expose more sensitive data than ever, and attackers are increasingly targeting APIs, looking for vulnerabilities and pathways to that data. Security teams need a way to detect attackers early and stop them before they are successful. A big challenge with APIs is that they are unique in every organization and therefore have unique vulnerabilities. Traditional tools such as WAFs and API gateways simply don’t provide the right level of protection. These traditional tools are based on proxy architectures and are limited to analyzing API traffic at the transaction level and lack the needed context to identify sophisticated API attacks.
API attacks are low and slow as attackers spend time to map the API structure, understand the logic, and look for vulnerabilities to exploit. Traditional tools miss this kind of subtle attacker activity, which requires analysis of large amounts of data to detect bad actors early in their efforts.
Another strike against proxy-based tools is that they depend on signatures and can stop only known attacks. But you can’t create a signature for an unknown vulnerability. Even customizing a security tool’s configuration for the environment is not enough. Most organizations, regardless of size, have complex API environments, so manually creating policies is not practical. The rapidly changing nature of APIs requires continuous upkeep of security policies, a process that risks lagging behind API updates and leaving gaps that attackers can exploit.
Many traditional tools are also notorious for false positives, because they analyze activity in isolation at the transaction level and alert on any anomalous activity. Lacking context, these tools cannot distinguish between a benign anomaly and a truly malicious API call that is part of an attacker’s larger reconnaissance effort.
Organizations must shift from proxy-based tools that depend on signatures and require configuration upkeep to solutions that continuously gather and analyze API activity. By capturing and understanding large amounts of data, these solutions gain the context needed to connect the dots across multiple subtle activities of an attacker. The focus must move from transactions to attackers – this approach enables earlier attack detection and reduces the number of false positives, because alerts and triggers tie back to a user, not an individual transaction.
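To make the contrast between transaction-level and attacker-level analysis concrete, here is an added example (written for this page, not Salt Security's detection logic) that runs two detectors over a constructed API access log. The transaction rule alerts on every error response, so a legitimate user's single 404 becomes an alert, while the per-caller correlation only fires for the token that has touched many distinct endpoints with mostly error responses over several hours, the low-and-slow reconnaissance pattern described above. The log format, token names and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed API access log: timestamp, caller token, method, path, status.
# tok_alice is a normal user who hits one missing resource; tok_eve probes a
# new endpoint every hour or two and is rejected each time.
LOG_LINES = """
2024-03-01T09:00:01 tok_alice GET /v1/users/1042 200
2024-03-01T09:00:05 tok_alice GET /v1/users/1042/orders 200
2024-03-01T09:01:10 tok_alice GET /v1/users/1042/invoices 404
2024-03-01T09:05:00 tok_bob   GET /v1/users/2001 200
2024-03-01T09:20:00 tok_eve   GET /v1/users/2001 403
2024-03-01T10:40:00 tok_eve   GET /v1/users/2002 403
2024-03-01T12:15:00 tok_eve   GET /v1/admin/users 404
2024-03-01T13:50:00 tok_eve   GET /v1/users/2003/export 403
2024-03-01T15:30:00 tok_eve   PUT /v1/users/2003 405
""".strip().splitlines()

LINE_RE = re.compile(r"(\S+) (\S+)\s+(\S+) (\S+) (\d{3})")


def parse(lines):
    """Turn raw log lines into event dicts with a real timestamp and int status."""
    for line in lines:
        ts, user, method, path, status = LINE_RE.match(line).groups()
        yield {"ts": datetime.fromisoformat(ts), "user": user,
               "method": method, "path": path, "status": int(status)}


def transaction_alerts(events):
    """Proxy-style rule: each error response is an isolated alert, no context."""
    return [e for e in events if e["status"] >= 400]


def attacker_alerts(events, min_endpoints=4, min_error_ratio=0.6):
    """Correlate per caller: many distinct endpoints with mostly error responses
    reads as reconnaissance, regardless of how slowly the requests arrive."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        endpoints = {(e["method"], e["path"]) for e in evs}
        ratio = sum(e["status"] >= 400 for e in evs) / len(evs)
        if len(endpoints) >= min_endpoints and ratio >= min_error_ratio:
            span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
            alerts[user] = {"endpoints": len(endpoints), "error_ratio": round(ratio, 2),
                            "span_hours": round(span.total_seconds() / 3600, 1)}
    return alerts
```

Because the correlated alert names a caller rather than a request, the responder starts with the whole sequence of probes instead of one 403 in isolation.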
Security is not a “set it and forget it” exercise, especially when it comes to API-based applications. These environments are constantly changing and evolving with new applications and new capabilities. As the API environment changes, so does the attack surface. Organizations must therefore ensure that their security tools and strategy keep evolving to provide up-to-date protection. Security teams and developers need to work and continuously learn together to keep up with the latest threats and implement security best practices.
Organizations should work to identify vulnerabilities early in the development cycle, but inevitably, some vulnerabilities will make it to production. Protecting APIs at runtime and stopping attacks is crucial. The best way to improve the API security posture is to take learnings from attacks detected and stopped at runtime and use them to eliminate vulnerabilities – such an effort requires security and development teams to work together.
Security teams can provide developers with rich insights into vulnerabilities found in production APIs. Solutions that capture and analyze all production API activity can provide that insight with valuable context. Insights include details on the vulnerability found, how the attacker tried to manipulate it, how the application responded, and the context of what normal activity looks like for the targeted API. Insights can also include recommendations on how to best remediate the vulnerability. With this detail, security and development teams better understand the vulnerability and can work together to properly prioritize remediation efforts.
Salt Security has pioneered an API security architecture built on big data and artificial intelligence (AI). The patented solution captures and analyzes all API activity to provide automated discovery of APIs and ensure an up-to-date catalog and view of the API attack surface. By analyzing API traffic, the Salt platform can identify the subtle activity of attackers during reconnaissance and connect the dots of their activity to pinpoint and block them before attacks are successful. The platform also turns attacker efforts into remediation insights, helping security and development teams work together to eliminate vulnerabilities. Schedule a demo to learn more about how Salt can help you overcome the challenges of securing your APIs.