
Context-based security for all your APIs

Only Salt delivers the context you need to protect your APIs across the build, deploy, and runtime phases. We combine complete traffic coverage with an ML/AI-driven big data engine to build that context, so we can show you all your APIs, stop attackers during the early stages of an attempted attack, and share insights that improve your API security posture.

APIs are a top target

APIs fuel digital transformation and are essential components of business-critical, customer-facing applications, development environments, and partner-facing services. APIs today expose application business logic and more sensitive data than ever. Attackers have taken notice, and in recent years, APIs have become the primary target for their efforts.

Attacks have changed

Bad actors targeting APIs have moved beyond traditional “one-and-done” attacks such as SQLi and XSS. Their focus now is on finding vulnerabilities in the business logic of APIs. Your APIs are unique, so the attacks have to be as well. It takes attackers days, weeks, or even months to probe and learn your APIs, and they use “low-and-slow” techniques that stay under the radar of traditional security tools.

You need context to prevent API attacks

Detecting low-and-slow attack activity that targets an API’s unique vulnerabilities depends on having context. Building that context requires deep analysis of massive amounts of API traffic. This kind of advanced protection must have a rich baseline of normal behavior for every API and user so that the system can spot anomalies quickly and correlate activity over time to build a fingerprint for each bad actor.


Traditional tools will never have context

Traditional tools, typically built on a proxy architecture, are not able to analyze activity over time – they see each transaction in isolation and apply pattern matching using signatures and rules to block known attacks. No matter what functionality they gain over time, they will never have the context needed to piece together the subtle malicious activity of someone attacking an API, so they’ll never be able to stop API attacks.

Salt - the new approach to API security

Salt protects the APIs at the core of every modern application with security across the full API lifecycle. Our advantages derive from our big data engine powered by our time-tested, patented AI and ML algorithms that form our API Context Engine (ACE) Architecture to protect your APIs with coverage for all your app environments.

We receive a copy of all API traffic, and with big data, we store hundreds of attributes about thousands of APIs and thousands of users over time. API traffic is continuously analyzed using AI and ML to automatically discover all your APIs and exposed sensitive data, establish context to pinpoint and block attackers, and provide remediation insights for dev teams to improve security.

The Salt architectural advantage

Complete coverage

We support more than 50 options to collect all your API traffic and dynamically build a full inventory of every API. We deploy with no app or network changes and require no configuration or tuning.

+

AI-powered big data engine

Every one of your APIs is unique. Salt applies ML and AI in our big data engine to baseline your APIs and isolate anomalous behavior, differentiating between changes to APIs and malicious activity. By applying the context we learn, we can avoid false positives.

=

Context-based analysis

Salt combines our complete coverage and big data engine to discover all your APIs, see the sensitive data they expose, find and stop attackers, and capture insights for development teams to improve your API security posture.

Salt is the leader in API security

Most mature solution – 4+ year head start
Patented big data architecture
Simplest deployment
Most customers

Tools like WAFs and API gateways don't have any context for what's happening across APIs and, in turn, cannot effectively detect or protect against exploitation. Salt pulls together all the activity of all users, so it can find and stop attackers in their tracks.

Curtis Simpson, CISO

Why WAFs and API Gateways can't protect you

WAFs and API gateways detect attacks that leverage known vulnerabilities (think SQLi, XSS). They see traffic one transaction at a time, in isolation. API attacks are different – they target vulnerabilities in your business logic, and bad actors must probe your APIs to discover these zero-day vulnerabilities. To find and stop API attacks requires context, over time – WAFs and API gateways simply don’t have this context (think a single frame vs. a movie).

The OWASP API Security Top 10 catalogs the most common API attacks. Salt knows what every user did an hour ago, a day ago, a week ago – and we have a baseline of what’s normal for your APIs. We use this context to find and stop API attacks.
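The single-frame versus movie argument above (and the point on baselines in the context section) can be shown with a small detection example. This is an added illustration, not Salt's code or architecture: a constructed access log, a stateless per-request signature check standing in for a WAF, and a per-user check that correlates distinct object IDs over a window. The window, baseline and signature patterns are assumed values.

```python
import re
from collections import defaultdict

# Constructed sample access log: (timestamp_sec, user, method, path). Not real traffic.
# "alice" and "bob" behave normally; "mallory" walks /api/orders/<id> slowly for hours,
# two requests an hour, and no single request carries anything a signature would match.
LOG = [
    (0,    "alice", "GET", "/api/orders/1042"),
    (30,   "alice", "GET", "/api/orders/1042/items"),
    (3600, "bob",   "GET", "/api/orders/2207"),
    (7200, "bob",   "GET", "/api/orders/2207"),
] + [(i * 1800, "mallory", "GET", f"/api/orders/{1000 + i}") for i in range(24)]

# Illustrative signature set of the kind a proxy applies to each request in isolation.
SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script", r"'\s*or\s+1=1")]

def stateless_hits(log):
    """Flag a request only when its own path matches a known-bad signature."""
    return [(u, p) for _, u, _, p in log if any(s.search(p) for s in SIGNATURES)]

OBJECT_ID = re.compile(r"^/api/orders/(\d+)")

def stateful_hits(log, window=6 * 3600, baseline_objects=3):
    """Correlate per user over a sliding window: count distinct order IDs touched.
    Returns {user: max distinct IDs seen in one window} for users above the baseline,
    even though every individual request in the log is benign on its own."""
    seen = defaultdict(list)          # user -> [(ts, object_id)] inside the current window
    flagged = {}
    for ts, user, _, path in sorted(log):
        m = OBJECT_ID.match(path)
        if not m:
            continue
        seen[user].append((ts, m.group(1)))
        seen[user] = [(t, o) for t, o in seen[user] if ts - t <= window]
        distinct = {o for _, o in seen[user]}
        if len(distinct) > baseline_objects:
            flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    print("signature hits:", stateless_hits(LOG))   # nothing: no request is malicious alone
    print("baseline hits: ", stateful_hits(LOG))    # mallory stands out once requests are correlated
```

The baseline here is a fixed constant for brevity; in practice it would be learned per API and per user from historical traffic, which is the context the text refers to.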

API Security Top 10 Threats (compared against WAFs and API Gateways)

A1:2019 - Broken Object Level Authorization
A2:2019 - Broken Authentication
A3:2019 - Excessive Data Exposure
A4:2019 - Lack of Resources & Rate Limiting
A5:2019 - Broken Function Level Authorization
A6:2019 - Mass Assignment
A7:2019 - Security Misconfiguration
A8:2019 - Injection
A9:2019 - Improper Assets Management
A10:2019 - Insufficient Logging & Monitoring
