Fireside Chat: A New Strategy for Reducing API Risk


Why Salt API Security?

Only Salt delivers the adaptive intelligence you need to protect your APIs across build, deploy, and runtime phases. We combine complete coverage, an API data lake, and ML/AI-driven analysis to provide that adaptive intelligence. We catalog all your APIs, stop attackers during the early stages of an attempted attack, and share insights to improve your API security posture.

APIs are a top target

APIs are built expressly to share a company's most valuable data and services. That makes them a lucrative target for bad actors. We've already hit the tipping point – APIs are now THE way in.

Then...

“By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.”
Source: “Predicts 2018: Infrastructure Protection”, Strategic Planning Assumption, 20 November 2017

...and now

“As 2022 approaches, this prediction could arguably be counted as “missed” – but only because we underestimated the steep rise in attacks on APIs.”
Source: “Predicts 2022: APIs Demand Improved Security and Management”, 06 December 2021

Attacks have changed – and they’re easy to miss

Bad actors now target business logic vulnerabilities in your APIs. But since your APIs are unique, it takes them days, weeks, or even months to probe and learn your APIs. They use “low and slow” techniques that WAFs, gateways, and other traditional tools can't detect, leaving you vulnerable.

Past: One and done

  • Single step, targeting known vulns (SQLi, XSS), over seconds to minutes
  • Formulaic attacks, preset

Today: Low and slow

  • Multiple steps (look legit), targeting business logic gaps, over days to weeks
  • Custom attacks, based on recon

Everyone says they do API security

Legacy and adjacent tools are trying to pivot
To remain relevant, get into a hot space, or grow their reach, vendors of all stripes are claiming they do API security. You've got the tough job of sorting through all the noise – you need to get clear on what API security really is and the architecture needed to do it right.


Why WAFs and gateways fall short

Gateways weren’t built for security
IT teams leverage API gateways to publish and update APIs, monitor their usage, facilitate reuse, and enforce schema consistency. But gateways have no ability to monitor API traffic and cannot see the indicators of API manipulation in runtime. That’s why all the gateway vendors partner with Salt for runtime protection.

WAFs can’t see business logic attacks
WAFs, using technology developed 20 years ago, apply rules to protect web apps from yesterday’s attacks, like SQL injections and cross-site scripting. WAFs allow or deny per transaction – they have no ability to stitch together activity over time, so they can’t see today’s API attacks. That’s why, despite the prevalence of WAFs, we see headlines every month of a new company suffering an API breach.

API attacks don’t follow patterns
Every API vulnerability is a zero-day vulnerability, because every company’s APIs are unique and so are their security gaps. Bad actors have to poke and prod to learn your APIs and find mistakes in business logic they can exploit. The only way to catch these attacks is with context – deep behavioral analysis over time. That’s why API security is a whole new category of product needed in your arsenal.

Video: Real-world API Attacks: What your WAF is missing
This comparison shows which API attacks a WAF can spot versus Salt. We use Postman to launch a mix of more traditional attacks (SQLi, XSS) and more sophisticated API attacks. The WAF only has pre-set rules to follow – that’s why it lets the API attack traffic through, whereas Salt spots and blocks the attacks.

Salt Security

Tools like WAFs and API gateways don't have any context for what's happening across APIs and, in turn, cannot effectively detect or protect against exploitation. Salt pulls together all the activity of all users, so it can find and stop attackers in their tracks.

Curtis Simpson, CISO

Many purpose-built API security tools also have gaps

Code Instrumentation

  • Leaves security in developers’ hands
  • Relies on laborious and slow coding, and developers resist “other” code
  • Protects only new APIs or requires retooling of APIs already in production
  • Fails to provide dynamic discovery of APIs or sensitive data

OAS/Swagger Analysis

  • Relies on documentation, which is rarely current or perfect
  • Fails to provide dynamic discovery of APIs or sensitive data
  • Protects only new APIs
  • Limits runtime protection to enforcing on API schema – positive security is notoriously risky

On-prem Architecture

  • Provides behavioral analysis for only hours’ worth of traffic, missing most “in the wild” attacks (a cloud option from this type of provider will have the same deficit – no one builds two architectures)
  • Lacks edge processing, increasing cloud costs significantly as full API traffic is sent to cloud back end
  • Increases false positives and slows incident response, given limited data

Effective API security depends on adaptive intelligence

What sets Salt apart is the ability to analyze your API traffic over days, weeks, and even months, applying cloud scale and mature algorithms to deeply understand your API traffic.

We see more than anyone else, so we stop more attacks than anyone else.

You get:

  • Better discovery – with smart aggregation of APIs vs. a long list of duplicated endpoints
  • Better threat protection – with insights spanning months of API usage patterns to spot and stop more attack attempts
  • Better API hardening – with detailed remediation guidelines based on attackers' minor successful exploits

Salt – Securing your innovation

API Protection Platform layers: API monitoring, to Discover and Protect, to Fix.

The OWASP API Top 10 – a starting point

Understanding that attacks themselves are different when APIs are the target is an important starting point for learning how to defend against them. The game has changed – these attacks are rooted in finding business logic flaws, and most solutions aren't up to the task.

How the Salt Security platform works
