“By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.”
As 2022 approaches, this prediction could arguably be counted as “missed” — but only because we underestimated the steep rise in attacks on APIs.
APIs fuel digital transformation and are essential components of business-critical, customer-facing applications, development environments, and partner-facing services. APIs today expose application business logic and more sensitive data than ever. Attackers have taken notice, and in recent years, APIs have become the primary target for their efforts.
From eliminating API vulnerabilities during the build phase to automated discovery of new and changed APIs to identifying and stopping attackers in runtime, you need to continuously protect and harden your APIs. Ensure protection across REST, GraphQL, SOAP, and other API types.
Bad actors targeting APIs have moved beyond traditional “one-and-done” attacks such as SQLi and XSS. Their focus now is on finding vulnerabilities in the business logic of APIs. Your APIs are unique, so the attacks have to be as well. It takes attackers days, weeks, or even months to probe and learn your APIs, and they use “low-and-slow” techniques that stay under the radar of traditional security tools.
Detecting low-and-slow attack activity that targets an API’s unique vulnerabilities depends on having context. Building that context requires deep analysis of massive amounts of API traffic. This kind of advanced protection must have a rich baseline of normal behavior for every API and user so that the system can spot anomalies quickly and correlate activity over time to build a fingerprint for each bad actor.
Traditional tools, typically built on a proxy architecture, are not able to analyze activity over time – they see each transaction in isolation and apply pattern matching using signatures and rules to block known attacks. No matter what functionality they gain over time, they will never have the context needed to piece together the subtle malicious activity of someone attacking an API, so they’ll never be able to stop API attacks.
Salt protects the APIs at the core of every modern application with security across the full API lifecycle. Our advantages derive from our cloud-scale big data engine powered by our patented and time-tested AI and ML algorithms; together, they form the core of our API Context Engine (ACE) Architecture.
We scan and test your REST, GraphQL, and other APIs while they're still in development. In runtime, we cover all your application environments, getting a copy of your API traffic. We store hundreds of attributes about thousands of APIs and thousands of users over time. We baseline your environment and use AI and ML to pinpoint anomalies.
The Salt platform automatically discovers all your APIs and the sensitive data they expose, pinpoints and blocks attackers, tests and scans your APIs during the build phase, and feeds remediation insights learned in runtime back to your dev teams so they can improve your API security posture.
We support more than 50 options to collect all your REST, GraphQL, and other API traffic and dynamically build a full inventory, including new and changed APIs. We connect to your systems with no agents, and we require no app or network changes and no configuration or tuning.
Every one of your APIs is unique. Salt applies ML and AI in our big data engine to baseline your APIs and isolate anomalous behavior, differentiating between changes to APIs and malicious activity. By applying the context we learn, we can avoid false positives.
Salt combines our complete coverage and big data engine to scan and test APIs during build, discover all your APIs and the sensitive data they expose, find and stop attackers, and capture insights in pre-prod and runtime for development teams to improve your API security posture.
Tools like WAFs and API gateways don't have any context for what's happening across APIs and, in turn, cannot effectively detect or protect against exploitation. Salt pulls together all the activity of all users, so it can find and stop attackers in their tracks.
WAFs and API gateways detect attacks that leverage known vulnerabilities (think SQLi, XSS). They see traffic one transaction at a time, in isolation. API attacks are different – they target vulnerabilities in your business logic, and bad actors must probe your APIs to discover these zero-day vulnerabilities. To find and stop API attacks requires context, over time – WAFs and API gateways simply don’t have this context (think a single frame vs. a movie).
The OWASP API Security Top 10 catalogs the most common API attacks. Salt knows what every user did an hour ago, a day ago, a week ago – and we have a baseline of what’s normal for your APIs. We use this context to find and stop API attacks.
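The contrast drawn above between a per-transaction "single frame" and the "movie" of a user's activity over time is easiest to see with detection logic run over a small traffic capture. The following is an added illustration written for this page, not Salt's code or any description of the ACE engine internals: it assumes a constructed event schema (timestamp, authenticated user, path, status) and a constructed sample in which three ordinary users read their own orders, one caller sends a classic injection payload, and one caller walks order IDs at one request every four minutes. A signature check sees each request alone and only catches the injection payload; a per-user profile built over a time window, compared against a baseline learned from the ordinary users, surfaces the slow enumeration whose individual requests all look benign.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    """One API request as a runtime collector might record it (constructed schema)."""
    ts: int        # seconds since start of capture
    user: str      # authenticated caller
    path: str      # request path including query string
    status: int    # HTTP response status


# --- "single frame" view: one request, pattern-matched against known payloads
SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script", r"'\s*or\s+1\s*=\s*1")]


def signature_hit(path: str) -> bool:
    """True when a request carries a payload a signature-based proxy would block."""
    return any(s.search(path) for s in SIGNATURES)


# --- "movie" view: what each user did across many requests over time
OBJECT_RE = re.compile(r"^/api/(\w+)/(\d+)")


def object_ref(path: str):
    """(resource, id) of the object a request addresses, or None for non-object paths."""
    m = OBJECT_RE.match(path)
    return (m.group(1), m.group(2)) if m else None


def user_profiles(events, window=3600):
    """Per user: the largest number of distinct object IDs touched inside any
    `window` seconds, plus the share of 4xx responses. Each request on its own
    is ordinary; only the sequence reveals object enumeration."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    profiles = {}
    for user, evs in by_user.items():
        refs = [(e.ts, object_ref(e.path)) for e in evs]
        peak = 0
        for i, (t0, _) in enumerate(refs):
            in_window = {r for t, r in refs[i:] if r and t - t0 <= window}
            peak = max(peak, len(in_window))
        errors = sum(1 for e in evs if 400 <= e.status < 500) / len(evs)
        profiles[user] = {"max_distinct_objects": peak, "error_rate": round(errors, 2)}
    return profiles


def baseline_threshold(profiles, learning_users):
    """Mean + 3 sigma of object breadth over users observed in the learning period."""
    xs = [profiles[u]["max_distinct_objects"] for u in learning_users]
    return mean(xs) + 3 * pstdev(xs)


def triage(events, learning_users, window=3600):
    """Run both views over the capture; returns, per user, which detector fired."""
    profiles = user_profiles(events, window)
    threshold = baseline_threshold(profiles, learning_users)
    sig_users = {e.user for e in events if signature_hit(e.path)}
    return {
        u: {"signature": u in sig_users,
            "behavioural": p["max_distinct_objects"] > threshold,
            **p}
        for u, p in profiles.items()
    }


# Constructed traffic: three ordinary users, one noisy injection attempt, and one
# caller walking order IDs slowly (one request every 240 s, most of them refused).
SAMPLE = [
    Event(0, "alice", "/api/orders/1042", 200),
    Event(120, "alice", "/api/orders/1042", 200),
    Event(900, "alice", "/api/orders/1077", 200),
    Event(30, "bob", "/api/orders/2001", 200),
    Event(600, "bob", "/api/orders/2002", 200),
    Event(1200, "bob", "/api/orders/2003", 200),
    Event(50, "carol", "/api/orders/3100", 200),
    Event(3000, "carol", "/api/orders/3100", 200),
    Event(400, "eve", "/api/orders/1?note=' or 1=1--", 500),
] + [
    Event(7200 + i * 240, "mallory", f"/api/orders/{1001 + i}", 200 if i % 3 == 0 else 403)
    for i in range(30)
]

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE, ["alice", "bob", "carol"]).items():
        print(user, verdict)
```

With the learning baseline drawn from alice, bob and carol, the threshold lands just under five distinct objects per hour, so mallory's sixteen distinct order IDs in a window (and a 67% refusal rate) are flagged while every one of those requests passes the signature check; eve is the reverse. A real baseline would be per-API and per-user rather than one global number, but the division of labour is the same: the signature view needs only the current request, the behavioural view needs retained history.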
In this demonstration, we use Postman to launch a combination of more traditional (SQLi, XSS) and more sophisticated API attacks. The video demonstrates the difference between what a WAF can identify and block vs. the attacks the Salt platform is able to prevent.