APIs: Threat prevention as important as detection

Application developers have made one thing clear in recent years: APIs are now the tool of choice for efficiently creating fully-featured apps across web and mobile platforms. Businesses are now trusting APIs to exchange information, including sensitive data such as payment details and account login credentials.

This preference for APIs, in turn, has brought a new class of cyber threats. Unless your organization is ready to pay close attention to its API environment and defend against the latest advanced threats, you may find your APIs have become a preferred attack target, with new security risks emerging all the time.

The primary way to keep data as safe as possible involves unified API protection, meaning your organization is able to discover its potential attack surface, detect real-time threats and prevent those threats natively, and in real-time. It’s important to not overlook that third step, prevention, especially because some API security products stop short of actually offering countermeasures.

Why is API threat prevention so important?

API threat prevention is such a high priority because of the dire consequences that can result when organizations don’t have adequate defenses in place. Common API-related attacks, such as system compromise due to weak authentication, account takeovers and sensitive data exfiltration can lead to regulatory fines, reputation damage and major monetary losses.

APIs have become popular with both developers and threat actors:

● Of the 21.1 billion application requests measured in the second half of 2021, over two-thirds, 14.4 billion, were API-based.

● Four-fifths of all blocked traffic during the same time period was also API-based.

With APIs powering so many applications and also attracting so much attention from attackers, it’s vitally important for every company to have a threat prevention strategy in place specifically focusing on API attacks.

As common API vulnerability types and risk factors IT security teams can expect to deal with, the Open Web Application Security Project (OWASP) API Security Top 10 list provides a useful primer. The two most popular threats on the list involve threat actors using broken access control features to break into systems. At No. 3 on the list is inadvertent sensitive data exposure due to cryptographic failures. Each of these risks is more often than not the result of coding errors on the back end.

Other issues highlighted by OWASP include misconfigured security features, authentication problems, outdated components and design flaws. With attackers targeting so many aspects of APIs and the applications they power, it’s essential for IT security departments to have comprehensive threat prevention tools in place.

What are the best practices of API threat prevention?

Threat prevention encompasses a few different potential responses to harmful traffic. As soon as an organization detects an attack targeting its APIs, the security solution should counter the incoming traffic with the appropriate action. This could involve:

Blocking the source of the attack.

Rate limiting access to the company’s APIs.

Geo-fencing to block access from certain regions or addresses.

Deception, which makes the attack appear successful.

This response should involve a heavy automation component, to prevent the delays and labor associated with manual processes. Rather than having to formulate a threat prevention response for each instance of malicious activity, an IT security team can trust that customized or default rules and machine learning models will identify the attack and provide the appropriate response.

A well-configured rules and ML engine can not only ensure every attack is met with the correct response, but it can also prevent false positives, in which legitimate API traffic is blocked. This is an important consideration because so much of a given organization’s data interchange will occur via APIs and attackers are adept at making their malicious actions appear legitimate. It’s important to keep the APIs running smoothly while also providing security.

How do you combine API threat detection with prevention?

Seamless integration is the key concept for providing a unified API threat prevention experience.

API threat prevention should also be closely integrated with API discovery and detection tools, ensuring that every risk factor and vulnerability identified by these solution elements receive a timely, appropriate and automated response. The only way to ensure a rapid response is to look for a solution that natively mitigates threats, without the need to rely on 3rd-party security tool integration.

API threat prevention tools that take advantage of this close integration can protect against both known threat types and emerging threats, as cataloged by the API discovery and detection solution components.

With advanced ML-based detection of API threats, it’s possible to tell the system to protect common theft targets such as credit card information and Social Security numbers, but also intellectual property or credentials relevant to their industries.What does Unified API Protection mean?

Unified API Protection goes beyond limited API security tools to address every phase of an organization’s API protection lifecycle.

● First, organizations must discover their entire API attack surface, using both outside-in and inside-out methods to see what attackers will see. This includes finding shadow APIs, deprecated and outdated components and more potential risk factors.

● Then, businesses need to employ real-time API threat detection methods to prevent all kinds of harmful traffic. Systems should be able to guard against both known threats and emerging threats, all according to customized rules.

● Finally, as discussed above, IT security teams require comprehensive API threat prevention tools. These must be capable of providing customized and automated responses based on the type of harmful traffic detected, whether that means blocking, limiting or even deceiving the attack.

Putting these API-focused advanced threat protection components together provides a more comprehensive approach to data defense than would be possible with a web of disconnected API security tools that only deal with parts of today’s varied threat environment.

Considering the overwhelming popularity of API-based development, it’s likely that your organization already maintains numerous APIs, with more to come over time. Protecting that potential attack surface is therefore a fundamental cybersecurity need.

Jason Kent

For over the last 20 years, Jason has been ethically peering into Client Behaviour, Wireless Networks, Web Applications, APIs and Cloud Systems, helping organisations secure their assets and intellectual property from unauthorised access. As a consultant he's taken hundreds of organisations through difficult compliance mine fields, ensuring their safety. As a researcher he has found flaws in consumer IOT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research, community outreach and supports efforts in identifying Automated Attacks against Web, Mobile, and API-based Applications to keep Cequence's customers safe.

Britain’s Uplevelling Plan

Amber Coster • 26th April 2022

Remote work could enable over 13 million Brits* to seize the opportunity to live and work outside the major cities, helping to spread economic opportunity across the UK, according to research released today by ClickUp, the all-in-one productivity platform.

The Heroes Of Technology

Steven Johnson • 26th April 2022

We tend to worship great business leaders, but there are thousands of innovators whose ideas — from tiny features to complicated algorithms — have made our lives easier, healthier, safer, and more convenient. Meet Hidden Heroes, a new publication designed to tell their stories and pay them the tribute they deserve.