APIs are everywhere, and they are ripe targets for malicious attacks

By Ameya Talwalkar, Co-founder and CPO, Cequence Security

Earlier this year I wrote a blog about key trends in application security. One of those trends – the explosion of APIs and endpoints – has come to fruition. In conjunction with the explosive use of APIs, bad actors are now using them to execute a wide range of attacks.

The result – the API security market is crowded with new offerings from startups to large security vendors, all claiming they have API security. To us, API security is nothing new – we’ve watched for years as bad actors execute automated attacks against our customers’ APIs supporting mobile login or web form registration or login applications. But it’s clear from my customer conversations that while API security is top of mind, the topic itself is vague, leading to indecision as to what they are looking for. Yet, their application teams are deploying API-based applications at a faster rate than ever. Given the confusion around API security and the fact that we have been protecting APIs from day one, I thought I would share my perspective on API security.

API Security: Why the Hype?

The API explosion is driven by several business factors. Enterprises are moving away from large monolithic apps that are updated annually at best. Legacy applications are being broken into smaller independently functional components, oftentimes, rolling them out as container-based microservices. These application components and microservices work together to deliver the same functionality as the monolithic applications.

Key API Growth Drivers:

  • The rapid adoption of iterative development methodologies (DevOps, DevSecOps, Agile, etc.) enables teams to quickly push incremental changes to application components directly to customers instead of following the long development and quality assurance cycles of legacy applications. The result is increased competitive differentiation and customer satisfaction.
  • The ability to scale up and down to handle seasonality-based demand leads to more efficient infrastructure use and associated cost savings.
  • Technology adoption trends such as public/private cloud adoption, containers, orchestration (Kubernetes), and management frameworks (Istio) make it easier to develop and deploy API-based microservices at scale.
  • Partner ecosystem expansion, enabled by API-based microservices that partners, aggregators, suppliers, and 3rd party developers use to grow their business without replicating functionality. These APIs are well documented and publicly available – as evidenced by the directory of more than 23,000 APIs found on programmableweb.com.

The adoption of APIs is great for business but it’s a nightmare for security professionals. The same understaffed security team tasked with protecting a handful of applications is now suddenly responsible for protecting hundreds if not thousands of public-facing APIs from a range of security risks. Therefore, API Security is top of mind for most CISOs.

API Security Requirements

Based on our recent customer conversations, here are the five problems security teams are trying to solve when it comes to API Security.

  1. Visibility: The old adage of Knowledge is Power is appropriate when it comes to API visibility. Customers are concerned with the lack of visibility into which APIs are published, how and when they are updated, who is accessing them, and how they are being accessed. Understanding the full scope of your API usage is the first step towards securing them.
  2. Access Control: Oftentimes, API access is loosely controlled, which can lead to unwanted exposure. Ensuring the right set of users has the right set of access permissions for each API is a critical security requirement often addressed through Identity and Access Management.
  3. Traffic Management: Bot traffic is here to stay. In some customer environments, as much as 90% of their traffic is automated traffic, both good and bad. Traffic management means understanding the traffic profile, controlling good bots while preventing bad ones that may lead to network and application layer DDoS attacks, and implementing IP policies (whitelists, blacklists, and rate limits) and geofencing specific to use cases and corresponding API endpoints.
  4. Threat Prevention: APIs simplify the process of an attack by eliminating the web form or the mobile app itself, allowing a bad actor to easily execute their attacks. Protecting API endpoints from automated bot attacks, business logic abuse, and vulnerability exploits is a key API security requirement.
  5. Data Security: Preventing data loss through overexposed APIs, either due to programming errors or security control gaps, for appropriately privileged users or otherwise, is a critical API security requirement.

Alternative Approaches to API Security

Researching API security will show that there are four distinct solution groups, each addressing specific challenges.

  • API Gateways: the most mature and heavily populated category, these solutions focus heavily on visibility and control.
  • API Security: largely populated with startups that find your APIs and protect them from vulnerabilities or data leakage.
  • Web Application Firewalls: apply traditional web-based vulnerability exploit protection to APIs.
  • First Generation Bot Mitigation vendors: prevent automated attacks against web and mobile apps using JavaScript instrumentation and mobile SDKs to collect attack telemetry. These vendors add API security as an afterthought through a variety of approaches.

None of these solutions solves all five of the requirements outlined above. In many cases, customers will use multiple offerings from the mix of API security providers.

How Cequence Security Addresses API Security

When we talk about API security, it is with a focus on automated bot attacks that can be executed against an API as easily as they can against a web form. The same flexibility and efficiency benefits that APIs bring to the application development team are leveraged by bad actors to execute automated attacks. Cequence Security addresses three of the five requirements listed above and we are working to address the remaining requirements soon.

  • Visibility: Our agentless, intelligence-based approach allows us to continuously monitor and build a site-map of all the APIs in use including those accessed by users, partners, aggregators, IoT devices, etc. Since we are typically deployed at a choke-point in the application layer, we can see and aggregate data across the entire API fabric and give a unified and real-time view of API usage to security teams. That enables them to decide the security posture for the entire API fabric. New APIs and periodic updates are automatically discovered, without injecting security delays into the development lifecycle. For example, we were able to alert the security team at a large retailer about a new version of an existing API application being rolled out and live, which the security team was completely unaware of.
  • Traffic Management: CQ bot defense and CQ app firewall combine to provide high precision traffic management based on the visibility generated by CQAI. Driven through policies, we can enforce a positive security model that precisely allows what you want while denying all else. As the application fabric scales based on seasonal demands, we also scale with the fabric to provide continuous protection. For example, a regional bank in the US was experiencing a burst of OFX (Open Financial Exchange) transactions from east Asia, where they have virtually no customers. With the Cequence Security solution, they were able to divert those potentially fraudulent transactions from east Asia to an alternate server, while not impacting legitimate transactions.
  • Threat Prevention: APIs are subject to the same set of threats that can be executed against web applications – automated business logic abuse and vulnerability exploits. Business logic abuse at scale can be driven through large automated or human bot farms, leading to fraud and financial loss. For example, immediately following the disclosure by Facebook that they had leaked close to 50 million OAuth tokens used for Facebook logins on other platforms, one of our social media customers experienced a high-volume credential stuffing attack on their Facebook login application API. We were able to thwart that attack with CQ bot defense.

Public API documentation makes it easier to target API-based applications when compared to traditional web applications that require a certain level of analysis along with trial and error. Just like a web application, APIs are subject to application vulnerability exploits to gain unauthorized access, steal sensitive data and launch even more damaging attacks. Our CQ bot defense solution protects APIs from automated business logic abuse. Our CQ app firewall prevents these APIs from being exploited by motivated and well-resourced attackers.

API Security is “trending” now and it can be confusing. We are helping enterprise security teams navigate a path towards securing their API applications while not standing in the way of rapid development and deployment cycles. Look for more exciting announcements in this space from us in 2020.

About the Author

Over the last 10 years, Ameya Talwalkar has built strong engineering teams specializing in enterprise and consumer security in Silicon Valley, Los Angeles, Madrid, Pune, and Chengdu. Before co-founding Cequence Security, he was Director of Engineering at Symantec. He was responsible for its anti-malware software stack that leverages network intrusion prevention, behavior and reputation technologies, and anti-virus engines. Under his leadership, Symantec developed an advanced version of network intrusion prevention technology that blocks more than two billion threats a year. Prior to Symantec, Ameya worked in various engineering roles at Valicert, focused on PKI-based security solutions for finance and government. He led the first commercial implementation of RFC 5055 and contributed to its progress at IETF. Ameya holds a Bachelor of Engineering in Electrical Engineering from the University of Mumbai’s Sardar Patel College of Engineering (SPCE). Ameya can be reached on LinkedIn at https://www.linkedin.com/in/ameya-talwalkar-910b8/