APIs: Threat prevention as important as detection

Application developers have made one thing clear in recent years: APIs are now the tool of choice for efficiently creating fully-featured apps across web and mobile platforms. Businesses are now trusting APIs to exchange information, including sensitive data such as payment details and account login credentials.

This preference for APIs, in turn, has brought a new class of cyber threats. Unless your organization is ready to pay close attention to its API environment and defend against the latest advanced threats, you may find your APIs have become a preferred attack target, with new security risks emerging all the time.

The primary way to keep data as safe as possible involves unified API protection, meaning your organization is able to discover its potential attack surface, detect real-time threats and prevent those threats natively, and in real-time. It’s important to not overlook that third step, prevention, especially because some API security products stop short of actually offering countermeasures.

Why is API threat prevention so important?

API threat prevention is such a high priority because of the dire consequences that can result when organizations don’t have adequate defenses in place. Common API-related attacks, such as system compromise due to weak authentication, account takeovers and sensitive data exfiltration can lead to regulatory fines, reputation damage and major monetary losses.

APIs have become popular with both developers and threat actors:

● Of the 21.1 billion application requests measured in the second half of 2021, over two-thirds, 14.4 billion, were API-based.

● Four-fifths of all blocked traffic during the same time period was also API-based.

With APIs powering so many applications and also attracting so much attention from attackers, it’s vitally important for every company to have a threat prevention strategy in place specifically focusing on API attacks.

As a guide to the common API vulnerability types and risk factors IT security teams can expect to deal with, the Open Web Application Security Project (OWASP) API Security Top 10 list provides a useful primer. The two most popular threats on the list involve threat actors using broken access control features to break into systems. At No. 3 on the list is inadvertent sensitive data exposure due to cryptographic failures. Each of these risks is more often than not the result of coding errors on the back end.

Other issues highlighted by OWASP include misconfigured security features, authentication problems, outdated components and design flaws. With attackers targeting so many aspects of APIs and the applications they power, it’s essential for IT security departments to have comprehensive threat prevention tools in place.

What are the best practices of API threat prevention?

Threat prevention encompasses a few different potential responses to harmful traffic. As soon as an organization detects an attack targeting its APIs, the security solution should counter the incoming traffic with the appropriate action. This could involve:

● Blocking the source of the attack.

● Rate limiting access to the company’s APIs.

● Geo-fencing to block access from certain regions or addresses.

● Deception, which makes the attack appear successful.

This response should involve a heavy automation component, to prevent the delays and labor associated with manual processes. Rather than having to formulate a threat prevention response for each instance of malicious activity, an IT security team can trust that customized or default rules and machine learning models will identify the attack and provide the appropriate response.

A well-configured rules and ML engine can not only ensure every attack is met with the correct response, but it can also prevent false positives, in which legitimate API traffic is blocked. This is an important consideration because so much of a given organization’s data interchange will occur via APIs and attackers are adept at making their malicious actions appear legitimate. It’s important to keep the APIs running smoothly while also providing security.
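The automated response selection described in this section can be sketched as a small rule engine. This is an added example, not code from the article or from any vendor product; the field names, thresholds, the `credential_stuffing` label and the `ZZ` region code are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed policy values, constructed for illustration.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # known attack sources
GEO_DENY = {"ZZ"}                      # placeholder region code
RATE_LIMIT, WINDOW = 3, 10.0           # max requests per client per 10 seconds
BLOCK_SCORE, DECEIVE_SCORE = 0.9, 0.7  # detector confidence cut-offs

class ResponseEngine:
    def __init__(self):
        self.hits = defaultdict(deque)  # client IP -> recent request timestamps

    def decide(self, req):
        """Return one of: block, geo_block, deceive, rate_limit, allow."""
        ip = ipaddress.ip_address(req["ip"])
        if any(ip in net for net in BLOCKED_NETS):
            return "block"
        if req["country"] in GEO_DENY:
            return "geo_block"
        score = req.get("score", 0.0)
        if score >= BLOCK_SCORE:
            return "block"
        if score >= DECEIVE_SCORE and req.get("label") == "credential_stuffing":
            return "deceive"  # serve a decoy "success" instead of real data
        # Sliding-window limiter: low-score traffic is throttled rather than
        # blocked, so a false positive slows a real client but does not cut it off.
        window = self.hits[req["ip"]]
        while window and req["ts"] - window[0] >= WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return "rate_limit"
        window.append(req["ts"])
        return "allow"

def run(events):
    engine = ResponseEngine()
    return [engine.decide(e) for e in events]

# Constructed sample events (documentation-range addresses, not real traffic).
SAMPLE = [
    {"ip": "203.0.113.7", "country": "US", "ts": 0.0},
    {"ip": "198.51.100.5", "country": "ZZ", "ts": 0.5},
    {"ip": "198.51.100.9", "country": "US", "ts": 1.0, "score": 0.95, "label": "sqli"},
    {"ip": "198.51.100.9", "country": "US", "ts": 1.5, "score": 0.75,
     "label": "credential_stuffing"},
]
SAMPLE += [{"ip": "192.0.2.10", "country": "US", "ts": t, "score": 0.1}
           for t in (2.0, 3.0, 4.0, 5.0, 20.0)]
```

The ordering of the checks is the policy: static block and geo rules run first, detector-driven actions next, and throttling last, so the least disruptive response is the default for traffic the detector is unsure about.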

How do you combine API threat detection with prevention?

Seamless integration is the key concept for providing a unified API threat prevention experience.

API threat prevention should also be closely integrated with API discovery and detection tools, ensuring that every risk factor and vulnerability identified by these solution elements receives a timely, appropriate and automated response. The only way to ensure a rapid response is to look for a solution that natively mitigates threats, without the need to rely on third-party security tool integration.

API threat prevention tools that take advantage of this close integration can protect against both known threat types and emerging threats, as cataloged by the API discovery and detection solution components.

With advanced ML-based detection of API threats, it’s possible to tell the system to protect not only common theft targets such as credit card information and Social Security numbers, but also intellectual property or credentials relevant to an organization’s industry.

What does Unified API Protection mean?

Unified API Protection goes beyond limited API security tools to address every phase of an organization’s API protection lifecycle.

● First, organizations must discover their entire API attack surface, using both outside-in and inside-out methods to see what attackers will see. This includes finding shadow APIs, deprecated and outdated components and more potential risk factors.

● Then, businesses need to employ real-time API threat detection methods to prevent all kinds of harmful traffic. Systems should be able to guard against both known threats and emerging threats, all according to customized rules.

● Finally, as discussed above, IT security teams require comprehensive API threat prevention tools. These must be capable of providing customized and automated responses based on the type of harmful traffic detected, whether that means blocking, limiting or even deceiving the attack.

Putting these API-focused advanced threat protection components together provides a more comprehensive approach to data defense than would be possible with a web of disconnected API security tools that only deal with parts of today’s varied threat environment.

Considering the overwhelming popularity of API-based development, it’s likely that your organization already maintains numerous APIs, with more to come over time. Protecting that potential attack surface is therefore a fundamental cybersecurity need.

Jason Kent

For over the last 20 years, Jason has been ethically peering into Client Behaviour, Wireless Networks, Web Applications, APIs and Cloud Systems, helping organisations secure their assets and intellectual property from unauthorised access. As a consultant he's taken hundreds of organisations through difficult compliance mine fields, ensuring their safety. As a researcher he has found flaws in consumer IOT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research, community outreach and supports efforts in identifying Automated Attacks against Web, Mobile, and API-based Applications to keep Cequence's customers safe.
