Google released a preview version of a service called Advanced API Security aimed at helping organizations combat growing threats targeting application programming interfaces (APIs).
The goal of the service, based on the Apigee API management platform that Google acquired in 2016, is to make it easier to identify API proxies that do not meet security standards.
The two core features of Advanced API Security are API misconfiguration identification and bot detection.
Identification of misconfigurations and bots
To identify API configuration errors, the platform regularly scans APIs and offers corrective actions that organizations can take if misconfiguration issues are found.
This can help reduce the risk to sensitive information, for example patient data exposed through a health care provider’s APIs for health coverage information.
“Because often sensitive personal healthcare data is transmitted, it is important that the required authentication and authorization policies are in place so that only authorized users, such as an insurance company, can access the API,” Vikas Ananda, product manager at Google Cloud, wrote in a blog post about the announcement.
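The kind of check the article describes, an auth policy scan over an API proxy definition, as an added example that is not Google's scanner or Apigee's own code. It assumes Apigee-style proxy bundle XML (a ProxyEndpoint whose request PreFlow lists Step/Name entries, and policy files whose root element is VerifyAPIKey or OAuthV2 with an Operation of VerifyAccessToken); the policy names, base path and thresholds are constructed for the example. It reports an endpoint whose request PreFlow carries no authentication step, a step that references a policy missing from the bundle, and an authentication step wrapped in a Condition, since requests that do not match the condition skip it.

```python
"""Constructed misconfiguration check for an Apigee-style API proxy bundle.

Not Google's Advanced API Security scanner. The bundle is modelled as
in-memory XML strings: one ProxyEndpoint plus the policies it references.
"""
import xml.etree.ElementTree as ET

# Constructed policy definitions keyed by policy name. Assumption: real bundles
# keep these in apiproxy/policies/<name>.xml with these root element names.
POLICIES = {
    "Verify-API-Key": "<VerifyAPIKey name='Verify-API-Key'>"
                      "<APIKey ref='request.queryparam.apikey'/></VerifyAPIKey>",
    "OAuth-Verify": "<OAuthV2 name='OAuth-Verify'>"
                    "<Operation>VerifyAccessToken</Operation></OAuthV2>",
    "OAuth-Generate": "<OAuthV2 name='OAuth-Generate'>"
                      "<Operation>GenerateAccessToken</Operation></OAuthV2>",
    "Log-Request": "<MessageLogging name='Log-Request'/>",
}

# Constructed proxy endpoints: one with no authentication at all, one guarded
# by an API key check, one whose OAuth check only runs for some requests.
UNPROTECTED = """
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request><Step><Name>Log-Request</Name></Step></Request>
    <Response/>
  </PreFlow>
  <HTTPProxyConnection><BasePath>/v1/coverage</BasePath></HTTPProxyConnection>
</ProxyEndpoint>"""

PROTECTED = UNPROTECTED.replace(
    "<Request><Step><Name>Log-Request</Name></Step></Request>",
    "<Request><Step><Name>Verify-API-Key</Name></Step>"
    "<Step><Name>Log-Request</Name></Step></Request>")

CONDITIONAL = UNPROTECTED.replace(
    "<Request><Step><Name>Log-Request</Name></Step></Request>",
    "<Request><Step><Name>OAuth-Verify</Name>"
    "<Condition>request.verb != \"OPTIONS\"</Condition></Step></Request>")


def is_auth_policy(policy_xml: str) -> bool:
    """True for the policy types that authenticate the caller."""
    root = ET.fromstring(policy_xml)
    if root.tag == "VerifyAPIKey":
        return True
    if root.tag == "OAuthV2":
        # Only VerifyAccessToken authenticates; GenerateAccessToken issues tokens.
        return root.findtext("Operation", default="").strip() == "VerifyAccessToken"
    return False


def audit_proxy_endpoint(endpoint_xml: str, policies: dict) -> list:
    """Return a list of findings for one ProxyEndpoint; an empty list passes."""
    root = ET.fromstring(endpoint_xml)
    findings = []
    steps = root.findall("./PreFlow/Request/Step")
    names = [s.findtext("Name", default="").strip() for s in steps]
    for name in names:
        if name not in policies:
            findings.append(f"step '{name}' references a policy missing from the bundle")
    auth_names = [n for n in names if n in policies and is_auth_policy(policies[n])]
    if not auth_names:
        findings.append("request PreFlow has no VerifyAPIKey or OAuthV2/VerifyAccessToken "
                        "step; add one so every route is authenticated")
    for step in steps:
        name = step.findtext("Name", default="").strip()
        cond = step.findtext("Condition")
        if name in auth_names and cond and cond.strip():
            findings.append(f"auth step '{name}' is conditional ({cond.strip()}); "
                            "requests not matching the condition skip authentication; review")
    return findings


if __name__ == "__main__":
    for label, xml in (("unprotected", UNPROTECTED), ("protected", PROTECTED),
                       ("conditional", CONDITIONAL)):
        print(label, audit_proxy_endpoint(xml, POLICIES) or "OK")
```

A real scan would walk every ProxyEndpoint and conditional Flow in the bundle, not just the PreFlow; the PreFlow is the right place to look first because it runs before any route-specific flow and so guards all of them.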
API security teams can also use Advanced API Security’s preconfigured rules to identify malicious bots within API traffic.
“Each rule represents a different type of unusual traffic from a single IP address,” Ananda wrote. “If an API traffic pattern meets any of the rules, Advanced API Security reports it as a bot.”
This service is aimed at financial services institutions, which rely heavily on Google Cloud: four of the top five US banks ranked by the Federal Reserve are already using Apigee, Google noted in the blog post.
The service is also designed to speed up the identification of data breaches by flagging bot requests that received an HTTP 200 OK success status response.
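The two mechanisms just described, per-IP rules that flag a source as a bot when any rule matches and a follow-up that singles out the bot requests that got HTTP 200 OK, as an added example that is not Google's rule set or Apigee code. The rule names, thresholds, log format and log lines are all constructed for this example.

```python
"""Constructed per-IP bot rules over API access logs, plus a 200 OK triage view.

Not Google's Advanced API Security rules; names and thresholds are constructed.
Each rule looks at one source IP's traffic over the log window; an IP matching
any rule is reported as a bot, following the "any rule" semantics quoted above.
"""
import re
from collections import defaultdict

# Constructed log format: "<ip> <iso-timestamp> <method> <path> <status>"
LOG_LINE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def constructed_log() -> str:
    """Build constructed sample traffic: one normal client, one noisy client."""
    lines = []
    # Normal client: a few lookups of its own record, all successful.
    for i in range(4):
        lines.append(f"198.51.100.4 2022-06-01T10:0{i}:00Z GET /v1/coverage/1001 200")
    # Noisy client: 25 requests walking through many record ids, two of which hit.
    for i in range(25):
        status = 200 if i in (3, 17) else 404
        lines.append(f"203.0.113.7 2022-06-01T10:05:{i:02d}Z GET /v1/coverage/{2000 + i} {status}")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["status"] = int(event["status"])
        events.append(event)
    return events


def group_by_ip(events: list) -> dict:
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    return by_ip


# Rules: each takes one IP's events and returns True when the IP looks automated.
def rule_high_volume(evs):            # many requests in the window
    return len(evs) >= 20

def rule_high_4xx_ratio(evs):         # mostly client errors, i.e. guessing
    if len(evs) < 10:
        return False
    errors = sum(1 for e in evs if 400 <= e["status"] < 500)
    return errors / len(evs) >= 0.5

def rule_path_enumeration(evs):       # touches many distinct resources
    return len({e["path"] for e in evs}) >= 10

RULES = [("high-volume", rule_high_volume),
         ("high-4xx-ratio", rule_high_4xx_ratio),
         ("path-enumeration", rule_path_enumeration)]


def detect_bots(events: list) -> dict:
    """Map ip -> matched rule names, for IPs matching at least one rule."""
    flagged = {}
    for ip, evs in group_by_ip(events).items():
        matched = [name for name, pred in RULES if pred(evs)]
        if matched:
            flagged[ip] = matched
    return flagged


def successful_bot_requests(events: list, flagged: dict) -> list:
    """Requests from flagged IPs that got 200 OK: the ones that returned data."""
    return [e for e in events if e["ip"] in flagged and e["status"] == 200]


if __name__ == "__main__":
    evs = parse_log(constructed_log())
    bots = detect_bots(evs)
    print("flagged:", bots)
    for e in successful_bot_requests(evs, bots):
        print("bot request returned data:", e["ip"], e["path"])
```

The 200 OK view is what turns a bot report into breach triage: a flagged IP that only ever received 404s probably obtained nothing, while each 200 it received names a record that should be assumed exposed.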
“Organizations across all regions and industries are developing APIs to enable easier and more standardized delivery of services and data for digital experiences,” Ananda wrote. “This ever-increasing shift to digital experiences has increased API usage and traffic volumes. However, as malicious API attacks have also grown, API security has become a major business risk battleground.”
Michelle McLean, vice president of product marketing for Salt Security, an API security provider, noted that whenever a major industry player highlights a critical and needed capability, the entire industry benefits.
“Too many companies remain complacent about the risk APIs create for their organizations, so having a leading API management platform like Apigee draw attention to the need to improve API security makes the entire industry more secure,” she said.
McLean said that Google is always trying to catch up with AWS and Azure in the “cloud wars,” and has long focused on security as an area in which to differentiate itself.
“Apigee remained a very popular API management platform long before the Google acquisition, so it makes sense that Google would look to security as a way to increase the value of its API platform,” she said.
She added that stopping bots and identifying API misconfigurations are a good starting point, as both capabilities can leverage pre-set rules and known patterns to improve API security.
“However, these do not represent the greatest source of risk,” she said. “If you think about the major API security incidents of the last few years (Experian, Peloton, USPS, LinkedIn, and even Log4j), none of these would have been prevented by stopping bot attacks or misconfigurations.”
Business logic flaws are the real threat
McLean explained that most API attacks are based on identifying flaws in business logic, and these kinds of attacks don’t stop with preset rules or known patterns. He noted that APIs are an increasingly attractive target because they are designed to share valuable data and are currently poorly protected.
To attack APIs, bad actors look for gaps in business logic that they can exploit. Detecting this subtle probing, as a bad actor learns how a given company’s APIs behave, is crucial to identifying and preventing attacks.
“To prevent this threat, enterprises must focus on runtime security measures that are dynamic, adaptive, and behavioral and can detect anomalies over days, weeks, and months,” she said. “Existing tools like web application firewalls (WAFs) and gateways can’t help here because they use pre-set rules and patterns to detect known threats.”
McLean pointed out that such known threats are not the biggest risk to API-driven businesses; attacks on business logic are. Catching those requires advanced algorithms that can recognize the reconnaissance activity associated with finding business logic flaws, she said.
Scott Gerlach, co-founder and CSO of StackHawk, an API security testing provider, said this release gives GCP users the ability to have a defense-in-depth strategy.
“Teams can use modern API security testing tools to make sure the APIs they’re releasing don’t have high-risk exploitable vulnerabilities and leverage Google’s Advanced API Security as a production fallback,” he said. “This is another big step in ensuring that legitimate users with legitimate use cases are the ones requesting data.”
He noted that steps like this are critical as the API security threat grows, pointing to Forrester’s recent State of Application Security 2022 report, which found that the percentage of malicious API traffic grew significantly from 2020 to 2021. Gerlach predicted that this trend would continue.
“API security issues are at the heart of many recent breaches, including Bumble and Coinbase, and leading organizations are taking steps to ship more secure APIs and leverage production tools for an extra layer of security,” Gerlach added.