Happy Pi Day everyone! As a technician, Pi is a number that represents a constant. This constant reflects ongoing cyber threats that put business assets at ongoing risk as digital transformation and the resulting attack surface grow in parallel. Whether it’s a simple identity theft facilitated by a weak password or a complex state-sponsored cyber incident, security professionals are constantly working to master the defensive tools and techniques necessary to create a comprehensive security strategy.
The attack vector that we will cover here is executed via Application Programming Interfaces (API), software intermediaries that allow applications to communicate with each other. What about the APIs that make them so attractive as a vector for breaching web application security, and what can we as security professionals do about this threat? In this post, we’ll explain why cybercriminals are targeting APIs, why current application security practices are insufficient to manage the threat, and what technologies are currently available to overcome API security challenges.
Why Cybercriminals Target APIs
If history has taught us anything, it’s that there are no free rides when it comes to innovation. Fantastic web apps opened up a goldmine of eCommerce revenue possibilities only for bad bot attacks to work and severely degrade the process. Collaboration technologies turn distributed teams into ultra-productive digital workforces only for phishing attacks to expose billions of sensitive personal data to exfiltration and theft. Today, cloud-native application development offers organizations unprecedented flexibility, speed, and lower costs. The cornerstones of this rapid cloud-native development process are APIs, and for good reason. APIs simplify low-level software layers and allow developers to focus on the core functionality of their applications. Across the company, APIs lower the barrier to entry for inexperienced developers and increase efficiency for more experienced people. Consequently, the use of APIs has increased considerably. Imperva Research Labs’ cloud WAF traffic analysis showed that the proportion of web traffic flowing from APIs has grown 30% in 2022, compared to the same period last year. As the volume of API traffic increases, it becomes a greater threat to an organization’s sensitive data. Motivated attackers will increasingly target APIs as the path to the underlying infrastructure and database.
Why Web Application Firewalls and DDoS Protection Aren’t Enough to Protect APIs
Web Application Firewalls (WAF) and DDoS protection have been for some time de facto tools to safeguard web applications. As digital transformation initiatives have intensified, developers have integrated things like microservices and open source tools into the application development process, dramatically increasing reliance on APIs. Unfortunately, organizations have a limited view of the security of the APIs that come with these new elements. DDoS protection is essential to stop DDoS attacks where attackers try to overwhelm an API with many requests in a short time. However, if you don’t know the full schema or what changes have been made to the schema of an API facing a flood of requests, you don’t know how you’ll respond to an attack. This compromises the effectiveness of any DDoS protection.
Achieve real API visibility and security
Imperva offers an easy-to-use tool that addresses the complex risks associated with APIs. Organizations can use Imperva API Security to create the visibility of the APIs that is required to protect them. This tool provides rich contextual data and labels and automatically determines risks around sensitive data without requiring development teams to publish APIs through OpenAPI or adding a resource-intensive workflow to their CI/CD processes. Security teams can incorporate a positive security model to protect their organization from API-based threats. Every time an API is updated, Imperva API Security informs security teams and helps them understand any new risks and incorporate changes. This leads to faster and more secure software release cycles.
Imperva API Security automatically discovers the full schema of each API while identifying and classifying the data that flows through it and improving an organization’s security posture. It also enables continuous API discovery and schema changes, automatically updating APIs as they change in production. The flexible deployment model provides protection for back-end and public APIs in a single solution without slowing down development teams and works across legacy, hybrid, and cloud-native environments, including Kubernetes, legacy monolithic applications, standalone microservices, and cloud-native applications. plus. The tool also drills down and discovers the underlying payload of each API to help security leaders apply a governance model and mitigate potential data breaches.
Imperva API Security enables security teams to keep up with the pace of innovation without affecting the speed of development. The tool mitigates the risk of data breaches and data leaks by uncovering hidden APIs and suggests solutions for software developers and security administrators.
Learn more directly from the experts
by imperva new webinar explains how this API security tool provides the right balance of visibility and protection that security and DevSecOps teams require.
join us March 30th and learn about:
- Trends driving rapid API adoption and the emerging risk surface resulting from outdated API inventory
- Where Application Security Fits in API Protection and Risk Mitigation
- Which tools are the best to cover each part of the OWASP API Top 10
- A strategy to discover and classify each API in and out of production
Hear from two industry experts on API security and how APIs have become the lingua franca of the internet today, and why you need to act fast to prevent data breaches. reserve your place today.
*** This is a syndicated Security Bloggers Network blog from Blog written by John Oh. Read the original post at: https://www.imperva.com/blog/how-web-applications-are-attacked-through-apis/