By Yaron Azerual, Senior Security Solution Lead, Radware
The shift to hybrid working and digital transformation has accelerated the use of APIs. According to Radware’s 2022 State of API Security Survey, conducted with Enterprise Management Associates, 97% of organizations use APIs for communications between workloads and systems; 92% have significantly or somewhat increased API usage within the last year; and 59% already run most of their applications in the cloud – all of which underscores the critical role APIs play in enterprise computing.
The challenge is that API protection is not only failing to keep up with the increase in API usage, but also that many companies are working under a false set of assumptions and an overconfidence that they are adequately protected from cyberattacks – a risky combination. The reality is that security teams need to rethink their approach to securing their APIs.
THE STATE OF API SECURITY
In our recent survey, 203 companies from across Europe, Asia, and North America paint a real-world picture of the state of API security in today’s organizations. The results of the survey reinforce the narrative that companies have a false sense of security in solutions that are inadequate and ineffective:
Undocumented APIs pose a substantial and underestimated threat.
While 92% of the organizations surveyed believe they have adequate API protection and 70% believe they have visibility into applications that process sensitive data, most (62%) admit that one-third or more of their APIs are undocumented.
Commentary: While the survey discovered that a fair portion of APIs are known and documented, there is a real (and underestimated) threat that comes from the large percentage of undocumented APIs. This is coupled with the fact that only some respondents believe that automatic API discovery and protection are necessities, and an even smaller portion is actually using a solution with auto-discovery capabilities. This is part of the false narrative that can lead to a major breach for many organizations: the belief that they have adequate security, when in fact they have significant gaps in their protection created by APIs that are unknown and undocumented.
API attacks are largely undetected.
Half of the companies surveyed viewed their existing tools as only somewhat or minimally effective at protecting their APIs, with 7% reporting that their solutions did not identify any attacks at all.
Commentary: The inability of the existing tools to adequately protect APIs from common threats further adds to the false security narrative. The fact that respondents reported that the solutions they had in place did not identify any attacks (7.4%) is even more troubling.
Bot attacks remain a threat.
Nearly one-third of companies report that automated bot attacks are among the most common threats to APIs. In detecting an API attack, 29% say they rely on alerts from an API gateway and 21% rely on web application firewalls (WAFs).
Commentary: Organizations continue to base API security on the false assumption that API gateways and traditional WAFs offer sufficient protection, leaving their APIs vulnerable and exposed to common threats, like bot attacks. A comprehensive API protection solution addresses these threats, but few respondents indicate they have deployed such solutions. Bot protection and automated-attack protection should be a priority when evaluating solutions to protect APIs.
BEWARE OF FALSE ASSUMPTIONS
There are many challenges involved in securing APIs – false assumptions are among them. Dispelling the myths and false beliefs, and tempering the overconfidence that most organizations have around API security, is a good place to start in improving security posture.
Here are a few prevailing false assumptions that further hamper API security and leave APIs vulnerable and exposed to threats.
- “A WAF will protect our applications and their APIs.”
While WAFs are a great solution for protecting against embedded attacks, they only cover a fraction of the attack vectors APIs are exposed to. APIs require specific capabilities, such as the ability to parse the content and compare it to the API’s specific schema – something standard WAFs usually don’t do.
Second, most WAF solutions (especially cloud WAF managed services) only deploy negative security models. This limits protection against zero-day attacks (unfamiliar attacks for which no signature yet exists). The OWASP API Security Top 10 list includes many types of attacks and malicious API calls that simply can’t be covered through a negative security model. They require a positive security model and behavioral analysis to determine whether an API call is malicious or not – a feature most WAFs don’t offer.
Finally, there are automated threats, including malicious bots, that can pose a major problem for APIs. How can an API distinguish between a bad bot and a legitimate machine-to-machine call? Companies need advanced bot management solutions that can also analyze API calls to protect against account takeovers (ATO), data scraping, and other types of application DoS attacks. Currently, no WAF offers this functionality.
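The difference between the two models is easiest to see in code. The following is an added illustration, not Radware's code or any WAF's rule set: a hand-written validator for a hypothetical POST /api/v1/transfer endpoint. The schema, the three sample request bodies and the short signature list are all constructed for the example. The negative model (block-list of known-bad patterns) and the positive model (allow-list derived from the documented schema) are run side by side on each body.

```python
"""Positive vs negative security model applied to an API request body.

Added illustration (not Radware's code): a hypothetical POST /api/v1/transfer
endpoint with a constructed schema, constructed sample bodies and a tiny
constructed signature list.
"""
import json
import re

# Documented schema for the hypothetical endpoint: every allowed field, its
# type and its permitted range. Anything not listed is rejected (allow-list).
TRANSFER_SCHEMA = {
    "from_account": {"type": str, "pattern": r"^[0-9]{8,12}$"},
    "to_account": {"type": str, "pattern": r"^[0-9]{8,12}$"},
    "amount": {"type": (int, float), "min": 0.01, "max": 10000},
    "memo": {"type": str, "max_len": 64},
}
REQUIRED = {"from_account", "to_account", "amount"}

# Negative model: block-list of known-bad patterns, as a signature-based
# WAF rule set works. Deliberately small; it only needs to show the gap.
SIGNATURES = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)<script"),
    re.compile(r"\.\./"),
]


def negative_model_check(raw_body: str) -> list[str]:
    """Return the patterns that matched; an empty list means 'allowed'."""
    return [sig.pattern for sig in SIGNATURES if sig.search(raw_body)]


def positive_model_check(raw_body: str) -> list[str]:
    """Validate the body against the documented schema; return violations."""
    violations = []
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    for field in sorted(REQUIRED - body.keys()):
        violations.append(f"missing required field '{field}'")
    for field, value in body.items():
        rule = TRANSFER_SCHEMA.get(field)
        if rule is None:
            violations.append(f"unexpected field '{field}'")
            continue
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            violations.append(f"'{field}' has wrong type {type(value).__name__}")
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            violations.append(f"'{field}' does not match {rule['pattern']}")
        if "min" in rule and value < rule["min"]:
            violations.append(f"'{field}' below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            violations.append(f"'{field}' above maximum {rule['max']}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            violations.append(f"'{field}' longer than {rule['max_len']} chars")
    return violations


# Constructed sample request bodies.
SAMPLES = {
    # A normal transfer: both models allow it.
    "legit": '{"from_account": "123456789", "to_account": "987654321", '
             '"amount": 250.0, "memo": "rent"}',
    # Carries a textbook pattern: both models reject it.
    "signature_hit": '{"from_account": "123456789\' UNION SELECT 1--", '
                     '"to_account": "987654321", "amount": 1}',
    # No known-bad pattern at all, just a negative amount and a field the
    # API never defined: only the positive model catches it.
    "logic_abuse": '{"from_account": "123456789", "to_account": "987654321", '
                   '"amount": -5000, "is_admin": true}',
}


def classify(raw_body: str) -> dict[str, bool]:
    """What each model would decide for one request body."""
    return {
        "negative_allows": not negative_model_check(raw_body),
        "positive_allows": not positive_model_check(raw_body),
    }


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body), positive_model_check(body))
```

The third sample is the one that matters: it contains nothing a signature could match, yet it violates the API's own contract (a negative amount and an undefined field), which is exactly the class of malicious call the text says a negative model cannot cover.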
- “An API gateway will manage and protect our APIs.”
API gateways are designed to manage the lifecycle of APIs, like translating protocols and routing API calls to correct destinations. On the security side, API gateways authenticate the entity that makes the API call and ensure the entity has proper authorization to execute a specific call.
With more companies expecting API gateways to offer increased levels of security, some API gateway vendors have started integrating basic API protection capabilities (beyond authentication and authorization enforcement). Unfortunately, there is no API gateway solution to date that safeguards APIs with a positive security model engine, bot protection capabilities, behavioral analysis, and application denial-of-service (DoS) protection. Most API gateways include connections to third-party API protection solutions — a clear indication that API gateway vendors understand their products’ limitations in protecting the very APIs they manage.
- “The APIs we are using are well-documented, enabling effective protection.”
A well-protected API is a well-documented API. To effectively protect an API, you need to intimately know the API structure, parameters, the type and range of values, and expected content of the API body. Combined with a good API protection solution, a well-documented API dramatically improves your security posture. However, in many organizations, there are numerous undocumented and unmanaged APIs that go unaddressed. And even if they are documented, APIs change more frequently than applications. As a result, their documentation and security policies need to be updated regularly.
Effective API protection must include automatic discovery of APIs. A good discovery engine can also automatically generate and apply a tailored security policy to match the discovered APIs. This is the best way to effectively protect an API throughout its lifecycle.
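What a discovery engine does, reduced to its essentials, as an added illustration that is not Radware's or any vendor's engine: the code below walks access-log style records, builds an inventory of endpoints with the parameter types and numeric ranges observed on each, reports endpoints that carry traffic but are missing from the documented spec, and turns the inventory into a tailored allow-list policy that is then applied to new calls. The traffic records, the documented set and every endpoint path are constructed for the example.

```python
"""API discovery and policy generation from observed traffic.

Added illustration, not Radware's or any vendor's discovery engine. All
records, endpoint paths and the documented set are constructed.
"""
import re

# Constructed observations: (method, path, parsed query/body parameters).
OBSERVED_TRAFFIC = [
    ("GET", "/api/v1/users/1042", {}),
    ("GET", "/api/v1/users/2210", {}),
    ("POST", "/api/v1/orders", {"sku": "A-100", "qty": 2}),
    ("POST", "/api/v1/orders", {"sku": "B-7", "qty": 15}),
    ("GET", "/api/v1/orders/55/export", {"format": "csv"}),
    ("GET", "/internal/debug/dump", {"table": "users"}),  # never documented
]

# What the team's spec says the API consists of (constructed).
DOCUMENTED = {("GET", "/api/v1/users/{id}"), ("POST", "/api/v1/orders")}


def path_template(path: str) -> str:
    """Collapse purely numeric path segments into '{id}' so that
    /users/1042 and /users/2210 are counted as one endpoint."""
    return "/".join("{id}" if re.fullmatch(r"\d+", seg) else seg
                    for seg in path.split("/"))


def discover(traffic):
    """Inventory: (method, template) -> call count and, per parameter,
    the type names seen and the numeric min/max seen."""
    inventory = {}
    for method, path, params in traffic:
        entry = inventory.setdefault((method, path_template(path)),
                                     {"calls": 0, "params": {}})
        entry["calls"] += 1
        for name, value in params.items():
            obs = entry["params"].setdefault(
                name, {"types": set(), "min": None, "max": None})
            obs["types"].add(type(value).__name__)
            if isinstance(value, (int, float)) and not isinstance(value, bool):
                obs["min"] = value if obs["min"] is None else min(obs["min"], value)
                obs["max"] = value if obs["max"] is None else max(obs["max"], value)
    return inventory


def undocumented_endpoints(inventory, documented):
    """Shadow APIs: endpoints that carry traffic but are absent from the spec."""
    return sorted(ep for ep in inventory if ep not in documented)


def generate_policy(inventory):
    """Allow-list policy per endpoint: parameter names, the types seen and
    the numeric range seen. A real engine keeps refining these as traffic
    changes; this snapshot is the starting point it would produce."""
    policy = {}
    for endpoint, entry in inventory.items():
        rules = {}
        for name, obs in entry["params"].items():
            rule = {"types": sorted(obs["types"])}
            if obs["min"] is not None:
                rule["min"], rule["max"] = obs["min"], obs["max"]
            rules[name] = rule
        policy[endpoint] = rules
    return policy


def check_call(policy, method, path, params):
    """Apply the generated policy to one new call; return its violations."""
    endpoint = (method, path_template(path))
    if endpoint not in policy:
        return [f"unknown endpoint {method} {endpoint[1]}"]
    rules, violations = policy[endpoint], []
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            violations.append(f"unexpected parameter '{name}'")
        elif type(value).__name__ not in rule["types"]:
            violations.append(f"'{name}' has unseen type {type(value).__name__}")
        elif "min" in rule and not rule["min"] <= value <= rule["max"]:
            violations.append(f"'{name}'={value} outside observed range "
                              f"{rule['min']}..{rule['max']}")
    return violations


if __name__ == "__main__":
    inv = discover(OBSERVED_TRAFFIC)
    print("undocumented:", undocumented_endpoints(inv, DOCUMENTED))
    pol = generate_policy(inv)
    print(check_call(pol, "POST", "/api/v1/orders", {"sku": "C-1", "qty": 500}))
    print(check_call(pol, "DELETE", "/api/v1/orders/9", {}))
```

Two of the six records hit endpoints nobody documented, which is the gap the survey figures above describe; the generated policy then gives each discovered endpoint its own contract rather than one generic rule set for the whole application.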
A Snapshot of Effective API Security
API security requires an in-depth understanding of a multitude of environments and platforms. An effective API security solution will:
- Integrate with existing security and visibility tools.
- Leverage advanced machine-learning algorithms to detect emerging threats and automatically create and optimize API security policies.
- Enable accurate and automated API discovery, protection, and security policy generation without requiring application or security expertise.
- Comprehensively protect all parts of the API across a broad range of threats, including access violations, data leakage, denial of service, automated threats (bots), and embedded attacks.
- Protect against automated, bot-based threats.
- Support positive and negative security models while enabling continuous and automatic security policy optimization and adjustments to correct and eliminate false positive events.
- “We’re covered by a dedicated API protection solution.”
Good API protection that takes into account the above recommendations is a great start. But it isn’t enough to fully protect your application. APIs don’t exist by themselves. They are part of an application deployed on an infrastructure. Hackers who can’t penetrate the API will look for application vulnerabilities unrelated to the API. They might launch a bot attack, or they might simply launch a distributed denial-of-service (DDoS) attack.
The threat landscape for organizations has changed significantly over the past several years. It is simply not possible to identify and mitigate all security risks using traditional methods and tools. Instead, it’s important to take a holistic approach to application protection that covers all bases, including a strong WAF, bot management, threat intelligence, and DDoS protection. If you can manage these solutions from a single pane of glass and synchronize them, your applications and APIs will be effectively protected.
API security may not be making news headlines like ransomware and DDoS attacks yet. However, for most organizations, it has quickly become the most significant vulnerability surface — a threat that will remain as long as proper protection lags behind the growing risks.
# # #
Yaron Azerual, Senior Security Solution Lead at Radware, has more than 25 years of engineering, product management and product marketing experience, which is grounded in a deep understanding of the development of communication and security products and the market challenges they solve.