
APIs are ubiquitous in modern applications and their usage is growing significantly. According to The Salt Security Q3 2022 State of API Security report, API traffic increased by 168% between July 2021 and July 2022 (source: https://salt.security/api-security-trends?& ). Unfortunately, this rapid proliferation of APIs has led to a corresponding increase in risk.

With these statistics in mind, is it enough to employ a traditional security approach to keep APIs secure?

Sadly, legacy API security solutions are no longer an effective way to keep APIs secure, because of the rapid pace of API development. APIs change too quickly for WAFs and API Gateways to keep up, especially when it comes to administering and maintaining them. They are also unable to provide the visibility and context needed to track the dynamic evolution of APIs.

Behind every API is a completely unique application of business logic, which means bad actors are forced to take a very different approach: investigating and poking at each API in order to find gaps they may be able to manipulate. Because of this required reconnaissance, their attacks are low and slow, and legacy API security solutions lack the capability to identify this kind of attack, seeing each request as entirely legitimate. This is simply because they were never designed to perform contextual analysis.
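To make the "low and slow" point concrete, the following is an added illustration (not code from the page or from Salt Security): a stateless per-request check, like a signature rule in a WAF, is run beside a stateful per-client check over the same constructed access log. The log format, the client ids, the `/api/v1/users/{id}/orders` path shape, the signature list and the alert thresholds are all assumptions for the example. Each of the slow enumerating client's requests is well-formed and individually harmless, so only the per-client view, which correlates distinct object ids and denied responses across the whole window, surfaces it.

```python
"""Why per-request inspection misses low-and-slow API probing (constructed example).

A stateless rule looks at one request at a time. A stateful, per-client view
over the whole window is what surfaces slow object enumeration.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access log (hypothetical format: time, client id, method, path, status).
# client-b walks through other users' order lists one id at a time, minutes apart;
# client-c sends a single obviously malformed request.
SAMPLE_LOG = """\
2022-07-01T10:00:00Z client-a GET /api/v1/users/1001/orders 200
2022-07-01T10:05:00Z client-b GET /api/v1/users/2001/orders 200
2022-07-01T10:05:30Z client-b GET /api/v1/users/2002/orders 403
2022-07-01T10:11:00Z client-b GET /api/v1/users/2003/orders 403
2022-07-01T10:17:00Z client-b GET /api/v1/users/2004/orders 403
2022-07-01T10:23:00Z client-b GET /api/v1/users/2005/orders 200
2022-07-01T10:30:00Z client-b GET /api/v1/users/2006/orders 403
2022-07-01T10:31:00Z client-a GET /api/v1/users/1001/orders 200
2022-07-01T10:40:00Z client-c GET /api/v1/users/3001/orders?id=1%27%20OR%201%3D1-- 400
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
USER_RESOURCE_RE = re.compile(r"^/api/v1/users/(\d+)/")
# Assumed signature list standing in for a WAF rule set.
SIGNATURES = [re.compile(r"(?i)'\s*or\s+1\s*=\s*1"), re.compile(r"(?i)<script")]


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, path, status = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "path": path, "status": int(status),
        })
    return events


def per_request_alerts(events):
    """Stateless check: each request judged on its own, as a signature rule would."""
    alerts = []
    for e in events:
        decoded = unquote(e["path"])
        if any(sig.search(decoded) for sig in SIGNATURES):
            alerts.append({"client": e["client"], "reason": "signature", "path": decoded})
    return alerts


def behavioral_alerts(events, min_distinct=5, min_denied_ratio=0.5):
    """Stateful check: per client, across the whole window, count how many distinct
    user ids were touched and how often the API refused access (401/403/404)."""
    stats = defaultdict(lambda: {"ids": set(), "denied": 0, "total": 0, "times": []})
    for e in events:
        m = USER_RESOURCE_RE.match(e["path"])
        if not m:
            continue
        s = stats[e["client"]]
        s["ids"].add(m.group(1))
        s["total"] += 1
        s["times"].append(e["ts"])
        if e["status"] in (401, 403, 404):
            s["denied"] += 1
    alerts = []
    for client, s in stats.items():
        denied_ratio = s["denied"] / s["total"]
        # Request rate over the client's active span; reported to show how far
        # below any per-minute rate limit the enumeration stays.
        span_min = max((max(s["times"]) - min(s["times"])).total_seconds() / 60, 1.0)
        if len(s["ids"]) >= min_distinct and denied_ratio >= min_denied_ratio:
            alerts.append({
                "client": client, "reason": "object-enumeration",
                "distinct_ids": len(s["ids"]), "denied_ratio": round(denied_ratio, 2),
                "requests_per_minute": round(s["total"] / span_min, 2),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-request:", per_request_alerts(evs))
    print("behavioral:", behavioral_alerts(evs))
```

On this input the signature check flags only client-c's malformed request, while client-b, who touches six different users' resources at well under one request per minute and is refused two thirds of the time, is visible only to the per-client check. The thresholds are deliberately simple; in practice they would be tuned per endpoint from observed baseline behaviour.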

The industry has seen an uptake in the Shift-left movement, and while it is a necessary and somewhat effective strategy, it simply isn’t enough when it comes to securing APIs. Shift-left identifies security gaps, but only early in the development stage. It is not until later, in production, that the risks become real. Ideally, you would be in a position where real-world users of your APIs (and likely some bad actors) are safely putting them to the test and you are receiving real-time feedback. This is where runtime monitoring and protection capabilities for APIs come into their own.

How do you close security gaps in your API landscape?

Salt Security is a one-of-a-kind API security platform that dynamically discovers your APIs, stops API attacks, and eliminates vulnerabilities in development by scanning and testing APIs in the build phase. In addition, the platform provides remediation insights that have been learned during runtime which ensures your security and development teams’ focus is correct and further provides value through a deeper understanding of how the APIs are utilised and how their vulnerabilities may be secured.

Salt Security provides businesses with a complete view of their API attack surface: it continuously discovers internal, external and third-party APIs, which helps you assess your risks. With 33% fewer undocumented APIs, 20x faster time to resolution, and 3x faster API remediation, the value provided by the platform is undeniable. Most importantly, it dynamically identifies changes in APIs and discovers new ones, continuously maintaining an up-to-date view of your entire API landscape.

For more information on Salt Security, please contact us.
