When it comes to securing your APIs, there’s a common misconception that by utilising Web Application Firewalls (WAFs) and API gateways you’re adequately secured.
Today, upwards of 80% of internet traffic is API-related (reference https://www.akamai.com/site/en/documents/state-of-the-internet/soti-security-api-the-attack-surface-that-connects-us-all.pdf), and almost all application-to-application integrations, end-user mobile interactions, and web interactions are API-driven. Developers use APIs to integrate applications and share data, including personally identifiable information, to create engaging user experiences. APIs deliver power, flexibility, and efficiency, driving all of the apps and associated experiences we enjoy on our mobiles and the web today. Because APIs touch everything, the risks and security challenges, such as unknown attack surfaces, new exploit opportunities, and breaches and disruptions from automated attacks, are increasing by the second.
With APIs exposing so much valuable information, API security should without a doubt be right at the top of organisations’ cyber security agendas. Yet many businesses rely on their WAFs and API Gateways without realising that these do not provide the type of protection APIs need. Why are they not enough to secure APIs?
- WAFs – these are signature-based and designed to look for known attack types and common vulnerabilities, but they struggle to find and block requests that match no signature and therefore appear legitimate. It is worth highlighting that the biggest data breaches today have all involved traffic that appeared legitimate (reference https://techcrunch.com/2021/05/05/peloton-bug-account-data-leak/ and https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/). WAFs also lack the ability to address visibility, inventory tracking, risk assessment, and other threat prevention requirements that are important for protecting APIs.
- API Gateways – these provide a number of core security functions; however, those functions are basic and leave many avenues open for potential attacks. They are reactive and static, in that you have to register every managed API, and they provide little visibility into your APIs. Gateways focus on protecting the front door of APIs rather than what goes on behind it.
Both WAFs and API Gateways provide a necessary level of protection, but they don’t cover the complete spectrum of API security required to stop today’s attackers in their tracks. Accurately identifying attacks requires rich context, which neither WAFs nor API Gateways have been designed to provide.
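To illustrate the gap described above, here is an added example (not code from the original post or from Salt Security) that runs a small, assumed signature list and a per-session context check over constructed sample API requests: the signature check catches the one request carrying a known injection pattern but passes a session that quietly reads other users’ profiles, while the context-aware check flags that session.

```python
import re
from collections import defaultdict

# Constructed sample traffic (not real logs): (authenticated user, method, path).
# Session u100 reads three profiles it does not own; every request looks well-formed.
SAMPLE_REQUESTS = [
    ("u100", "GET", "/api/users/100/profile"),
    ("u100", "GET", "/api/users/101/profile"),
    ("u100", "GET", "/api/users/102/profile"),
    ("u100", "GET", "/api/users/103/profile"),
    ("u200", "GET", "/api/users/200/profile"),
    ("u200", "GET", "/api/users/200/profile?id=1' OR '1'='1"),
]

# Assumed, deliberately tiny rule set standing in for WAF signatures (not a real product's rules).
SIGNATURES = [re.compile(p, re.IGNORECASE)
              for p in (r"'\s*or\s*'1'\s*=\s*'1", r"<script", r"\.\./")]

PROFILE_RE = re.compile(r"^/api/users/(\d+)/profile")


def signature_match(path):
    """Signature-based check: true only when the request carries a known attack pattern."""
    return any(sig.search(path) for sig in SIGNATURES)


def owner_of(path):
    """Return the user id that owns the profile resource in the path, or None."""
    m = PROFILE_RE.match(path)
    return "u" + m.group(1) if m else None


def context_check(requests, max_foreign=2):
    """Context-aware check: flag sessions that read profiles they do not own,
    once the count reaches max_foreign. Needs per-user state a stateless rule lacks."""
    foreign = defaultdict(int)
    for user, _method, path in requests:
        owner = owner_of(path)
        if owner is not None and owner != user:
            foreign[user] += 1
    return {user for user, n in foreign.items() if n >= max_foreign}


def classify(requests):
    """Run both checks; returns (paths hit by signatures, sessions flagged by context)."""
    sig_hits = [path for _, _, path in requests if signature_match(path)]
    return sig_hits, context_check(requests)
```

Swapping the sample list for your own gateway access logs shows the same split: the injection line trips a signature, while the enumeration session is only visible with per-user context.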
Threat actors are increasingly aware of the prevalence of APIs and of the opportunity to exploit flaws within them to breach valuable data and proceed with further malicious activity.
With the rise in API attacks, and with WAFs and API Gateways no longer effective enough on their own, it is clear why effective API security is so important to an organisation’s cybersecurity strategy.
Salt Security’s API protection platform covers your entire landscape of API traffic and makes use of a patented contextual engine built with artificial intelligence (AI), machine learning (ML), and big data to discover all APIs and to detect and expose attacks. The platform scans and tests during the build phase and learns from runtime behaviour in order to stop attacks and eliminate API vulnerabilities. Its rich context comes from continuous API traffic analysis, which yields more insightful data for protecting a business from API attacks.
Salt Security is not a replacement for your existing API security investments but will complement them to increase the effectiveness of your API security and detect today’s threats.
To find out more about why WAFs and API Gateways are no longer enough to secure your APIs, feel free to get in touch with us and we’ll happily share our knowledge on the subject.

