Businesses now rely heavily on application programming interfaces (APIs) to deliver seamless service experiences to their customers. These are a non-negotiable aspect of the way we streamline the interactions and conversations we have with our customers, both internal and external. APIs are now so ubiquitous, in fact, that they’re used by nearly half of the web applications in the world.
As we move more of our business into the cloud and switch to DevOps, we’re also ramping up our usage of containerisation and microservices – all of which rely heavily on APIs. While these are necessary steps to remain relevant and competitive in digital marketplaces, the sheer number of interactions and touchpoints involved in API integration is leaving our applications and data more exposed than ever.
Unfortunately, APIs frequently self-document their implementation and internal structure, which can then be used against them by cybercriminals. Additionally, we see a number of other vulnerabilities such as:
- lack of encryption
- weak authentication
- business logic flaws
- insecure endpoints
All of these combine to make APIs an attractive prospect for would-be attackers, and IT security teams are all coping with different potential threats and challenges. According to our 2018 survey of 250 IT professionals on API security, their main concerns in this area are:
- 39.2% – Bots and DDoS attacks
- 24.4% – Authentication enforcement
- 14.8% – Inspection of API content to detect attacks
- 13.6% – Need to profile attacks
So what are the best practices we should be implementing to address these concerns and stay protected against increasingly sophisticated threats? At a bare minimum, your security solution should be addressing:
Authentication – This is about accurately determining the identity of an end user, which is becoming more difficult when we consider the advanced methods attackers have at their disposal to mask their real identity.
Authorisation – Once we know who a user is, we need to know whether they are authorised to access certain resources. Unless they are a designated admin, for example, they should only be able to access read-only resources.
Validation – You need the ability to validate API calls against schemas and expected structures, while scanning payloads. This is vital to prevent common attacks such as code injections and parser attacks.
A web application firewall (WAF) is the most crucial part of your security toolkit, as it can achieve the above results by applying and enforcing a set of rules for conversations between applications. WAFs are frequently used to secure API platforms, as they are very effective at preventing exploitation and mitigating application-layer DDoS attacks.
Some vendors such as Imperva also offer specialised API Security. Using the OpenAPI specification file created by your DevOps team, Imperva API Security automatically generates a positive security model that ensures only traffic matching that specification can reach your APIs. This includes our recent announcement of a seamless integration between our API Security solution and Red Hat 3scale’s API Management platform.
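As an added illustration of the schema validation and positive security model described above (example code written for this post, not Imperva's product code), a trimmed-down, constructed OpenAPI-like description of one endpoint and a checker that rejects any call whose path, method, query parameter or body field the description does not list. `SPEC`, `_fits` and `check_request` are names assumed for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed OpenAPI-like subset: allowed paths, methods, query params and
# body fields. Anything not described here is rejected (positive model).
SPEC = {
    "/v1/orders": {
        "get": {"params": {"limit": "integer"}, "body": None},
        "post": {"params": {}, "body": {"required": ["sku", "qty"],
                                        "fields": {"sku": "string", "qty": "integer"}}},
    },
}

def _fits(value, typ):
    # Integers may arrive as JSON ints or as query-string text such as "25".
    if typ == "integer":
        return (isinstance(value, int) and not isinstance(value, bool)) or \
               (isinstance(value, str) and value.lstrip("-").isdigit())
    return isinstance(value, str)

def check_request(method, url, body=None, spec=SPEC):
    """Return the list of spec violations; an empty list means the call is allowed."""
    parts = urlsplit(url)
    op = spec.get(parts.path, {}).get(method.lower())
    if op is None:
        return [f"{method} {parts.path} is not defined in the spec"]
    violations = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        typ = op["params"].get(name)
        if typ is None:
            violations.append(f"unexpected query parameter '{name}'")
        elif not all(_fits(v, typ) for v in values):
            violations.append(f"query parameter '{name}' must be {typ}")
    schema = op["body"]
    if schema is None:
        return violations + (["request body not allowed"] if body else [])
    body = body or {}
    violations += [f"missing required field '{r}'" for r in schema["required"] if r not in body]
    for name, value in body.items():
        typ = schema["fields"].get(name)
        if typ is None:
            violations.append(f"unexpected body field '{name}'")  # blocks smuggled fields
        elif not _fits(value, typ):
            violations.append(f"field '{name}' must be {typ}")
    return violations

if __name__ == "__main__":
    print(check_request("POST", "/v1/orders", {"sku": "A-1", "qty": 2}))  # []
    print(check_request("POST", "/v1/orders", {"sku": "A-1", "qty": "2;DROP", "admin": True}))
```

A real deployment would parse the full OpenAPI document (nested schemas, path parameters, content types) rather than this hand-written subset, but the enforcement decision is the same: everything not explicitly described is denied.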
Ultimately, securing APIs requires IT security teams to apply the same application security best practices they always have, while also using advanced solutions like Imperva’s API Security to handle an ambiguous API environment and its dynamic accompanying threats.
To learn more about how Imperva protects against API abuse, please register and join our upcoming webinar on Sept. 18th at 10 am PT hosted by our experts Ziv Grinberg and Michael Wright. They will demonstrate the simplicity of uploading a Swagger file, showcase how the API Security solution automatically enforces a positive security model based on the OpenAPI Specification file, and in turn empowers your DevOps teams to publish and secure their APIs.