Integrating Advanced API Security with Imperva Gateway Environment

As APIs power the majority of modern web applications, implementing robust API security is no longer optional – it’s a critical necessity for data protection. This guide explores how to seamlessly integrate API gateway security into your Imperva on-premises environment to mitigate OWASP Top 10 threats, ensuring both web application and business logic threats are effectively managed.

The Need for API Security Integration

APIs not only enable communication between systems but also expose vulnerabilities that can be exploited by attackers. A strong API security solution safeguards your applications against threats ranging from SQL injections and cross-site scripting to more nuanced business logic attacks. With Imperva’s security capabilities integrated into your gateway, you benefit from:

• Comprehensive API Protection: Defend against the OWASP API Top 10 risks, including BOLA and Broken Authentication, by stopping malicious traffic at the gateway.
• Operational Simplicity: Leverages the powerful capabilities of the Imperva gateway without adding unnecessary complexity.
• Flexibility and Scalability: Supports on-premises, cloud-native, and Kubernetes environments, adapting to your organization’s evolving needs.

Key Technical Aspects of the Integration

Dynamic Profiling and Application Insight

Imperva’s patented Dynamic Profiling technology is at the core of this integration. It automatically learns the structure and usage of your web applications by monitoring every URL, parameter, cookie, and HTTP method. This continuous learning process helps to:

• Automatically Adjust Security Profiles: Minimal manual tuning is required as the system adapts to your application’s normal behavior.
• Detect Anomalies: By comparing real-time data against expected usage models, the solution quickly identifies suspicious activities that could indicate an attack.

Protocol Validation and Attack Signatures

The integration offers a dual-layer defense strategy:

• Protocol Validation: Every API request is checked to ensure compliance with HTTP protocol standards, filtering out malformed or malicious requests.
• Attack Signatures: With a comprehensive database of over 6,500 attack signatures that are regularly updated by expert teams, the WAF GW swiftly identifies and blocks known threats.

Diagram: Imperva Security Layer Architecture – This diagram illustrates the layered approach of Imperva’s security, showing how protocol validation, signature matching, and dynamic profiling work together to secure API traffic.

Application Profiling and the Correlation Engine

Understanding your application’s normal behavior is key to spotting potential threats. By profiling real-time usage and employing a sophisticated correlation engine, the solution:

• Detects Business Logic Attacks: Identifies vulnerabilities such as Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA).
• Enhances Threat Verification: Integrates data analysis with vertical integration to validate and remediate suspicious activities effectively.

Seamless Integration with Leading API Management Tools

Imperva’s API-Anywhere solution provides a gateway-agnostic approach, integrating leading tools like Kong API Gateway via a dedicated plugin. This gateway-agnostic approach ensures:

• Selective Traffic Handling: Only validated, non-malicious traffic is forwarded to the API controller, maintaining optimal performance.
• Automated API Discovery: The system continuously identifies, classifies, and monitors API endpoints, including deprecated and unauthenticated ones, reducing manual effort and accelerating the development cycle.

Deployment and Installation: A Step-by-Step Guide

Flexibility in deployment is a key benefit of the Imperva API security solution. Whether your infrastructure is based on cloud-native technologies like Kubernetes or traditional hypervisors like VMware, integration is straightforward.

1. Generate the Installation Package:
   Use the provided HELM chart to generate configuration files and prepare the console.
   • Impv-a-console-x.x.x.tgz (This Package includes the Helm Chart of the Console)
   • Values.yaml (This file contains the configuration)
2. Deploy the Console:
   Install the console in your environment. This can be managed either via the Imperva Cloud Console or a local self-managed option.helm install impv-apisec-console -f values.yaml -n impv-anywhere –create-namespace




3. Enable the API-Security Policy on Your Gateways:
   With the console active, enable the API security policy on your gateways. The gateway begins populating data to the Imperva Unified Management Console (UMC) either in the cloud or on premises, based on your configuration.
   
   

4. Ongoing API Discovery and Verification:
   Continuous API discovery and Swagger file verification ensure that all endpoints are monitored, classified, and secured, significantly reducing the risk of overlooked vulnerabilities.

Benefits and Added Value

Integrating API security with the Imperva gateway delivers tangible benefits:

• Streamlined Security Operations: Automated profiling and centralized management reduce the operational burden on your security teams.
• Enhanced Developer Productivity: Automated API discovery and inventory management expedite the development cycle.
• Robust Protection Across Environments: Whether your APIs are public-facing or internal, legacy or cloud-native, the solution offers comprehensive security without compromising performance.
• Actionable Insights and Compliance: Gain granular visibility into traffic to support GDPR, PCI DSS, and HIPAA data governance and protect sensitive PII.

Conclusion

A robust API security strategy must be flexible, comprehensive, and easy to deploy. Imperva’s API-Anywhere solution integrated with your gateway environment meets these requirements by offering:

• A Gateway Agnostic Security Solution: Seamlessly integrates with multiple API management tools.
• Automated API Inventory and Protection: Continuously monitors and updates API endpoints, uncovering any shadow or deprecated APIs.
• Dual-Level Threat Mitigation: Protects against both application-level and business logic attacks through dynamic profiling, protocol validation, and advanced correlation engines.

By integrating this solution, organizations can protect critical assets, streamline operations, and maintain high levels of security and compliance, all while enabling a faster, more agile development process.