Making API security smarter
The adoption of APIs in the enterprise is showing no signs of slowing down. And each API represents a new attack vector to corporate data, applications and critical business systems. Foundational security features designed to protect APIs from common attacks are commonly offered by API gateways and IAM solutions providers. But hackers are getting smarter, using social engineering and brute force methods to bypass these defenses to gain access to critical systems and data.
A robust API security practice requires a strong set of security capabilities, as well as the ability to detect anomalies once a user passes the first lines of defense. This way, you can act immediately when malicious behavior is detected. PingIntelligence for APIs is making API security smarter.
Filling common gaps in API security
API management tools provide an important set of security features to protect your APIs. These often include authentication and rate limiting, which ensure resources are securely accessible by internal groups, partners, customers and third-party developers. But these practices are often deficient in stopping attacks that are built specifically to breach APIs and the data and systems to which they provide access. Because APIs have created a new, attractive path for hackers to reach sensitive data, multiple methods have been invented to circumvent traditional security practices and gain access. PingIntelligence helps stop the most common API attacks not covered by foundational API security tools.
Gap #1: Login attacks
Login services are a common API attack surface. API management systems reject invalid login attempts, but they lack adequate mechanisms to stop clients from continuously trying new credential combinations. Many hackers keep their request rates below the rate limits and periodically change IP addresses, which makes them very difficult to block, so successful attempts often go undetected.
Hackers can also steal API keys or tokens used for client authentication through man-in-the-middle attacks, tricking users into connecting to a compromised system which then captures the user’s token or key. The hacker then presents the stolen credential to gain access to API services. Since proper credentials are presented by the client, an API management system can’t detect this attack.
Gap #2: API DDoS attacks
DDoS attacks were originally designed to overrun an organization’s defenses with sheer volume. API DDoS attacks, by contrast, are often executed by many clients that each send traffic to overload a single API service. Since each client sends a normal volume of traffic, these attacks are difficult to detect without analyzing the aggregate traffic rate on each unique API service. Sophisticated hackers can even probe for rate-limiting controls and adapt their traffic rates to stay beneath the throttling limits. API management systems use rate limiting to control individual client activity, but they typically can’t see the aggregate traffic rate across multiple clients, so they can’t stop these distributed attacks.
Gap #3: Application and data attacks
Application and data vulnerabilities depend on the exposed API functionality. For example, an API with exclusively read-only functionality exposed wouldn’t likely be susceptible to an injection attack. However, APIs commonly expose a range of functionality, so attacks can include:
Data extraction or theft: Instead of looking up a single account, a hacker could program an attack to gather information from many accounts.
Data deletion or manipulation: A disgruntled employee could delete information to sabotage systems, or a hacker could change data to compromise information.
Data injected into an application service: A hacker could load large data files to overrun system memory or inject excessive data to overload an API service.
Malicious code injection: A hacker may inject malicious code, such as a key logger, which could compromise other users accessing the service.
Extreme application activity: A hacker can generate calls that require unusually high system resources and affect server response time.
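As an added example (not code from this page, from PingIntelligence, or from any gateway product), the following Python runs three detection passes over a constructed API access log that a per-client rate limiter would let through untouched: failed logins against one account aggregated across rotating source IPs (gap #1), aggregate request rate per endpoint across all clients (gap #2), and a single client reading many distinct account records (the data extraction case under gap #3). The log layout, client keys, endpoints, IP addresses and thresholds are all constructed assumptions for the example.

```python
"""Detection passes over API gateway access logs.

Added illustration for gaps #1-#3; this is not PingIntelligence code and the
log layout, field names and thresholds are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample access log: timestamp, source IP, client key, method,
# path, HTTP status, and an extra field (target account for /login, else "-").
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.11 k1 POST /login 401 acct=alice
2024-05-01T10:00:09Z 203.0.113.12 k2 POST /login 401 acct=alice
2024-05-01T10:00:17Z 203.0.113.13 k3 POST /login 401 acct=alice
2024-05-01T10:00:25Z 203.0.113.14 k4 POST /login 401 acct=alice
2024-05-01T10:00:33Z 203.0.113.15 k5 POST /login 401 acct=alice
2024-05-01T10:00:41Z 203.0.113.16 k6 POST /login 401 acct=alice
2024-05-01T10:00:50Z 198.51.100.7 k7 POST /login 200 acct=bob
2024-05-01T10:01:02Z 198.51.100.21 k20 GET /search 200 -
2024-05-01T10:01:04Z 198.51.100.22 k21 GET /search 200 -
2024-05-01T10:01:06Z 198.51.100.23 k22 GET /search 200 -
2024-05-01T10:01:08Z 198.51.100.24 k23 GET /search 200 -
2024-05-01T10:01:12Z 198.51.100.21 k20 GET /search 200 -
2024-05-01T10:01:14Z 198.51.100.22 k21 GET /search 200 -
2024-05-01T10:01:16Z 198.51.100.23 k22 GET /search 200 -
2024-05-01T10:01:18Z 198.51.100.24 k23 GET /search 200 -
2024-05-01T10:01:22Z 198.51.100.21 k20 GET /search 200 -
2024-05-01T10:01:24Z 198.51.100.22 k21 GET /search 200 -
2024-05-01T10:01:26Z 198.51.100.23 k22 GET /search 200 -
2024-05-01T10:01:28Z 198.51.100.24 k23 GET /search 200 -
2024-05-01T10:02:01Z 198.51.100.40 k9 GET /accounts/1001 200 -
2024-05-01T10:02:03Z 198.51.100.40 k9 GET /accounts/1002 200 -
2024-05-01T10:02:05Z 198.51.100.40 k9 GET /accounts/1003 200 -
2024-05-01T10:02:07Z 198.51.100.40 k9 GET /accounts/1004 200 -
2024-05-01T10:02:09Z 198.51.100.40 k9 GET /accounts/1005 200 -
2024-05-01T10:02:11Z 198.51.100.40 k9 GET /accounts/1006 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<extra>\S+)$"
)


def normalize_path(path):
    """Collapse numeric path segments so /accounts/1001 and /accounts/1002
    count against the same endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def parse_log(text):
    """Parse the constructed log into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["window"] = ev["ts"][:16]  # tumbling 1-minute window, e.g. 2024-05-01T10:00
        ev["endpoint"] = normalize_path(ev["path"])
        ev["acct"] = ev["extra"][5:] if ev["extra"].startswith("acct=") else None
        events.append(ev)
    return events


def per_client_over_limit(events, limit=8):
    """What a gateway rate limiter sees: requests per (client, window)."""
    counts = Counter((e["client"], e["window"]) for e in events)
    return {k: n for k, n in counts.items() if n > limit}


def distributed_login_failures(events, min_failures=4, min_ips=3):
    """Gap #1: key failed logins on the *target account*, not the source,
    so attempts spread across rotating IPs still add up."""
    fails = defaultdict(list)
    for e in events:
        if e["endpoint"] == "/login" and e["status"] == 401 and e["acct"]:
            fails[e["acct"]].append(e["ip"])
    return {a: (len(ips), len(set(ips))) for a, ips in fails.items()
            if len(ips) >= min_failures and len(set(ips)) >= min_ips}


def endpoint_aggregate_over_limit(events, limit=10):
    """Gap #2: requests per (endpoint, window) summed over all clients."""
    counts = Counter((e["endpoint"], e["window"]) for e in events)
    return {k: n for k, n in counts.items() if n > limit}


def account_enumeration(events, min_distinct=5):
    """Gap #3: one client reading many distinct account records."""
    seen = defaultdict(set)
    for e in events:
        if e["endpoint"] == "/accounts/{id}" and e["method"] == "GET":
            seen[e["client"]].add(e["path"])
    return {c: len(p) for c, p in seen.items() if len(p) >= min_distinct}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-client limit exceeded:", per_client_over_limit(ev))
    print("distributed login failures:", distributed_login_failures(ev))
    print("endpoint aggregate exceeded:", endpoint_aggregate_over_limit(ev))
    print("account enumeration:", account_enumeration(ev))
```

On the sample log the per-client check returns nothing, because no client sends more than six requests in a minute, while each of the other three passes produces a finding. The design point is that every detector keys on a dimension the per-client limiter never sees: the target account, the endpoint as a whole, and the number of distinct resources touched.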
Gap #4: Deep API traffic insight
Managing API access requires comprehensive information on all API activity for compliance reporting, forensic investigations, usage trend analysis and debugging of complex applications. All API interactions should be available, including every method or command used on any API at any time. This reporting is required to support in-depth investigations into historical activity linked with an attack, or to demonstrate compliance and deliver metrics on API usage. Reporting APIs should also be available to deliver information to common enterprise dashboards and reporting applications.