Automated API Protection with WAP

For those who use Web Application Protector from Akamai: “Your APIs just got an extra layer of protection”.

For everyone else, learn how easy a WAF can be.

You protect your web applications, that’s awesome, but what about all your APIs? Do you know how many you have, who accesses them and what information they expose?

Application Programming Interfaces (APIs) are a great tool for developers to build new applications faster. They’re great for business innovation because they implement new business models faster, enabling an unlimited number of software programs to talk to each other quickly and to exchange data at mind-blowing speed and volume. They are also a great way for the exponentially growing number of mobile applications to get information in front of consumers.

But let’s also take a look at the other side of the coin. APIs are a growing target for hackers, who use those overlooked and wide-open doors to reach your business’s “crown jewels”. That’s because APIs provide direct access and transparency into your business infrastructure, which can create huge security risks if proper protection is not in place. And attackers use the same benefit of machine-to-machine communication to give their attacks speed and scale.

It’s a common misconception that only your authorized apps, partners and developers will use your APIs. A growing number of attackers may already have discovered your APIs and use them to exploit weaknesses in your backend infrastructure. Think of having two doors into your infrastructure. Attackers have opened the first door by targeting servers and databases with website attacks. Now, they’re pivoting to the second door — APIs — to launch the same type of attacks, just faster and at larger scale.

We are analyzing traffic data on the Akamai Intelligent Edge platform and see a significant shift towards API traffic. Last year more than 80% of traffic was XML and JSON API traffic. We discuss the overall data in more detail in our most recent SOTI report.


Akamai WAFs provide our research teams with large amounts of threat data revealing how customers build their APIs and the types of traffic they’re seeing. This unmatched knowledge allows our engineers to design protections with high accuracy right off the bat. Our customers have been successfully protecting their APIs using Kona Site Defender, our flagship WAF. Kona Site Defender provides a positive security model for highly customized API protection as well as fully automated protection to quickly scale protection across many web properties. Automation removes operational complexity for our customers that do not have the time or expertise to manage and fine tune their WAF on a daily basis.

Now we’re introducing automated API protection to Web Application Protector as well.

Web Application Protector is best known for providing highly automated protection of web applications across all industries. Until now, its API protection capabilities were mainly based on rate control, geo blocking, and IP blacklists. Now, we’ve moved automated protection a huge step further by adding intelligence to our rules, automated attack groups, to automatically detect and inspect the API request body in JSON and XML format. As you would expect, this is switched on by default, and there is nothing for you to do to get the additional protection immediately.

Web Application Protector now provides several layers of API protection:

  • Network layer protection through geo blocking and IP blacklists
  • DDoS protection through rate controls and automated attack groups
  • JSON and XML exploit protection through new and highly accurate WAF rule inspections

These rules are automatically updated (like with Kona Site Defender). There are no extra operational requirements. Akamai does the work for you.

Interested in trying it out? Sign up here for a free trial.


For security teams who are looking for additional layers of protection, check out these solutions:

  • API Gateway, which takes care of the business management and governance of your API traffic.
  • Kona Site Defender, which provides the same automated rule set plus a positive security model.
  • Kona Site Defender can be further enhanced with Client Reputation to provide a reputation score for suspicious client IP behavior.
  • Bot Manager Premier, which enables security teams to manage exponentially growing good and bad bot traffic.

More information can be found in our whitepaper “Top API Security Strategies”.

With Akamai Edge Security, you stay in full control of your security implementation. Also, our automated rules make your day-to-day jobs easier than ever. Gone are those long hours.

Stay safe and enjoy your time off!

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Volker Tegtmeyer. Read the original post at: