APIs have dramatically altered the application attack surface, so many organizations and security teams are now focused on API security. As part of our continuing mission here at Salt to educate the broader industry, our technical evangelist, Michael Isbitski, put pen to paper (well, OK, fingers to keyboard) to provide a comprehensive overview of the challenges and best practices in API security.
In this “API Security for Dummies” eBook, Michael takes care to bring everyone – from novices to very technical app sec professionals – along on the journey of understanding APIs themselves, how API attacks differ from traditional application attacks, why APIs make such attractive targets, and how organizations can better protect themselves from the sophisticated bad actors focused on hacking or abusing APIs. To craft this educational tome, Michael draws on his five years of helping thousands of Gartner clients implement application security as well as his decades of hands-on experience running application security teams.
With Gartner having recently updated its security reference architecture to create a separate pillar for API security – distinct from WAFs, Web Application and API Protection, and API gateways – the industry is increasing its understanding that APIs spawn unique attacks and need unique protections. Companies are using more APIs than ever, those APIs are more functional than ever, and teams are updating them more frequently than ever – so the attack surface is much bigger and always changing. The old tools simply cannot protect you, because they can’t detect the probing and reconnaissance activities of bad actors who have to learn your APIs so they can understand how to attack them.
It’s important to understand this limitation isn’t temporary. WAFs and API gateways are architecturally constrained – they inspect transactions one at a time and apply pre-set rules and signatures to decide whether to allow or block each one in isolation. A single enumeration request or credential-stuffing login looks perfectly well-formed on its own; the attack is only visible in the pattern across many requests. Tools that never gather and correlate activity across all APIs and users, over time, cannot detect that pattern.
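To make the per-transaction limitation concrete, here is a small added example (not code from the eBook or from Salt) that runs two checks over a constructed API access log: a stateless, WAF-style signature rule that inspects one request at a time, and a stateful correlator that tracks how many distinct object IDs each caller touches on a given route within a time window. The log format, the `tok_*` caller tokens, the `/api/v1/users/{id}` route, and the thresholds are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, caller token, method, path, status).
# tok_alice reads her own profile; tok_probe walks sequential user IDs,
# the kind of object-level enumeration each request hides individually.
SAMPLE_LOG = [
    ("2023-01-01T10:00:00", "tok_alice", "GET", "/api/v1/users/4412", 200),
    ("2023-01-01T10:00:05", "tok_alice", "GET", "/api/v1/users/4412/orders", 200),
] + [
    (f"2023-01-01T10:01:{i:02d}", "tok_probe", "GET",
     f"/api/v1/users/{1000 + i}", 200 if i % 3 else 403)
    for i in range(12)
]

# Typical payload signatures a per-request rule set would carry (assumed, illustrative).
PAYLOAD_SIGNATURES = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)<script"),
    re.compile(r"\.\./"),
]

# Matches a purely numeric path segment such as /4412 (followed by / or end of path).
ID_SEGMENT = re.compile(r"/\d+(?=/|$)")


def per_request_rule(entry):
    """Stateless check: does this single request carry a known-bad payload?

    Every request in SAMPLE_LOG is syntactically clean, so this returns False
    for all of them. That is exactly the blind spot described above.
    """
    _ts, _caller, _method, path, _status = entry
    return any(sig.search(path) for sig in PAYLOAD_SIGNATURES)


def route_template(path):
    """Collapse numeric IDs so /users/1001 and /users/1002 share one key."""
    return ID_SEGMENT.sub("/{id}", path)


def correlate(log, window=timedelta(seconds=60), distinct_ids=8):
    """Stateful check: per (caller, route template), count distinct object IDs
    touched inside a sliding window. Returns {(caller, template): count} for
    every pair that crossed the threshold.
    """
    seen = defaultdict(list)   # (caller, template) -> [(time, object_id), ...]
    alerts = {}
    for ts, caller, _method, path, _status in log:
        template = route_template(path)
        if template == path:
            continue  # no object ID in the path; nothing to enumerate
        t = datetime.fromisoformat(ts)
        object_id = ID_SEGMENT.findall(path)[-1]
        key = (caller, template)
        bucket = [(bt, bid) for bt, bid in seen[key] if t - bt <= window]
        bucket.append((t, object_id))
        seen[key] = bucket
        uniq = {bid for _, bid in bucket}
        if len(uniq) >= distinct_ids and key not in alerts:
            alerts[key] = len(uniq)
    return alerts


if __name__ == "__main__":
    print("stateless hits:", sum(per_request_rule(e) for e in SAMPLE_LOG))
    print("correlated alerts:", correlate(SAMPLE_LOG))
```

Run as-is, the signature rule fires on nothing, while the correlator flags `tok_probe` on `/api/v1/users/{id}` once it has touched eight distinct IDs within the window; `tok_alice`, who only ever touches her own ID, is never flagged. In production the same idea extends to other per-caller aggregates (failed-auth ratio, request rate per route, response-size variance for scraping), but the essential ingredient is state kept across requests, which a rule evaluated per transaction cannot provide.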
Michael’s guide provides the critical insights you need to educate yourself and your organization as to how and why the world has changed, and why additional protections are needed. Everyone – dummy and smarty alike – will benefit from the explanations he provides on:
- what APIs are – including common types, protocols, and their role in modern app design
- laying the foundation for securing APIs – including documentation, schema definitions and validation, API testing and mediation, the use of proxies, and API management
- understanding API attacks – including tapping front-end applications; the connection to digital supply chains; the OWASP API Security Top 10; and a profile of the most common attacks such as credential stuffing, brute force, account takeover, and scraping
- API security best practices – including the critical role that architecture plays; what to look for in an API security platform; and the need for automatic discovery, data classification, runtime protection, pre-prod scanning and testing, and remediation to protect APIs across their full lifecycle
Michael’s “API Security for Dummies” book wraps with 10 steps you can follow to improve your API security – the kind of practical advice you can put to use today.
The whole point of using APIs is to share valuable data and interconnect services – it’s what they’re built to do. So it’s no surprise that APIs are now the top application attack vector. If your organization is applying yesterday’s protections and hoping they’ll protect against today’s attacks, they’re just waiting to be the next headline. Use this Dummies guide to bring intelligence to your API security strategy.
This is a Security Bloggers Network syndicated blog from the Salt Security blog, authored by Michelle McLean. Read the original post at: https://salt.security/blog/api-security-for-dummies-and-smart-people-too