Security Boulevard (Original)

Google Launches Advanced API Security to Combat API Threats

Google launched a preview version of a service, called Advanced API Security, aimed at helping organizations combat growing threats targeting application programming interfaces (APIs). 

The goal of the service, built on the API management platform Apigee that Google acquired in 2016, is to make it easier to identify API proxies that do not conform to security standards.

Advanced API Security has two central features: identifying API misconfigurations and detecting bots.

Identifying Misconfigurations and Bots

To identify API misconfigurations, the platform regularly scans APIs and offers remediation actions organizations can take if misconfiguration issues are found. 

This can help reduce the risk to sensitive information, such as the patient info exposed through a health care provider’s APIs for medical coverage information.

“Because of the often-sensitive personal health care data being transmitted, it is important that the required authentication and authorization policies are implemented so that only authorized users, such as an insurance company, can access the API,” Vikas Ananda, head of product at Google Cloud, wrote in a blog post about the announcement.

API security teams also can use Advanced API Security’s pre-configured rules to identify malicious bots within API traffic.

“Each rule represents a different type of unusual traffic from a single IP address,” Ananda wrote. “If an API traffic pattern meets any of the rules, Advanced API Security reports it as a bot.”

This service is targeted at financial services institutions, which rely heavily on Google Cloud—four out of the top five U.S. banks ranked by the Federal Reserve are already using Apigee, Google noted in the blog post. 

The service is also designed to speed up the identification of data breaches by flagging detected bots whose requests received the HTTP 200 OK success status code.
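The two mechanisms described above, per-IP traffic rules that label a source as a bot, and a follow-up check for which flagged sources actually received 200 OK responses, can be sketched as a small triage script. This is an added illustration, not Google's or Apigee's code: the rule names, thresholds and the access-log format are assumptions, and the log lines are constructed sample data rather than real traffic.

```python
"""Rule-based bot triage over API access logs (illustrative example; not Apigee's rules)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Request:
    ip: str
    method: str
    path: str
    status: int
    user_agent: str


# Constructed sample access log (not real traffic). Fields: ip method path status user-agent
SAMPLE_LOG = """\
203.0.113.10 GET /v1/claims/1001 200 Mozilla/5.0
203.0.113.10 GET /v1/claims/1002 200 Mozilla/5.0
203.0.113.10 GET /v1/claims/1003 200 Mozilla/5.0
203.0.113.10 GET /v1/claims/1004 200 Mozilla/5.0
203.0.113.10 GET /v1/claims/1005 200 Mozilla/5.0
203.0.113.10 GET /v1/claims/1006 200 Mozilla/5.0
198.51.100.7 POST /v1/login 401 python-requests/2.31
198.51.100.7 POST /v1/login 401 python-requests/2.31
198.51.100.7 POST /v1/login 401 python-requests/2.31
198.51.100.7 POST /v1/login 403 python-requests/2.31
192.0.2.44 GET /v1/claims/2001 200 Mozilla/5.0
192.0.2.44 GET /v1/members/me 200 Mozilla/5.0
"""

# Hypothetical thresholds; a real deployment tunes these to the API's observed baseline.
BURST_THRESHOLD = 5          # more requests than this from one IP in the window
ERROR_RATIO_THRESHOLD = 0.75  # share of auth failures that marks a source as probing
ERROR_MIN_REQUESTS = 3        # ignore tiny samples for the ratio rule
AUTH_ERROR_STATUSES = {401, 403}


def parse_log(text):
    """Parse the whitespace-separated sample format into Request records."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, method, path, status, agent = line.split(maxsplit=4)
        requests.append(Request(ip, method, path, int(status), agent))
    return requests


def group_by_ip(requests):
    """The rules are evaluated per source IP, as the article describes."""
    by_ip = defaultdict(list)
    for r in requests:
        by_ip[r.ip].append(r)
    return by_ip


# Each rule receives one IP's requests and returns True when its traffic pattern is present.
def rule_request_burst(reqs):
    return len(reqs) > BURST_THRESHOLD


def rule_auth_failure_ratio(reqs):
    if len(reqs) < ERROR_MIN_REQUESTS:
        return False
    failures = sum(1 for r in reqs if r.status in AUTH_ERROR_STATUSES)
    return failures / len(reqs) >= ERROR_RATIO_THRESHOLD


def rule_sequential_ids(reqs):
    # Consecutive numeric resource IDs under one collection look like enumeration, not a user.
    tails = (r.path.rsplit("/", 1)[-1] for r in reqs)
    ids = sorted(int(t) for t in tails if t.isdigit())
    return len(ids) >= 4 and all(b - a == 1 for a, b in zip(ids, ids[1:]))


RULES = {
    "request_burst": rule_request_burst,
    "auth_failure_ratio": rule_auth_failure_ratio,
    "sequential_ids": rule_sequential_ids,
}


def triage(text):
    """Return, per flagged IP, the matched rules and whether it received any 200 OK responses."""
    findings = {}
    for ip, reqs in group_by_ip(parse_log(text)).items():
        matched = sorted(name for name, rule in RULES.items() if rule(reqs))
        if not matched:
            continue
        successes = sum(1 for r in reqs if r.status == 200)
        findings[ip] = {
            "rules": matched,
            "successful_responses": successes,
            # A flagged source that also got 200 OK answers may already hold data;
            # it is the first thing to review when investigating a possible breach.
            "possible_data_exposure": successes > 0,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in triage(SAMPLE_LOG).items():
        print(ip, finding)
```

In the sample, the enumerating source is flagged by two rules and received six 200 OK responses, so it is prioritised as a possible exposure, while the credential-probing source matched a rule but never got a successful response, and the ordinary client matched nothing.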

“Organizations in every region and industry are developing APIs to enable easier and more standardized delivery of services and data for digital experiences,” Ananda wrote. “This increasing shift to digital experiences has grown API usage and traffic volumes. However, as malicious API attacks also have grown, API security has become an important battleground over business risk.” 

Michelle McLean, vice president of product marketing at Salt Security, an API security provider, noted that any time a major industry player shines a spotlight on a necessary, critical capability, the entire industry benefits.

“Too many companies remain complacent about the risk that APIs create for their organizations, so having a leading API management platform like Apigee call out the need for improved API security makes the whole industry smarter,” she said. 

McLean said Google is perennially trying to catch up to AWS and Azure in the “cloud wars,” and has long focused on security as an area in which to differentiate.

“Apigee remains a very popular API management platform from well before the Google acquisition, so it makes sense for Google to look to security as a way to increase the value of its API platform,” she said. 

She added that stopping bots and identifying misconfigurations in APIs are a good starting point, as both these capabilities can leverage pre-set rules and known patterns to improve API security. 

“However, these don’t represent the greatest source of risk,” she said. “If you think of the major API security incidents of the past few years—Experian, Peloton, USPS, LinkedIn and even Log4j—none of these would have been prevented by stopping bot attacks or misconfigurations.”

Business Logic Flaws Are the Real Threat

McLean explained that most API attacks are rooted in identifying business logic flaws, and these kinds of attacks aren’t stopped by pre-set rules or known patterns. She pointed out that APIs are an increasingly attractive target because they’re designed to share valuable data and they’re poorly protected today.

To attack APIs, bad actors look for gaps in business logic that they can exploit. Detecting this subtle probing as a bad actor learns a given company’s APIs is crucial to identifying and preventing attacks. 

“To prevent this threat, companies must focus on runtime security measures that are dynamic, adaptive and behavioral and can detect anomalies over days, weeks and months,” she said. “Existing tooling, like web application firewalls (WAFs) and gateways, can’t help here because they use pre-set rules and patterns to detect known threats.”

McLean pointed out that such known threats are not the biggest risk for API-driven companies—business logic attacks are. These require advanced algorithms that can identify the reconnaissance activities associated with finding those business logic flaws, McLean said.

Scott Gerlach, co-founder and CSO at StackHawk, a provider of API security testing, said this launch provides GCP users with the ability to have a defense-in-depth strategy.

“Teams can use modern API security testing tools to make sure that the APIs they are releasing don’t have high-risk, exploitable vulnerabilities and leverage Google Advanced API Security as a production backstop,” he said. “This is another great step in ensuring legitimate users with legitimate use cases are the ones requesting data.” 

He noted that steps like this are critical as the API security threat grows, pointing to Forrester’s recent 2022 State of Application Security report, which found that the percentage of malicious API traffic grew significantly from 2020 to 2021. Gerlach predicted this trend would continue.

“API security issues are at the heart of many recent breaches, including Bumble and Coinbase, and leading organizations are taking steps to ship more secure APIs and leveraging production tools for an additional layer of security,” Gerlach added. 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
