API Gateway Security: What is it and is it Enough?
APIs drive today’s economy, helping organizations bring data together in new ways to provide the services that consumers expect. Therefore, it’s no surprise that a recent study found that businesses that utilize APIs were more profitable over the past decade, experiencing 12.7% higher growth in market capitalization growth than those that did not use APIs.
As a result, API usage has exploded. The Salt Security Q3 2022 State of API Security report showed that the average number of APIs per Salt customer grew 82% over last year to more than 162 in July 2022. During the same period, overall API traffic per customer grew 168%. With this growth, it has become imperative that companies look for ways to efficiently manage their sprawling API landscape.
Enter the API gateway…
What is an API gateway?
I like to imagine an API gateway as a turn-of-the-century telephone operator, plugging in a cord to accept an incoming call, asking who they wish to speak to, and then plugging that cord into the proper slot to route it to the desired location. API Gateways do much the same thing – accepting API calls and efficiently routing them to the appropriate application.
An API gateway sits in front of an application programming interface (API) to provide a single entry point and common interface for APIs to communicate with each other. This enables them to exchange data within an organization and outside of it. API gateways also provide critical management and oversight functions, allowing teams to control APIs and their various integrations from one place, rather than managing each of them individually. Their catalogs also allow business and IT teams to find existing APIs, avoid duplication, and reuse them whenever possible. And we can’t discount the basic security functions that API gateways typically provide, including user authentication, rate limiting, and monitoring.
API gateways are designed to reduce the complexity of an ever-changing, sprawling, and complex API landscape. Gateways help organizations increase the reliability of their applications by giving them a common framework to communicate, and can even help extend the life of legacy applications.
As you can imagine, as an API security company, we talk to organizations at all stages of their API security journeys. Most of them have implemented (or are in the process of implementing) an API gateway and understandably have questions about how these API tools differ. Here are a few of the most common questions we get so you can better understand how the various API tools can layer together to detect and prevent the most frequent API attacks.
What security features does my API gateway provide?
API gateways offer some important basic security features in addition to their core API management capabilities. Most API gateways offer:
- Rate-limiting policies to enforce usage limits and prevent volumetric attacks
- Data protection policies to protect data in transit with tokenization
- Governance policies, policy management, and access control enforcement
- Signatures and policies to block known attack types
However, while API gateways play an important part in the overall API security strategy, they cannot protect against the top API threats, including those defined in the OWASP API Security Top 10. Even authenticated APIs can be targeted by attackers using subtle methods to uncover and exploit vulnerabilities. Traditional access controls, block lists, and message filtering provided by API gateways provide only partial protection.
How do we know this? API attacks continue to happen, and they happen to APIs that are published through gateways. According to Salt’s Q3 2022 State of API Security survey, 54% of respondents are relying on their API Gateway for security, yet 82% don’t believe their existing tools are very effective in preventing API attacks.
API gateways rely on signatures and known patterns, so you need to know what you’re looking for. Signature-based tools like API gateways look for well-known attack patterns for detection, but the most common API attacks take advantage of business logic flaws which will differ dramatically from API to API and aren’t detectable without massive amounts of data correlated over weeks and months.
Protecting APIs from threats requires analysis of all API traffic to gain the context needed to identify and stop attackers. The proxy architecture of API gateways limits their ability to see the big picture – instead, they provide protection one transaction at a time. Without broader context and the ability to stitch together disparate activities, API gateways leave organizations exposed to the most common API attacks.
We have an API gateway, so why would we need an API security solution?
API gateways simply weren’t designed to stop today’s API attacks. Attackers use reconnaissance techniques to reverse engineer APIs and understand their structure and unique business logic. These attacks take time and rely on low and slow activity to look for vulnerabilities and exploit them. Since attacker reconnaissance activity looks like normal API traffic, API gateways will inevitably miss the attacks that target unique API vulnerabilities. Gateways (and WAFs) simply aren’t built to thwart these types of attacks and leave significant gaps.
API security solutions must automatically and continuously analyze API traffic to learn normal behaviors for each unique API and gain the context needed to identify anomalies, pinpoint attackers, and protect APIs. Dedicated API security requires three core capabilities:
Discovering New and Modified APIs: an API security solution must have the capability to discover all APIs, including shadow APIs and zombie APIs. To keep up with the ongoing release of new and updated APIs, discovery must happen automatically and continuously and must cover all partner-facing, internal, and customer-facing APIs. Ideally, a dedicated API solution should also be able to identify sensitive data exposure to help your organization understand risk and remain compliant.
Detecting and Stopping API Attacks in Runtime: in order to detect and stop modern API attacks, an API security solution needs to analyze and correlate API activity to create a baseline of normal behavior and identify activity that falls outside of that baseline. This will allow you to tell the difference between normal changes in API traffic caused by API changes or user behavior, and malicious traffic stemming from attacker activity, enabling you to detect and stop attacks early during the reconnaissance stage.
Traditional tools, like API gateways, can only inspect each transaction in isolation and identify known malicious traffic and are unable to use context and correlation to identify and stop malicious activity. Stopping today’s sophisticated API attacks requires a breadth of context that can only be gained by using cloud-scale big data and leveraging AI and ML technology to correlate millions of API calls over time.
Shift Left Practices to Eliminate Vulnerabilities in Development: any software will be deployed into production with gaps, even if DevOps teams follow development best practices and make use of scanning tools. APIs are no exception. You can only prevent the exploitation of any API vulnerability that makes it into production using runtime protection.
An API security solution should be able to detect potential issues and flaws in runtime. To improve your overall API security practices, these findings should be fed back to developers early in the development cycle, to help them eliminate vulnerabilities before APIs are deployed into production. Providing DevOps teams with insights on vulnerabilities found both in development and in runtime can help teams prioritize remediation efforts and eliminate weaknesses and continuously enhance your organization’s security posture.
How do API gateways protect against the OWASP API Security Top 10?
In late 2019, the Open Web Application Security Project (OWASP) released its first-ever API Security Top 10. This list identifies the most common API security attack types and helps illustrate where traditional API tools like API gateways fit, and where dedicated API security solutions (like Salt) are required. As you can see, gateways do a nice job of detecting simple injection attacks, but their signature-based models cannot recognize more complex attacks.
Where API gateways fall short are in the more complicated – and most frequent – attacks like broken object level authorization (BOLAs). In a BOLA attack scenario, an attacker might authenticate with a specific user ID and then continue sending that same user ID in the cookie while sending a different user ID in the query parameter. By doing this, they’re attempting to bypass authorization mechanisms and gain access to other users’ data. As long as the request is structured correctly, an API gateway will pass this request to the API server which will process it as usual and return the response to the end user.
Alternatively, a sophisticated API security solution – like Salt – will protect against this same BOLA attack. By leveraging the power of big data, over time, advanced API security solutions can fully understand the context and normal behavior of each API. When this same scenario occurs, solutions like Salt can compare the values of different fields and parameters across different pieces of the request and response. When two parameters should have the same values but a request comes through with two parameters with different values on them, advanced API security solutions will uncover this discrepancy, raise an alert about it, and enable you to block the attack in progress by leveraging the inline capabilities of your WAF or API gateway.
With the right signatures (and people who have the know-how and time to write them), they can manually detect some additional attack types. That’s where the AI/ML-driven, purpose-built API security tools shine – stitching together complicated series of attacks over time to uncover the business logic-based API attacks.
If we were to implement a dedicated API security solution like Salt, would we still need an API gateway?
Gateways are critical components of a comprehensive API management and security program. There is no substitute for the centralized management and oversight capabilities that API gateways offer. However, they do need to be layered with other API tools to provide full, end-to-end API management and security functions. Additionally, API security solutions like Salt can utilize a gateway to mirror your API traffic and use it to discover, protect, and prevent more sophisticated attacks.
What API gateways do you support?
Salt is committed to supporting our customers’ environments and the systems and solutions that they already have in place. Therefore, Salt provides a robust set of integrations with all of the leading API gateway providers. If you’re already using one, we can likely connect, mirror traffic from it, and block malicious activity. We encourage you to select the API gateway that is best for your organization, and we will help you determine the most efficient way to integrate with it!
For more information
If you’re interested in learning more about how you can layer a best-of-breed API security solution like the Salt Security API Protection Platform alongside your API gateway, please contact us or request a customized demo. You can also request an API Security Gap Assessment to better understand your API landscape and gain personalized remediation insights.
*** This is a Security Bloggers Network syndicated blog from Salt Security blog authored by Stephanie Best. Read the original post at: https://salt.security/blog/api-gateway-security-what-is-it-and-is-it-enough