Why Traditional Approaches Don’t Work for API Security
API sprawl, which Brian Otten, VP of the digital transformation catalysts division with Axway, defined as “an uncontrolled proliferation of APIs in an organization,” is creating a flood of new security headaches for organizations. One of the biggest problems in providing security for APIs is that sprawl makes them difficult to track and inventory. And it may be that traditional security methods will not work to detect and protect applications that rely on APIs.
Where Traditional Security Solutions Fail
The traditional solutions used for API security are those that are already in the application security space, such as web application firewalls.
However, said Edward Roberts, VP of marketing at Neosec, in an email interview, there is confusion in the market, and many are under the mistaken impression that solutions like this also protect their APIs. That’s not always the case.
“These products were never built to protect APIs and rely on rules or signatures to detect bad requests,” said Roberts.
People also misunderstand API gateways, Roberts added, which, while they do provide some basic security features like authentication, authorization and rate limiting, were never intended as serious security solutions to protect APIs from abusive traffic.
“An analogy is to think of APIs like a system of roads that connect businesses to their partners and customers,” explained Roberts. “These API requests are cars traveling on the API road. Within the car is data, and some contain sensitive information like PII.”
If you are traveling in a car, you require a road map to get you from one point to the next, and even if you are familiar with the trip, new construction can throw you off the planned route. It’s not much different with API security. Most organizations don’t have a comprehensive map or inventory of the roads they have created, and because building new APIs is easy, the map is constantly changing and growing.
“This is why continuously discovering APIs is the first security problem that needs addressing. You can’t protect what you cannot see,” said Roberts.
APIs don’t follow a known path or pattern, Michelle McLean, VP of marketing at Salt Security, said in a video interview, and that will make it easy to get lost along the security highway.
“Your APIs are different from my APIs, so the way someone would attack your APIs is different,” McLean said. Because of the uniqueness of APIs, you can’t use the tried and true roadmap offered by traditional security.
It takes a while to build the picture of how APIs work and how a threat actor will approach the attack, McLean added; therefore, the defense mechanisms have to be different.
Context Over Time
To be good at API security, said McLean, you need a lot of data over time. This could take weeks to learn the activity and collect the data to understand the risks and threats to APIs.
The tools you have for your other solutions, including those for application security, will work well for those other purposes. APIs are a completely different technology in your network and require a different approach. Some organizations are turning to zero-trust, while others see shift left as the answer.
“Use traditional security testing tools to verify certain elements of an API implementation such as well-known misconfigurations or vulnerabilities, but realize these tools have limitations,” a TruthinIT blog post advised. Just as you have security best practices for other areas of your organization, developing a unique set of security practices for APIs, in addition to deploying tools especially for APIs, will provide the protection and detection needed to address vulnerabilities and other risks.
“API solutions must provide visibility and offer continuous discovery of existing and new APIs, the ability to audit APIs for risks and vulnerabilities, the intelligence to use behavioral analytics to detect normal and abnormal usage and the ability to investigate and hunt for threats lurking in the data,” said Roberts.
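To make the two points above concrete, here is an added example (not code from the article or from any of the vendors quoted) that runs the first two capabilities Roberts lists, continuous discovery and behavioral baselining, over access logs. The log format, the documented endpoint list, the client names and the thresholds are all constructed for the illustration. It also shows the gateway point made earlier: a client that walks sequential object IDs never trips a per-client rate limit, but a count of distinct IDs per client and endpoint catches it.

```python
"""Added example: API discovery and behavioral baselining from access logs.

Assumptions (all constructed for this illustration): a one-line-per-request
log format, a documented inventory in OpenAPI-style path templates, and the
thresholds below. Nothing here is a vendor implementation.
"""
import re
from collections import Counter, defaultdict

# Constructed log lines, not real traffic. The "scraper" client sends only
# 12 requests, well under any sane rate limit, but walks sequential user ids.
LOG_LINES = [
    "GET /api/v1/users/1001/profile client=app-ios status=200",
    "GET /api/v1/users/1002/profile client=app-ios status=200",
    "GET /api/v1/orders/77 client=web status=200",
    "POST /api/v1/orders client=web status=201",
    "GET /api/v0/users/5 client=legacy-batch status=200",    # old version still live
    "GET /internal/debug/export client=web status=200",       # undocumented endpoint
] + [f"GET /api/v1/users/{1000 + i}/profile client=scraper status=200" for i in range(12)]

# What the organization believes it exposes (constructed OpenAPI-style list).
DOCUMENTED = {
    ("GET", "/api/v1/users/{id}/profile"),
    ("GET", "/api/v1/orders/{id}"),
    ("POST", "/api/v1/orders"),
}

LOG_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<path>\S+) client=(?P<client>\S+) status=(?P<status>\d+)$"
)
# Path segments that look like object identifiers: decimal ids or long hex tokens.
ID_RE = re.compile(r"/(\d+|[0-9a-f]{8,})(?=/|$)")


def normalize(path):
    """Collapse identifier segments so /users/1001/profile and /users/1002/profile
    map to the same endpoint template."""
    return ID_RE.sub("/{id}", path)


def parse(lines):
    """Turn raw log lines into records; malformed lines are skipped here but
    should be counted in a real pipeline, never silently dropped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "method": m["method"],
            "template": normalize(m["path"]),
            "ids": tuple(ID_RE.findall(m["path"])),
            "client": m["client"],
            "status": int(m["status"]),
        })
    return records


def discover(records, documented=DOCUMENTED):
    """Continuous discovery: the inventory actually observed in traffic, plus the
    endpoints that are live but absent from the documented inventory (shadow or
    zombie APIs)."""
    inventory = Counter((r["method"], r["template"]) for r in records)
    shadow = sorted(key for key in inventory if key not in documented)
    return inventory, shadow


def rate_limit_exceeded(records, max_requests=60):
    """What a gateway's per-client rate limit sees: only raw request volume."""
    volume = Counter(r["client"] for r in records)
    return {client: n for client, n in volume.items() if n > max_requests}


def enumeration_suspects(records, max_distinct_ids=5):
    """Behavioral baseline: distinct object ids touched per client and endpoint.
    A client under the rate limit but reading many different users' profiles is
    the signature of object-level enumeration, which volume alone never shows."""
    seen = defaultdict(set)
    for r in records:
        if r["ids"]:
            seen[(r["client"], r["method"], r["template"])].update(r["ids"])
    return {key: len(ids) for key, ids in seen.items() if len(ids) > max_distinct_ids}


if __name__ == "__main__":
    recs = parse(LOG_LINES)
    inventory, shadow = discover(recs)
    print("observed endpoints:", dict(inventory))
    print("undocumented endpoints:", shadow)
    print("over rate limit:", rate_limit_exceeded(recs))
    print("enumeration suspects:", enumeration_suspects(recs))
```

The normalization step is what makes discovery possible at all: without collapsing identifiers, every user profile looks like a separate endpoint and the inventory never stabilizes. The enumeration check is the kind of rule a gateway cannot express, because it depends on what was requested over time rather than how often.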