Blocking API Runtime Threats

June 20, 2022

Harold Bell

Post Featured Image

Organizations are achieving new levels of connectivity, productivity and agility through the use of APIs. They use APIs to connect internal applications, accelerate processes with their business partners and even deliver data services to the public. But a small fraction of organizations are able to keep tabs on the thousands, if not tens of thousands of APIs making data calls within their digital ecosystem. Even fewer are fully prepared to protect against runtime API threats. And the fact is, misconfigured and hacked APIs are behind some major data breaches.

What are API runtime threats?

APIs are the de-facto backend of any web app, mobile app, or B2B collaboration developed in the last several years. Just as with web applications, APIs often use HTTP/S, which allows access to services via a web browser. HTTP is also the common protocol for REST APIs. But other API protocols used heavily in enterprise software include JSON, GraphQL, SOAP, XML-RPC, and gRPC. Each of these protocols brings its own strengths and weaknesses as well as its own security considerations that leave room for vulnerabilities if misconfigurations are made. Potential API runtime threats can include excessive data exposure, injection flaws, broken authentication and authorization, and DoS/DDoS attacks among others.

Where do you start with API security?

API security begins with many of the same foundational technologies organizations use for protecting traditional web applications. This includes a network firewall and a web application firewall (WAF).

Network firewalls protect OSI model Layers 3 and 4, where data transfer and network traffic attacks occur. Including those aimed at DNS, FTP, SMTP, SSH and Telnet. WAFs operate at the application level, Layer 7. They monitor and filter traffic between web applications and the internet. This includes defending against cookie manipulation, SQL injection, and URL attacks.

But firewalls have limitations and most organizations are not secure from the more complex and dynamic risks that can be imposed by API usage. Network firewalls depend upon known bad sources and cannot be relied upon on their own to detect data misuse. And WAFs, though focused more on user behavior, are resource intensive, hard to update dynamically, and can slow performance. Not to mention, legacy or zombie APIs that aren’t routed through a WAF aren’t even visible.

The complete application security stack also needs capabilities such as rate limiting, DDoS protection, as well as anti-malware and encryption implementation. And even with the use of API gateways, typically the tool for enforcing authentication and authorization, the stack isn’t complete. To be able to detect all runtime API threats, organizations need to get deeper visibility into the applications that are being protected.

How do you block API threats?

Because APIs have been specifically designed to enable easy connections and data flow across applications, it’s expected that they should be actively moving data. That means it can be difficult for traditional security tools to discern between a legitimate and malicious request by an API. Unless there is an existing understanding of how data is supposed to be used and by whom.

Authentication and authorization is more complex when it comes to APIs than in traditional web applications. While a web app may rely on a CAPTCHA system to filter out non-humans, those sorts of controls don’t work well for machine-to-machine authorization. Blocking runtime API threats requires an ability to protect data by leveraging more context. Specifically, information about how each API is intended to be used. To accomplish this, there needs to be a whole new layer in the application security stack – an API security platform.

An important first step is to assess the API security posture. This is a fancy way of saying use an API discovery tool that finds and inventories all your APIs. Most notably your legacy and shadow APIs. Upon running these tools, many organizations are shocked to find the sheer number of APIs and interdependencies at play.

The right discovery tools can identify each API, its owner, the types of sensitive data it interacts with, how it is routed, its associated physical resources, and to which business unit or application it belongs. Once an organization’s unique API footprint is inventoried, API security tools can continually monitor for vulnerabilities and misconfigurations.

Once you have an idea of your API estate, you want to employ AI and machine learning capabilities to monitor traffic. The aim here is to build a baseline understanding of typical behavior in order to detect what’s anomalous. Real time traffic analysis will provide contextual insights into data leakage, data tampering, data policy violations, suspicious behavior, and API security attacks.

The best API security platforms also integrate with existing security systems. The API security platform reports any suspicious behavior, misconfigurations and data policy violations to the API gateway, SIEM system, and other application security engines in order to inform the larger security team. Firewalls and WAFs are then used to take action.

Often, as organizations layer in API security functions, they begin with manual or semi-automated approaches to blocking threats. But given the complexity of the interactions of dozens of APIs that enable any single application, authentication and authorization cannot realistically be managed manually. Because APIs are so active and always changing, API security platforms use machine learning to correlate data usage. This enables them to identify any anomalies in API behavior using a comprehensive understanding of intended application logic and business context. It also ensures that applications aren’t behaving badly and they aren’t being incorrectly blocked.

Where can I learn more about runtime threats?

As APIs increasingly form the core of modern application architecture, there’s no question that protecting them is becoming a top priority for security leaders worldwide. Organizations are beginning to understand the risk at play as they discover the number of APIs upon which they rely, and are reacting with application security strategies and tools that keep pace with agile development processes. They are also realizing that spotting anomalous API behavior, misconfigurations and data policy violations requires a sophisticated platform.

To learn more about API Runtime Protection, download our whitepaper, Continuous Security for APIs. It will walk you through the discovery, analysis, remediation and testing phases for a holistic API security posture.