Web application programming interfaces (APIs) are a growing part of many organizations' Internet-facing attack surface, and because they are built for programmatic access they are a natural target for automated attacks. Organizations therefore need to make API security part of their application security strategy so that attempted exploitation of their web APIs is identified and blocked.
Web application security has long been a priority for organizations because web applications are exposed to the Internet while also having access to sensitive and valuable data and functionality. Today, web APIs are rapidly becoming a major component of the same attack surface: they are consumed by mobile apps, Software as a Service (SaaS) applications and web applications, all of which are an increasingly common part of the modern Internet.
Web APIs perform many of the same functions as web applications. The important difference is that web applications are designed for human interaction, while web APIs are intended to be called by other programs: they typically accept and return structured data such as JSON and expect the client to present its credentials (an API key, bearer token or session) on every request.
In practice, this means web APIs are vulnerable to many of the same attacks as web applications. A credential stuffing attack that would normally be run against a login page can be pointed at the API's authentication endpoint instead, and an SQL injection flaw in an API endpoint gives an attacker the same access to the back-end database as the same flaw in a web page.
The differences between web applications and web APIs can, however, make these attacks easier or more effective. Credential stuffing is automated, and an API is built for exactly that kind of programmatic interaction: there is usually no HTML form to parse, no JavaScript to execute and no CAPTCHA to defeat, so an attacker can drive the endpoint directly, at high speed, with a short script.
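The SQL injection case above, as an added example that is not code from the original article or from Check Point: a hypothetical handler for a `GET /api/users/{username}` profile endpoint written first with string formatting and then with a bound parameter. The user table, e-mail addresses and password hashes are constructed sample data, and the payload is the kind of UNION-based probe an automated scanner sends in a path parameter.

```python
import hashlib
import sqlite3


# Constructed sample data: a tiny users table standing in for the API's
# backing database. Unsalted SHA-256 is used only to keep the sample short;
# a real service stores passwords with a slow, salted KDF.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, pw_hash TEXT)"
    )
    for user, email, pw in [
        ("alice", "alice@example.com", "correct horse battery"),
        ("bob", "bob@example.com", "hunter2"),
    ]:
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?)",
            (user, email, hashlib.sha256(pw.encode()).hexdigest()),
        )
    conn.commit()
    return conn


# VULNERABLE (hypothetical handler for GET /api/users/{username}): the path
# parameter is pasted into the SQL text. The bug is identical to the one in a
# web page that builds its query the same way; only the caller differs.
def get_profile_vulnerable(conn, username):
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


# HARDENED: the same handler with a bound parameter. The driver sends the
# value separately from the statement text, so the value can never change
# the structure of the query, whatever characters it contains.
def get_profile_safe(conn, username):
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payload: closes the string literal, appends a UNION that pulls
# every password hash, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT username, pw_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", get_profile_vulnerable(db, PAYLOAD))  # every user's hash
    print("hardened:  ", get_profile_safe(db, PAYLOAD))        # [] (no such user)
```

The vulnerable handler returns one row per user containing the password hash in the "email" column; the hardened handler returns no rows because no user is literally named `x' UNION SELECT ...`. Note that the parameterized form is the fix, not input filtering: the same scanner would try a dozen encodings of the same idea against a blocklist.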
The OWASP Foundation is best known for its OWASP Top 10 list of web application security risks, which is updated every few years to reflect changing trends. It also maintains other resources and Top 10 lists that address the leading threats to other systems of interest to web developers.
The OWASP API Security Top 10 recognizes that, although web APIs share many vulnerabilities with web apps, they also have weaknesses of their own. Some items overlap with the web application list (injection, for example), while others address risks specific to how APIs are consumed: broken object level authorization, where a caller can read or modify another user's record simply by changing an identifier in the request, and lack of resources and rate limiting, which leaves authentication and other endpoints open to brute force and credential stuffing unless the API itself caps how often a client may call them.
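One way to add the rate limiting the list calls for to an API login endpoint, as an added example that is not part of the original article or of any product. The design is the author's assumption: a sliding window counted on two keys, source IP and target username, because credential stuffing arrives either as one script hammering many accounts or as many addresses trying one account. The thresholds, addresses and clock are constructed for the demonstration; in production the clock would be `time.monotonic` and the counters would live in a shared store such as Redis so every API replica sees the same totals.

```python
from collections import defaultdict, deque


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


class LoginRateLimiter:
    """Sliding-window limiter for an authentication endpoint (hypothetical).

    Every attempt is recorded, allowed or not, so a client that keeps
    hammering the endpoint keeps itself locked out; that is deliberate for
    a login endpoint and would be the wrong choice for a read-only one.
    """

    def __init__(self, max_per_ip, max_per_user, window_seconds, clock):
        self.max_per_ip = max_per_ip
        self.max_per_user = max_per_user
        self.window = window_seconds
        self.clock = clock                      # injected for testability
        self.by_ip = defaultdict(deque)         # ip -> timestamps of attempts
        self.by_user = defaultdict(deque)       # username -> timestamps

    def _count(self, bucket, key, now):
        q = bucket[key]
        while q and q[0] <= now - self.window:  # expire attempts outside the window
            q.popleft()
        return len(q)

    def check(self, ip, username):
        """Return (allowed, reason) for one login attempt from ip at username."""
        now = self.clock()
        ip_n = self._count(self.by_ip, ip, now)
        user_n = self._count(self.by_user, username, now)
        self.by_ip[ip].append(now)
        self.by_user[username].append(now)
        if ip_n >= self.max_per_ip:
            return False, "429: too many attempts from this address"
        if user_n >= self.max_per_user:
            return False, "429: too many attempts for this account"
        return True, "proceed to password check"


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    limiter = LoginRateLimiter(max_per_ip=10, max_per_user=5, window_seconds=60, clock=clock)
    # Constructed traffic: one address cycling through a credential list.
    one_ip = [limiter.check("203.0.113.7", "user%d" % i)[0] for i in range(20)]
    print("single-source stuffing: %d of 20 reach the password check" % one_ip.count(True))
    # Constructed traffic: twenty addresses all targeting one account.
    many_ips = [limiter.check("198.51.100.%d" % i, "alice")[0] for i in range(20)]
    print("distributed attack on alice: %d of 20 reach the password check" % many_ips.count(True))
    clock.now += 61
    print("after the window passes:", limiter.check("203.0.113.7", "user0"))
```

The per-username key is the part most often missing from naive limiters: a distributed attack that spreads 20 guesses over 20 addresses never trips a per-IP threshold, but it still makes 20 attempts against the same account. The usual practical refinement is to return the same response code and timing for a rate-limited request as for a failed login, so the limiter does not itself leak which usernames exist.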
One approach to protecting either is a Web Application Firewall (WAF), which sits between the application and the Internet. It inspects inbound traffic and uses signatures, rules and, in some products, a learned model of the application's normal requests to identify and block attempted exploitation of known classes of web vulnerabilities. Because a WAF sees only the traffic and not the application's internals, it is limited to what it can recognize in the request; for an API that usually means enforcing an API specification (such as an OpenAPI document) in addition to generic attack signatures.
The other approach is runtime application self-protection (RASP). RASP is deployed alongside or inside a particular application, and through instrumentation and introspection it gains visibility into the application's inputs, outputs and execution state, for example by hooking the calls that build SQL queries, run commands or open files. Based on that insight it can detect and prevent attempted exploitation as it happens. Because RASP looks for the effect of an exploit on the application's behavior, such as request data changing the structure of a database query, rather than for the signature of a known exploit, it can catch novel and zero-day exploits of that kind. It cannot, however, see attacks that look like legitimate use, such as a login with a valid stolen password or abuse of business logic, and it adds runtime overhead and must support the application's language runtime.
Web APIs benefit from both. A network-level defense in front of the API weeds out the low-hanging fruit (scanners, known payloads, abusive clients) before it reaches the application, while an in-application defense stops the more sophisticated or novel exploits that get past it.
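To make the RASP idea concrete, here is an added example, not code from the original article or from any RASP product, of the structure check such an agent can apply at the database driver: the application hands the hook the final SQL text and the values that arrived in the request (its "tainted" data), and the hook refuses the query if any tainted value spans a token boundary instead of sitting wholly inside one string literal or standing alone as a number. The simplified lexer, the `guarded_execute` hook and the recording driver are all assumptions made for this demonstration; a real agent instruments the driver transparently and uses a complete SQL lexer.

```python
import re


class SqlInjectionBlocked(Exception):
    """Raised by the hook when request data altered the statement's structure."""


def _string_literal_spans(sql):
    """Return (start, end) of the contents of each single-quoted literal,
    honouring the '' escape. Enough for the demo; not a full SQL lexer."""
    spans = []
    i, n = 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        j = i + 1
        while j < n:
            if sql[j] == "'":
                if j + 1 < n and sql[j + 1] == "'":  # escaped quote inside literal
                    j += 2
                    continue
                break
            j += 1
        spans.append((i + 1, j))                    # content only, quotes excluded
        i = j + 1
    return spans


def _safely_embedded(sql, value, spans):
    """True if every verbatim occurrence of value sits inside one string
    literal or is a complete numeric token. A value that never appears
    verbatim (bound parameter, escaped) cannot have changed the structure."""
    if value == "":
        return True
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        in_literal = any(s <= start and end <= e for s, e in spans)
        numeric = (
            re.fullmatch(r"-?\d+(\.\d+)?", value) is not None
            and (start == 0 or not re.match(r"\w", sql[start - 1]))
            and (end == len(sql) or not re.match(r"\w", sql[end]))
        )
        if not (in_literal or numeric):
            return False
        start = sql.find(value, start + 1)
    return True


def is_query_safe(sql, tainted_values):
    spans = _string_literal_spans(sql)
    return all(_safely_embedded(sql, v, spans) for v in tainted_values)


def guarded_execute(driver_execute, sql, tainted_values, params=()):
    """Stand-in for the instrumented driver call: inspect, then forward or raise."""
    for value in tainted_values:
        if not _safely_embedded(sql, value, _string_literal_spans(sql)):
            raise SqlInjectionBlocked("request data altered SQL structure: %r" % value)
    return driver_execute(sql, params)


class RecordingDriver:
    """Constructed stand-in for a database driver; records what reached it."""

    def __init__(self):
        self.executed = []

    def execute(self, sql, params=()):
        self.executed.append(sql)
        return "ran"


if __name__ == "__main__":
    drv = RecordingDriver()
    name = "' OR '1'='1"                          # constructed attacker input
    attack = "SELECT email FROM users WHERE username = '%s'" % name
    try:
        guarded_execute(drv.execute, attack, [name])
    except SqlInjectionBlocked as exc:
        print("blocked:", exc)
    print(guarded_execute(drv.execute, "SELECT email FROM users WHERE username = 'alice'", ["alice"]))
```

The check never looks at what the payload says, only at whether request data escaped the slot the developer put it in, which is why it catches payload variants a signature list has not seen. Its blind spots are the ones named above: a query whose structure is unchanged but whose logic is abused (a valid password, a valid but foreign record identifier) passes through untouched, and a tainted value that happens to coincide with a keyword or identifier elsewhere in the statement produces a false positive that a real agent resolves with proper taint tracking rather than substring search.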
Companies' Internet-facing attack surfaces are expanding. While cybercriminals and defenders once focused their efforts on web applications, web APIs are a growing target of attack: mobile devices and mobile apps are growing in popularity, and the explosion of SaaS applications has also contributed to the rise of the web API.
As a result, organizations need web security solutions that protect the web API as well as the web application. CloudGuard AppSec is a next-generation web application and API protection (WAAP) solution that uses artificial intelligence (AI) to detect and block attempted exploitation of web apps and APIs, which lets it keep pace with the rapid, DevOps-driven evolution of web APIs and block threats with minimal false positives.
Web applications and APIs are a common target of cybercriminals and can be a major hole in an organization's defenses. To learn more about how to protect your web apps and APIs with CloudGuard AppSec, check out this ebook. You are also welcome to request a demo to see CloudGuard AppSec in action or try it out for yourself with a free trial.