How web applications are attacked via APIs

Happy Pi Day, everyone! To a technical person, π is a number that represents a constant. In security, the constant is the ongoing stream of cyber threats that expose enterprise assets to continued risk as digital transformation, and the attack surface that grows alongside it, accelerates. Whether it is a simple identity compromise enabled by a weak password or a complex state-sponsored incident, security professionals are constantly striving to master the defensive tools and techniques needed to build a comprehensive security strategy.

The attack vector we cover here runs through application programming interfaces (APIs), the software intermediaries that allow applications to communicate with each other. What is it about APIs that makes them so attractive as a vector for web application security breaches, and what can we as security professionals do about this threat? In this article, we explain why cybercriminals target APIs, why current application security practices are insufficient to manage the threat, and what technologies are available today to overcome API security challenges.

Why Cybercriminals Target APIs

If history has taught us anything, it is that there is no free lunch when it comes to innovation. Fantastic web applications opened up a goldmine of e-commerce revenue, only for bad bot attacks to badly degrade the experience. Collaboration technologies turned distributed teams into ultra-productive digital workforces, only for phishing attacks to expose billions of sensitive personal records to exfiltration and theft. Today, cloud-native application development offers businesses unprecedented flexibility, speed, and cost savings. APIs are the cornerstone of this rapid cloud-native development process, and for good reason: they abstract away low-level software layers and let developers focus on the core functionality of their applications. Across the enterprise, APIs both lower the barrier to entry for inexperienced developers and increase efficiency for experienced ones. Consequently, API use has increased significantly. Analysis of cloud WAF traffic by Imperva Research Labs showed that the proportion of web traffic coming from APIs increased by 30% in 2022, compared to the same period the previous year. As the volume of API traffic grows, so does the threat to an organization's sensitive data: motivated attackers will increasingly target APIs as a route to the underlying infrastructure and databases.

Why Web Application Firewalls and DDoS Protection Are Not Enough to Protect APIs

Web application firewalls (WAF) and DDoS protection have for some time been the de facto tools for securing web applications. As digital transformation initiatives intensified, developers integrated microservices and open-source components into the application development process, dramatically increasing reliance on APIs. Unfortunately, organizations have limited visibility into the security of the APIs that arrive with these new components. DDoS protection is essential for stopping attacks in which attackers try to overwhelm an API with a large number of requests in a short time. But if you do not know the full schema of the API facing that deluge, or the changes that have been made to it, you do not know how it will react to an attack, and that undermines the effectiveness of any DDoS protection.

Get real API visibility and security

Imperva offers an easy-to-use tool that addresses the complex risks associated with APIs. Organizations can use Imperva API Security to create the visibility into their APIs that is needed to secure them. The tool provides comprehensive contextual data and tags, and automatically determines sensitive-data risks without requiring development teams to publish APIs via OpenAPI or to add a resource-intensive workflow to their CI/CD processes. Security teams can embed a positive security model to protect their organization against API-based threats. Whenever an API is updated, Imperva API Security notifies security teams and helps them understand any new risks and integrate the changes. This leads to faster and more secure software release cycles.

Imperva API Security automatically discovers the complete schema of each API while identifying and classifying the data that passes through it, improving an organization's security posture. It also enables continuous discovery of APIs and schema changes, automatically updating APIs as they change in production. The flexible deployment model protects public and backend APIs in a single solution without slowing down development teams, and works in legacy, hybrid, and cloud-native environments, including Kubernetes, legacy monolithic applications, autonomous microservices, and so on. The tool also digs deeper and uncovers the underlying payload of each API to help security managers apply a governance model and mitigate potential data breaches.

Imperva API Security enables security teams to keep pace with innovation without affecting the speed of development. The tool mitigates the risk of data breaches and data leaks by discovering phantom APIs and suggesting corrective actions to software developers and security administrators.
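The positive security model mentioned above (allow only what the declared API inventory documents, reject everything else) and the discovery of phantom APIs are easy to illustrate. The following is an added example, not Imperva's product code and not from the original post: a small request validator in Python that checks captured requests against a constructed inline inventory, rejects undocumented fields, and tallies undocumented endpoints as phantom-API candidates. The inventory format, the `sensitive` annotation, the endpoint names and the sample traffic are all constructed for this example.

```python
"""Positive-security API validator with phantom-API reporting (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional
import re

# Constructed API inventory in a simplified OpenAPI-like shape. The 'sensitive'
# list is this example's own annotation, not an OpenAPI keyword.
API_INVENTORY = {
    "GET /v1/users/{id}": {"body": None},
    "POST /v1/orders": {
        "body": {
            "required": ["sku", "qty"],
            "properties": {"sku": str, "qty": int, "card_number": str},
            "sensitive": ["card_number"],
        }
    },
}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    endpoint: Optional[str] = None  # matched inventory key, None if undocumented
    sensitive_fields: list = field(default_factory=list)


def _path_regex(template: str) -> re.Pattern:
    # "/v1/users/{id}" -> ^/v1/users/[^/]+$ : each {param} matches one path segment
    return re.compile("^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$")


_ROUTES = [
    (key, key.split(" ", 1)[0], _path_regex(key.split(" ", 1)[1]))
    for key in API_INVENTORY
]


def match_endpoint(method: str, path: str) -> Optional[str]:
    """Return the inventory key for a documented method+path, else None."""
    for key, doc_method, rx in _ROUTES:
        if doc_method == method.upper() and rx.match(path):
            return key
    return None


def validate_request(method: str, path: str, body: Optional[dict] = None) -> Verdict:
    """Positive model: allow only documented endpoints carrying documented fields."""
    key = match_endpoint(method, path)
    if key is None:
        return Verdict(False, "undocumented endpoint (phantom API candidate)")
    spec = API_INVENTORY[key]["body"]
    if spec is None:
        return Verdict(not body, "ok" if not body else "body not allowed here", key)
    body = body or {}
    missing = [f for f in spec["required"] if f not in body]
    if missing:
        return Verdict(False, f"missing required fields: {missing}", key)
    unknown = [f for f in body if f not in spec["properties"]]
    if unknown:
        # Unknown fields are rejected rather than silently ignored, so extra
        # attributes never reach the backend.
        return Verdict(False, f"unknown fields: {unknown}", key)
    for name, typ in spec["properties"].items():
        if name in body and not isinstance(body[name], typ):
            return Verdict(False, f"field {name!r} has wrong type", key)
    seen_sensitive = [f for f in spec.get("sensitive", []) if f in body]
    return Verdict(True, "ok", key, seen_sensitive)


def audit_traffic(requests) -> dict:
    """Run captured (method, path, body) tuples through the validator.

    Returns counts of allowed/rejected requests, a tally of undocumented
    endpoints (phantom-API candidates) and how often declared sensitive
    fields were observed in allowed traffic.
    """
    report = {"allowed": 0, "rejected": 0, "phantom": {}, "sensitive_field_hits": 0}
    for method, path, body in requests:
        v = validate_request(method, path, body)
        if v.allowed:
            report["allowed"] += 1
            report["sensitive_field_hits"] += len(v.sensitive_fields)
        else:
            report["rejected"] += 1
            if v.endpoint is None:
                route = f"{method.upper()} {path}"
                report["phantom"][route] = report["phantom"].get(route, 0) + 1
    return report


# Constructed sample traffic, as a gateway or WAF might capture it.
SAMPLE_TRAFFIC = [
    ("GET", "/v1/users/42", None),
    ("POST", "/v1/orders", {"sku": "A1", "qty": 2, "card_number": "4111 1111 1111 1111"}),
    ("POST", "/v1/orders", {"sku": "A1", "qty": 2, "is_admin": True}),
    ("POST", "/v1/orders", {"sku": "A1"}),
    ("GET", "/v1/admin/export", None),
    ("DELETE", "/v1/users/42", None),
    ("GET", "/v1/admin/export", None),
]

if __name__ == "__main__":
    for req in SAMPLE_TRAFFIC:
        print(req[0], req[1], "->", validate_request(*req).reason)
    print(audit_traffic(SAMPLE_TRAFFIC))
```

Running the sample traffic yields two allowed requests and five rejections; the `phantom` tally lists `GET /v1/admin/export` and `DELETE /v1/users/42`, which is exactly the inventory gap a discovery tool has to surface before a positive model can be enforced without breaking legitimate callers.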

Get more insights directly from the experts

Imperva's new webinar explains how this API security tool provides the balance of visibility and protection that security and DevSecOps teams need.

Join us on March 30 and find out about:

  • Trends driving rapid API adoption and the emerging risk surface resulting from outdated API inventory
  • Where application security fits into API protection and risk reduction
  • Which tools are best to cover each part of the OWASP API Top 10
  • A strategy to discover and classify each API in and out of production

Hear from two industry experts on API security, on how APIs have become the lingua franca of today's internet, and on why you need to act fast to prevent data breaches. Book your place today.

*** This is a syndicated blog from the Security Bloggers Network, written by John Oh. Read the original post at: