
Why Understanding API Threats and Security Is Key in the API-First Era

Image Credit: Sikov/Bigstockphoto.com

With the move to 'Open Everything', APIs have played a pivotal role in bringing open ecosystems and transformative initiatives to fruition. Simply put, APIs are the building blocks of online connectivity, providing the medium through which applications, data, and devices interact with each other.

API adoption is vital in many industries. According to the recent Enterprise API Security Survey, 4 out of 5 organizations already enable their partners (B2B) or users (B2C) to access their data using external APIs.

Today, more than 71% of large enterprises already use more than 50 APIs, with 80% of these enterprises publishing APIs for partners or clients. Despite their incredible benefits, APIs also come with significant vulnerabilities and risks that transform and expand the attack surface.

The rise of functional attacks

Unquestionably, publishing and giving access to more APIs means exposing more of the business logic that was previously hidden inside applications. By design, APIs increase the attack surface. Moreover, the interfaces multiply the relationships between functions and data objects, and each of those relationships is a potential exploitable vulnerability.

Attackers look for cracks in APIs and employ new attack tactics against them. What's worse, these new threats, referred to as functional attacks, frequently evade traditional application security tools. This is why understanding what functional attacks are is essential for security professionals looking to protect their organization's data and systems.

In what ways do functional attacks impact APIs? Functional attacks look like typical requests that follow the expected API call flow. Standard protective measures therefore do not register them as threats, which means general-purpose application security tools such as a WAF are not up to the mark for API security. The malicious calls are made by authenticated users; they can be detected only by analyzing the application's behavior for anomalies.


Your WAF is not enough

As APIs rapidly evolve from just a technological infrastructure to become the new application, the importance of API security continues to grow. A key finding in the survey conducted by Imvision is that API security is now a top priority among enterprise security leaders. As many as 90% of security leaders intend to make API security a priority over the next year, while 80% aim to gain more control over their APIs. A mere third of security leaders believe their APIs have the necessary protection.

It's tempting to think that the many layers of data, network, application, and cloud protection are enough to secure APIs. That is not the case, because each API has its own functionality and design. As a result, APIs remain highly vulnerable to functional attacks, which have no signatures and exploit the unique design and application defects of each API.

Imvision's survey affirms that existing general-purpose security tools, such as the WAF, have gaps that compromise the ability to effectively identify malicious usage by unauthenticated users. The problem with traditional security solutions lies in their inability to learn the application context needed to detect anomalies. Accordingly, 50% of security leaders commented that WAF and SAST/DAST are not in their roadmap for API security.

With the expansion of the API attack surface, many enterprises recognize that their current security tools are limited. Legacy security solutions are mainly rule-based, which makes them hard to scale and hard to maintain, and often results in high false-positive rates.

Agnostic to the actual application context, these solutions provide the same protection capabilities everywhere, using known threat signatures and vulnerabilities. They aim to protect every API in the same way, regardless of the unique business logic that governs how that API functions.

API security is the new application security

We have seen that the existing API security backbone and the WAF offer little to no cover against advanced API threats and functional attacks. Since functional attacks illegitimately leverage authentic API calls, general-purpose security solutions are ineffective at providing robust API protection.

How enterprise security leaders are rethinking application security in the API-first era

1. Start with collaboration

Going by the Imvision API Security Survey findings, it is evident that centralized integration teams are the go-to option for enterprises when it comes to handling API security. At the same time, many security leaders think they should be the ones responsible for APIs. This situation suggests that collaboration is needed to leverage the experience of traditional enterprise security areas, combined with a deep understanding of the particular challenges presented by the unique nature of APIs.

2. Understand the API business logic

Detecting zero-day API attacks starts with deep context. A deep understanding of the API business logic allows organizations to detect anomalous behaviors that break that logic. This can be achieved by learning the application's behavior patterns through complete analysis of API data, which requires AI-powered models that analyze API traffic and automatically uncover how an application behaves. This approach effectively detects and mitigates complex attacks that might otherwise sneak past legacy security measures.
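The two passages above (functional attacks that look like valid requests, and learning application behavior to catch calls that break the business logic) are easiest to see with a concrete detector. The following is an added example, not Imvision's code or any product's algorithm: it learns the legitimate call flow of a small checkout API from constructed baseline logs and then flags a session in which every request is individually valid but the order skips a step. The endpoints, session identifiers, and log records are all constructed for the illustration.

```python
"""Call-flow anomaly detection over API access logs.

Added example (not Imvision's code): learns the legitimate call sequences
of an API from baseline traffic and flags sessions whose individual
requests are all valid but whose order breaks the expected flow.
"""
import re
from collections import defaultdict

# Constructed baseline traffic: (session_id, method, path) from legitimate use.
BASELINE = [
    ("s1", "POST", "/login"),
    ("s1", "GET", "/cart"),
    ("s1", "POST", "/cart/items"),
    ("s1", "POST", "/checkout/price"),
    ("s1", "POST", "/checkout/pay"),
    ("s1", "POST", "/checkout/confirm"),
    ("s1", "GET", "/orders/1001"),
    ("s2", "POST", "/login"),
    ("s2", "POST", "/cart/items"),
    ("s2", "GET", "/cart"),
    ("s2", "POST", "/checkout/price"),
    ("s2", "POST", "/checkout/pay"),
    ("s2", "POST", "/checkout/confirm"),
    ("s3", "POST", "/login"),
    ("s3", "GET", "/orders/1002"),
]

START = "START"


def normalize(method, path):
    """Collapse numeric identifiers so '/orders/1001' and '/orders/1002' share one template."""
    template = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return f"{method} {template}"


def learn_flow(records):
    """Build the set of (previous_call, next_call) transitions seen in legitimate sessions."""
    sessions = defaultdict(list)
    for session_id, method, path in records:
        sessions[session_id].append(normalize(method, path))
    transitions = set()
    for calls in sessions.values():
        prev = START
        for call in calls:
            transitions.add((prev, call))
            prev = call
    return transitions


def flag_session(model, calls):
    """Return (position, previous_call, call) for each transition never seen in the baseline.

    Every call in the session may be a perfectly valid request on its own; the
    finding is that the ORDER was never observed, for example reaching
    'POST /checkout/confirm' without first going through 'POST /checkout/pay'.
    """
    findings = []
    prev = START
    for pos, (method, path) in enumerate(calls):
        call = normalize(method, path)
        if (prev, call) not in model:
            findings.append((pos, prev, call))
        prev = call
    return findings


if __name__ == "__main__":
    model = learn_flow(BASELINE)
    # Constructed session: valid requests, but confirm is reached without pricing or paying.
    suspicious = [("POST", "/login"), ("POST", "/cart/items"),
                  ("POST", "/checkout/confirm"), ("GET", "/orders/1003")]
    for pos, prev, call in flag_session(model, suspicious):
        print(f"request #{pos}: '{call}' after '{prev}' was never seen in the baseline")
```

A signature-based WAF would pass every request in the suspicious session, since each one is well-formed and comes from an authenticated user; only the learned flow model notices that `POST /checkout/confirm` directly after `POST /cart/items` never occurs in legitimate traffic. The model here is a first-order transition set, so it only sees the immediately preceding call; a production detector would also learn longer sequences and per-user object ownership, which is the kind of context the article is describing.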

3. NLP-based API security

With AI-based proactive and automated security mechanisms, enterprises can achieve ongoing security analysis that adapts to changes in API specifications. It is vital to recognize an API's functionality in order to tailor protection around it automatically. That way, protection improves with minimal false positives even as APIs evolve.

Natural Language Processing (NLP), an AI technology that focuses on how computers understand natural human language, can empower a new, context-aware layer of protection. NLP algorithms can analyze API dialogues, which use plain English to structure requests and responses. This method uncovers deep relations between data objects in different contexts and differentiates properly structured requests and responses from anomalies that use the wrong hierarchy when requesting data objects or employ a different representation of the API data.

NLP therefore provides a way to identify applications that incorrectly describe API resources and fields. AI-based NLP solutions provide high accuracy by automatically learning API business logic and going beyond metadata analysis. Using NLP also does not require comprehensive, ongoing maintenance to ensure all sensitive data is identified and protected.

This allows organizations to scale protection, since the approach provides high accuracy and discards meaningless activity. Additionally, security analysts can use NLP results to explain the meaning of specific anomalies in terms of the objects on which they occurred, their characteristics, the manipulated relationship, and the affected devices and users. With such rich insights, organizations can achieve faster remediation and improved collaboration.
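The NLP section describes two concrete classes of anomaly: requests that use the wrong hierarchy when addressing data objects, and requests that use a different representation of a known field. The following added example (not Imvision's NLP engine, and not NLP at all, but a plain structural baseline that catches the same two classes) learns from constructed gateway traffic which resource hierarchies exist and what shape each endpoint's request body takes, then checks incoming requests against that model. The banking-style endpoints, field names, and records are constructed for the illustration.

```python
"""Resource-hierarchy and request-shape baseline for API traffic.

Added example (not Imvision's code): learns from legitimate traffic which
resource hierarchies exist and what shape each endpoint's request body takes,
then flags calls that use an unknown hierarchy, an unseen field, or a
different representation of a known field.
"""
import json
import re
from collections import defaultdict

# Constructed baseline: legitimate requests as captured at an API gateway.
BASELINE = [
    {"method": "GET", "path": "/customers/42/accounts/7", "body": None},
    {"method": "GET", "path": "/customers/42/accounts", "body": None},
    {"method": "POST", "path": "/customers/42/accounts/7/transfers",
     "body": {"to_account": 9, "amount": 12.5, "currency": "EUR"}},
    {"method": "POST", "path": "/customers/15/accounts/3/transfers",
     "body": {"to_account": 21, "amount": 300, "currency": "USD"}},
]


def path_template(path):
    """Collapse numeric identifiers so paths map to their resource hierarchy."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def shape(value):
    """Describe the structure of a JSON value (field names and value types), ignoring contents."""
    if isinstance(value, bool):          # bool is a subclass of int, so test it first
        return "bool"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "string"
    if value is None:
        return "null"
    if isinstance(value, list):
        return ["list", sorted({json.dumps(shape(v), sort_keys=True) for v in value})]
    return {k: shape(v) for k, v in value.items()}


def _fingerprint(body):
    return json.dumps(shape(body), sort_keys=True)


def learn_structure(records):
    """Map (method, hierarchy template) -> set of body fingerprints seen in legitimate use."""
    model = defaultdict(set)
    for r in records:
        model[(r["method"], path_template(r["path"]))].add(_fingerprint(r["body"]))
    return model


def check_request(model, request):
    """Return a list of findings; an empty list means the request matches the baseline."""
    key = (request["method"], path_template(request["path"]))
    if key not in model:
        # Objects addressed through a hierarchy the application never exposes.
        return [f"unknown resource hierarchy: {key[0]} {key[1]}"]
    fp = _fingerprint(request["body"])
    if fp not in model[key]:
        # Known endpoint, but a field set or value representation never seen before.
        return [f"unseen request shape for {key[0]} {key[1]}: {fp}"]
    return []


if __name__ == "__main__":
    model = learn_structure(BASELINE)
    probes = [  # constructed requests, one per anomaly class
        {"method": "GET", "path": "/accounts/7/customers/42", "body": None},
        {"method": "POST", "path": "/customers/42/accounts/7/transfers",
         "body": {"to_account": "9", "amount": 12.5, "currency": "EUR"}},
        {"method": "POST", "path": "/customers/42/accounts/7/transfers",
         "body": {"to_account": 9, "amount": 12.5, "currency": "EUR", "fee_waived": True}},
    ]
    for p in probes:
        print(p["method"], p["path"], "->", check_request(model, p) or "ok")
```

The three probes show the classes the article names: the first reverses the customer/account hierarchy, the second sends `to_account` as a string where the baseline only ever saw a number, and the third adds a field the client was never observed to send (the mass-assignment pattern). A WAF signature would match none of them, because each request is syntactically clean; the finding comes entirely from the learned structure of the application's own dialogue.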

The road ahead

The proliferation of APIs will intensify. While this is great news for customer experience and business innovation, the increased use of APIs also means the attack surface will keep growing at a similar pace. With traditional security measures like the WAF proving futile at ensuring API protection, security professionals need a new approach in their security strategies.

Collaboration, in-depth understanding of API business logic, and applying NLP-based API security will enable enterprises to gain the visibility and insights needed for effective governance and controls. These approaches enhance the ability to influence and reinforce security standards across the organization, resulting in better protection.


For more information on IMVision, please visit https://www.imvision.ai/.
