
APISEC : SALT API SECURITY

Current Approaches in API Security

API security, like any other security discipline, is not a single control but a combination of many overlapping efforts, and it has to be treated as part of how the business operates.


Here are some things to consider when addressing modern threats:


Authentication


Authentication is the foundation of a security strategy, but on its own it is a low bar for an attacker to clear. Relying on authentication alone gives a false sense of security. Do not underestimate how easy it is for a determined attacker to obtain a valid set of credentials, whether through phishing, reuse of passwords leaked elsewhere or other means. Once authenticated, the attacker looks like any other user, so the controls that follow authentication have to carry the weight.


Authorization


After a user has been authenticated, what they are allowed to do is controlled by authorization: the rules that define which actions and which objects each user may and may not access. APIs form a complex web, with logic specific to each application, and that complexity grows as multiple applications are connected through APIs. On top of that, the differing roles and authorization requirements of end users, administrators, developers and others make the web even harder to get right, and every missing check on an object or function is an opening for an authenticated attacker.


Rate Limiting


Another approach to API security is to limit the volume of requests a client can make. Rate limiting can blunt volume-based distributed denial of service (DDoS) attacks, credential attacks such as brute forcing and credential stuffing, and bots scraping or manipulating site data. It does not, however, stop a low-and-slow attacker who stays under the threshold, and it says nothing about whether the requests that do get through are legitimate.
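As an added example that is not part of the original page, the following Python simulates the kind of rate limiting described above. It keys a token bucket on two dimensions, the source address and the targeted account, and runs two constructed attack patterns through it: credential stuffing (one source, many accounts) and brute forcing (many sources, one account). The bucket sizes, refill rates and addresses are hypothetical; the clock is injected so the run is deterministic.

```python
import time


class TokenBucket:
    """Per-key token bucket: each key starts with `capacity` tokens and refills
    at `rate` tokens per second; a request is allowed if a token is available."""

    def __init__(self, capacity: int, rate: float, now=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.now = now            # injectable clock so the simulation is deterministic
        self.buckets = {}         # key -> (tokens, last_refill_time)

    def allow(self, key: str) -> bool:
        t = self.now()
        tokens, last = self.buckets.get(key, (float(self.capacity), t))
        tokens = min(float(self.capacity), tokens + (t - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, t)
            return True
        self.buckets[key] = (tokens, t)
        return False


class FakeClock:
    """Deterministic stand-in for time.monotonic()."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float):
        self.t += seconds


def simulate_logins(attempts, per_second=100.0):
    """Gate a stream of (source_ip, target_account) login attempts with two limiters:
    a broad per-IP bucket and a tight per-account bucket. Returns (allowed, blocked)."""
    clock = FakeClock()
    per_ip = TokenBucket(capacity=20, rate=1.0, now=clock)       # hypothetical limits
    per_account = TokenBucket(capacity=5, rate=0.1, now=clock)
    allowed = blocked = 0
    for ip, account in attempts:
        clock.advance(1.0 / per_second)
        # An attempt rejected by the account bucket still spends an IP token; that is
        # intentional, the client burned its budget on the request.
        if per_ip.allow(ip) and per_account.allow(account):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


# Constructed attack traffic (addresses from documentation ranges).
# Credential stuffing: one source tries 30 different accounts once each.
STUFFING = [("203.0.113.7", f"user{i}@example.com") for i in range(30)]
# Brute force: ten sources each try the same account three times.
BRUTE_FORCE = [(f"198.51.100.{i}", "admin@example.com") for i in range(10) for _ in range(3)]

if __name__ == "__main__":
    print(simulate_logins(STUFFING))      # (20, 10): the per-IP bucket stops the burst
    print(simulate_logins(BRUTE_FORCE))   # (5, 25): the per-account bucket stops the spread
```

Neither bucket alone catches both patterns: the stuffing run never exceeds one attempt per account, and the brute-force run never exceeds three attempts per source. Keying on more than one dimension is what makes the limiter useful against credential attacks rather than only against raw volume.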


Web Application Firewalls


With modern API attacks, the golden age of Web Application Firewalls (WAFs) is partly over. These tools were built to identify predictable attacks from signatures and rules, such as cross-site scripting (XSS) and SQL injection (SQLi). The challenge is that a WAF depends on those signatures, which must be kept up to date to block the latest attack types, so your protection is only as current as your latest update. Attacks on API business logic, such as an authenticated user requesting another user's object by changing an identifier, contain no malicious payload for a signature to match at all.
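The following Python is an added example, not code from the original page or from any vendor, that ties together the Authorization and Web Application Firewalls sections above. It runs two constructed requests through an illustrative signature filter and then through two versions of an invoice handler: one that stops at authentication and one that enforces object-level authorization. The invoice data, the signature regexes and the request shape are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample data (hypothetical): two invoices owned by different users.
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "bob", "total": 75.50},
}

# Illustrative signature list of the kind a WAF matches on; not a real ruleset.
SIGNATURES = [
    re.compile(r"(?i)(union\s+select|\bor\s+1=1|';\s*--)"),   # SQLi-style fragments
    re.compile(r"(?i)<script\b"),                              # XSS-style fragments
]


@dataclass
class Request:
    user: str     # authenticated principal, i.e. authentication already succeeded
    path: str
    query: str = ""


def waf_allows(req: Request) -> bool:
    """Signature check: block only if a known attack pattern appears in the request."""
    text = f"{req.path}?{req.query}"
    return not any(sig.search(text) for sig in SIGNATURES)


def invoice_id_from(req: Request) -> int:
    return int(req.path.rsplit("/", 1)[1])


def get_invoice_unchecked(req: Request):
    """Vulnerable handler: trusts that authentication is enough and never checks
    ownership (broken object level authorization)."""
    return INVOICES.get(invoice_id_from(req))


def get_invoice_checked(req: Request):
    """Hardened handler: enforces object-level authorization on every lookup."""
    invoice = INVOICES.get(invoice_id_from(req))
    if invoice is None or invoice["owner"] != req.user:
        return None   # deny without revealing whether the object exists
    return invoice


def handle(req: Request, handler):
    """Run a request through the signature filter and then the handler."""
    if not waf_allows(req):
        return "blocked by WAF"
    result = handler(req)
    return "forbidden" if result is None else result


if __name__ == "__main__":
    sqli = Request("alice", "/invoices/101", "note=x' OR 1=1--")
    bola = Request("alice", "/invoices/102")            # alice asks for bob's invoice
    print(handle(sqli, get_invoice_unchecked))          # blocked by WAF
    print(handle(bola, get_invoice_unchecked))          # {'owner': 'bob', 'total': 75.5}
    print(handle(bola, get_invoice_checked))            # forbidden
```

The injection attempt is caught because it carries a recognizable payload. The second request is byte-for-byte a normal, authenticated read of an invoice; only a check that knows who owns object 102 can tell that alice should not receive it, and that knowledge lives in the application's own logic, not in a signature.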


Shift Left


A number of development practices have been adopted to improve APIs before they go live: code scanning, penetration testing and making developers more security conscious. These practices help, but they are also complex, time-consuming and expensive, and they still leave gaps. With limited development resources, fixing the vulnerabilities they find can be difficult. And a developer will not usually think like an attacker looking for a detour around the intended flow.


You've done all this, so why are you still at risk?


While traditional security approaches are still relevant, the following capabilities are essential to get value from your security stack and to protect modern applications and APIs.


Key Components of a Powerful API Security Solution

Signatureless and Configuration-Free Architecture


Applications change constantly and the logic of each one is unique, so static signatures are ineffective against attacks on that logic. Manual configuration takes time and expertise, is error-prone, and is at best likely to be incomplete. A security solution needs to learn the unique details of your own applications and APIs and, to stay effective, must adapt autonomously and keep pace with changes automatically.


Continuously Updated Inventory


Creating a comprehensive inventory of your APIs is critical to understanding your risk and prioritizing it appropriately. Keeping that catalog updated automatically from observed traffic lets you discover shadow APIs (endpoints in production that nobody documented), zombie APIs (deprecated or forgotten endpoints that still answer requests) and APIs that expose sensitive data.
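As an added example, not the page's own material, the Python below builds the kind of inventory the paragraph describes from two constructed inputs: a documented endpoint list (as one might extract from an OpenAPI file) and a handful of observed request and response samples. It normalizes paths so that identifiers collapse into one endpoint, then reports shadow endpoints, zombie endpoints and endpoints whose responses contain sensitive data. The endpoint names, response snippets and detection patterns are hypothetical.

```python
import re
from collections import defaultdict

# Constructed: endpoints listed in the documented spec (hypothetical).
DOCUMENTED = {
    "GET /v2/users/{id}": {"deprecated": False},
    "GET /v1/users/{id}": {"deprecated": True},    # retired in the docs, should be gone
    "POST /v2/orders":    {"deprecated": False},
}

# Constructed observed traffic: (method, path, status, response snippet).
OBSERVED = [
    ("GET",  "/v2/users/42",          200, '{"id":42,"email":"a@example.com"}'),
    ("GET",  "/v1/users/42",          200, '{"id":42,"ssn":"123-45-6789"}'),
    ("GET",  "/internal/debug/flags", 200, '{"feature_flags":["beta"]}'),
    ("POST", "/v2/orders",            201, '{"order":9001}'),
    ("GET",  "/v2/export/users",      200, '{"card":"4111111111111111"}'),
]

SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card":  re.compile(r"\b\d{13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary long numbers are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize(method: str, path: str) -> str:
    """Collapse numeric path segments so /v2/users/42 and /v2/users/43 are one endpoint."""
    collapsed = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return f"{method} {collapsed}"


def classify_response(body: str):
    """Return the set of sensitive data types found in a response body."""
    found = set()
    for name, pattern in SENSITIVE_PATTERNS.items():
        for match in pattern.findall(body):
            if name == "card" and not luhn_ok(match):
                continue
            found.add(name)
    return found


def build_inventory(observed, documented):
    """Live catalog plus shadow and zombie endpoints and sensitive-data exposure."""
    live = defaultdict(set)
    for method, path, status, body in observed:
        if 200 <= status < 300:                      # only endpoints that actually serve
            live[normalize(method, path)] |= classify_response(body)
    shadow = {ep for ep in live if ep not in documented}
    zombie = {ep for ep in live if documented.get(ep, {}).get("deprecated")}
    sensitive = {ep: kinds for ep, kinds in live.items() if kinds}
    return {"live": set(live), "shadow": shadow, "zombie": zombie, "sensitive": sensitive}


if __name__ == "__main__":
    for key, value in build_inventory(OBSERVED, DOCUMENTED).items():
        print(key, value)
```

Two of the five live endpoints appear in no spec, the deprecated v1 endpoint is still serving personal data, and a bulk export endpoint returns card numbers. None of that is visible from the documentation alone, which is why the inventory has to be driven by what actually answers on the wire.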


Attack Detection and Prevention


Effectively detecting and preventing API attacks requires a deep understanding of the logic of each API. A solution built on that understanding should learn the typical behavior of your APIs, establish it as a baseline, and detect subtle deviations from it. Deviations fall into two categories, harmless and malicious, and the solution must tell them apart and surface only the malicious ones, so that security teams can focus on real attacks and block them quickly. Providing this insight early is critical to stopping an attacker before they reach their ultimate goal, since reconnaissance such as walking through object identifiers usually precedes the actual theft of data.
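The Python below is an added example of the baseline-and-deviation idea described above; it is not the page's own code and not Salt Security's engine. It learns, per endpoint, how many distinct objects a single user normally touches, then examines a live window containing a normal user, a busier but legitimate user, and an account enumerating sequential identifiers. Only the enumerator crosses the learned envelope, and its events are consolidated into one incident record. All traffic, user names and thresholds are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Event shape: (timestamp, user, endpoint, object_id, http_status). All traffic is constructed.

# Learning period: ten ordinary users, each reading one to three of their own invoices.
LEARNING = []
for i, n in enumerate([1, 2, 1, 3, 2, 1, 2, 2, 1, 3]):
    for j in range(n):
        LEARNING.append((100 + i, f"u{i}", "GET /invoices/{id}", 1000 + 10 * i + j, 200))

# Live window: a normal user, a busier-than-usual but legitimate user, and an enumerator
# walking sequential identifiers and hitting many objects that do not exist.
LIVE = [(200 + k, "u3", "GET /invoices/{id}", 1030 + k, 200) for k in range(2)]
LIVE += [(300 + k, "u7", "GET /invoices/{id}", 1070 + k, 200) for k in range(4)]
LIVE += [(400 + k, "mallory", "GET /invoices/{id}", 5000 + k, 200 if k % 3 == 0 else 404)
         for k in range(40)]


def build_baseline(events):
    """Per endpoint: mean and population stdev of distinct objects one user touches."""
    per_endpoint = defaultdict(lambda: defaultdict(set))
    for _, user, endpoint, object_id, _ in events:
        per_endpoint[endpoint][user].add(object_id)
    baseline = {}
    for endpoint, users in per_endpoint.items():
        counts = [len(ids) for ids in users.values()]
        baseline[endpoint] = (mean(counts), pstdev(counts))
    return baseline


def detect(events, baseline, k=3.0):
    """Flag (user, endpoint) pairs whose distinct-object count exceeds mean + k*stdev and
    consolidate each pair's events into a single incident record (an attacker timeline)."""
    per_actor = defaultdict(list)
    for ev in events:
        per_actor[(ev[1], ev[2])].append(ev)
    incidents = []
    for (user, endpoint), evs in per_actor.items():
        mu, sigma = baseline.get(endpoint, (0.0, 0.0))
        distinct = len({ev[3] for ev in evs})
        if distinct <= mu + k * sigma:
            continue    # inside the learned envelope: normal use or a harmless deviation
        not_found = sum(1 for ev in evs if ev[4] == 404) / len(evs)
        incidents.append({
            "user": user,
            "endpoint": endpoint,
            "distinct_objects": distinct,
            "not_found_ratio": round(not_found, 2),   # probing for objects that do not exist
            "first_seen": min(ev[0] for ev in evs),
            "last_seen": max(ev[0] for ev in evs),
            "events": len(evs),
            "timeline": sorted(evs),
        })
    return incidents


if __name__ == "__main__":
    for incident in detect(LIVE, build_baseline(LEARNING)):
        print({key: value for key, value in incident.items() if key != "timeline"})
```

The user who reads four invoices instead of the usual one to three is a deviation, but it sits within three standard deviations of the baseline and produces no alert; the account that touches forty identifiers, most of which do not exist, produces exactly one. Forty raw log lines become one record with a first-seen and last-seen time, which is the form an analyst can act on before the enumeration turns into a bulk read of the objects that were found.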


Eliminating Vulnerabilities


The best way to improve security is for developers to eliminate vulnerabilities at the source. Because developers' primary focus is on building new features, they usually work under tight schedules. Clear insight into why a vulnerability exists, where it exists and how best to fix it makes remediation effective. Delivering that insight inside the tools developers already use further increases efficiency, bridges the gap between security and the development workflow, and makes the most of limited developer resources.


Summary


Traditional methods that once provided adequate protection are no longer sufficient against modern threats. Security strategies must target the unique logic of each application and keep up with the evolution of both the applications and the attackers. A solution must provide comprehensive, up-to-date visibility into dynamic, changing environments, and detect and stop subtle attacks aimed at business logic. Finally, it should provide the insights teams need to eliminate API vulnerabilities and continuously improve their security posture.


SALT SECURITY

Salt Security's patented API Context Engine (ACE) architecture, the only one of its kind, blocks API attacks by learning a baseline from your own environment and identifying anomalies against it. It looks for suspicious patterns of activity and consolidates related events into a single attacker timeline, reducing false positives and eliminating 96% of alerts. As a solution that bridges the gap between development and security, the Salt Security API Security Platform is a highly effective tool.


