API Security FAQ


FREQUENTLY ASKED QUESTIONS: UNDERSTANDING API SECURITY

How do APIs become a security risk?

APIs are essential to building open applications and are particularly popular in mobile apps. To give a sense of the size of the market, one API development platform alone, Postman, is used by more than 5 million developers. But the more frequently APIs are used to enrich web experiences, the more they expand the attack surface available to cybercriminals. They are attractive targets for the same reasons they are attractive to developers: APIs are open and integrate with other applications and services. They give cybercriminals a window not only into the open applications themselves, but into all the data those applications can reach. Leaving API security as the responsibility of DevOps teams alone is risky. With the rise of DevSecOps, more teams are building security into APIs, but even that will not provide the protection you need at every endpoint. And as cybercriminals become more sophisticated in their attack methods, you want the flexibility to incorporate new methods of protection and to continuously monitor and tune your API security management policies as the environment changes.

What types of vulnerabilities do APIs create?

Distributed denial-of-service (DDoS) attacks and bots are by far the biggest API security concern. In a survey of 250 IT and security professionals, nearly 40 percent ranked DDoS attacks and bots as their main API security concern, while 24.4 percent cited authentication enforcement. On average, the companies surveyed managed 363 different APIs, and nearly 70 percent exposed APIs to the public and to partners. One reason DDoS and botnet attacks target APIs is that many organizations lack proper security protections. Traditional API protection relies on IP rate limiting and basic DDoS protection techniques. These are necessary but not sufficient. You need a solution that vets API requests, using advanced algorithms to determine their legitimacy, so that API attacks are stopped at the edge of the network and only authorized traffic passes through. That lets you protect web services from DDoS attacks and malicious bots without disrupting legitimate API traffic from customers and partners.

Is a traditional web application firewall (WAF) enough to secure API endpoints?

A basic WAF will not give you the full protection you need against API attacks. API security should be part of a holistic approach to cybersecurity that provides a unified view of all attack vectors and offers centralized management and monitoring of your entire web environment. Your web application and API security solution should protect against DDoS attacks and malicious bots, since those are the leading attack vectors. Malicious actors do not care how they get into your network; they look at all of your vulnerabilities, not just APIs. Your defense should be similarly agile, flexible and integrated.

What are the key capabilities, features, and functions to look for in an API security solution?

You do not want a solution that relies only on IP rate limiting. That will not give you the full protection you need at the edge and will let malicious traffic through. Nor do you want to rely on a WAF that
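As an added illustration of the point made twice above, that IP rate limiting is necessary but not sufficient against distributed bot traffic, the following Python compares a per-IP limiter with two window-wide signals a request-vetting layer can use. This is not the whitepaper's code; the thresholds, addresses and API keys are constructed assumptions.

```python
"""Constructed illustration: a per-IP rate limiter beside two aggregate checks.
Thresholds, addresses and API keys are assumptions, not from the whitepaper."""
from collections import Counter, defaultdict

PER_IP_LIMIT = 100      # requests per window allowed from one source IP (assumed)
ENDPOINT_BUDGET = 5000  # requests per window the endpoint can absorb (assumed)


def per_ip_blocked(requests, limit=PER_IP_LIMIT):
    """Classic IP rate limiter: count requests blocked because a single
    source IP exceeded `limit` within the window."""
    seen = Counter()
    blocked = 0
    for ip, _api_key in requests:
        seen[ip] += 1
        if seen[ip] > limit:
            blocked += 1
    return blocked


def aggregate_signals(requests, budget=ENDPOINT_BUDGET):
    """Window-wide signals a per-IP limiter never sees: total volume against
    the endpoint budget, and how many distinct IPs present each API key."""
    ips_per_key = defaultdict(set)
    for ip, api_key in requests:
        ips_per_key[api_key].add(ip)
    return {
        "total": len(requests),
        "over_budget": len(requests) > budget,
        "ips_per_key": {k: len(v) for k, v in ips_per_key.items()},
    }


def constructed_window():
    """One traffic window (constructed sample): 200 legitimate clients, each
    with its own key and 25 requests, plus a botnet of 1000 IPs sending 20
    requests each and all presenting one shared key."""
    legit = [(f"10.0.{i // 256}.{i % 256}", f"key-{i}")
             for i in range(200) for _ in range(25)]
    bots = [(f"198.51.{i // 256}.{i % 256}", "key-shared")
            for i in range(1000) for _ in range(20)]
    return legit + bots


if __name__ == "__main__":
    window = constructed_window()
    print("blocked by per-IP limit:", per_ip_blocked(window))   # 0
    signals = aggregate_signals(window)
    print("over budget:", signals["over_budget"],               # True
          "IPs on shared key:", signals["ips_per_key"]["key-shared"])  # 1000
```

The per-IP limiter blocks nothing because every bot stays under its own threshold, while the total of 25,000 requests against a 5,000 budget and the 1,000 addresses sharing one key are visible only in the aggregate view.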