O'Reilly Modern Defense in Depth

apps, mobile users, and web-based partners, and APIs are becoming a major security risk that is often overlooked. Attackers understand that APIs can be manipulated to expose sensitive data, are vulnerable to man-in-the-middle (MITM) attacks, and can certainly be affected by denial-of-service (DoS) attacks as well. Defending publicly exposed APIs as the next line of defense is becoming increasingly important.

Most people don't realize that the growth and usage of APIs on the internet is soaring higher than ever before. APIs are being used by all sorts of organizations to increase their ability to provide goods and services on the internet, while streamlining their operations and application usage by end users and partners alike. Having methods of protecting these APIs from all sorts of malicious activity is becoming imperative, given that attackers have determined that poorly protected APIs are a new attack target. Like browser-based web applications, APIs can be used to expose a glut of previously unknown vulnerabilities. Having defenses in place to protect APIs makes a great deal of sense today.

From upstream reverse proxies limiting the amount of traffic any API server can receive, to bot detection and mitigation by way of security token challenges that validate legitimate calls, to WAFs applying relevant rules to API traffic, increasing levels of protection can be achieved. Because adequately protecting APIs requires the functionality of the other upstream lines of defense, having all lines of defense at hand will allow organizations to safely increase their usage of APIs well into the future.

Defensive Line 8: Caching

The final line of defense is most often thought of in the context of website speed and consistent performance, from a visitor's perspective. These days, having responsive sites and applications is essential because of visitors' expectations. In the past, visitors were more lenient with slow response times, sluggish screen repaints, time-consuming downloads, and so forth. But today, visitors are generally unforgiving if there is a delay in accessing the information they desire. Therefore, caching is an important final line of defense. Caching not only improves site responsiveness, it provides a line of defense to protect the downstream origin servers from a host of different assaults. Attackers understand that site and application
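As an added illustration of two of the upstream API controls named in the section above (a signed security token that validates legitimate calls, followed by per-client traffic limiting of the kind a reverse proxy applies), here is a small Python gate written for this page; it is not code from the O'Reilly report. The secret, rate, burst size, and client identifiers are constructed values, and in a real deployment these checks sit in the proxy in front of the API servers rather than in the API itself.

```python
import hmac
import hashlib

SECRET = b"constructed-demo-secret"   # constructed; use a per-deployment secret in practice
TOKEN_TTL = 300                       # seconds a challenge token stays valid
RATE = 5.0                            # sustained requests per second allowed per client
BURST = 10                            # bucket size: short bursts above RATE that are tolerated


def issue_token(client_id: str, now: float) -> str:
    """Hand out a signed challenge token once a client has passed the bot check.
    The token binds the client id and an expiry, so it cannot be replayed by another
    client or used indefinitely."""
    expiry = int(now) + TOKEN_TTL
    msg = f"{client_id}:{expiry}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{client_id}:{expiry}:{sig}"


def token_valid(token: str, client_id: str, now: float) -> bool:
    """Reject malformed, expired, foreign, or forged tokens (constant-time compare)."""
    try:
        cid, expiry, sig = token.split(":")
        expiry_ts = int(expiry)
    except ValueError:
        return False
    if cid != client_id or expiry_ts < now:
        return False
    expected = hmac.new(SECRET, f"{cid}:{expiry}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


class ApiGate:
    """Upstream gate: token check first, then a token-bucket rate limit per client,
    so unauthenticated floods never consume bucket state or reach the origin."""

    def __init__(self) -> None:
        self.buckets = {}   # client_id -> (tokens remaining, time of last request)

    def allow(self, client_id: str, token: str, now: float) -> str:
        if not token_valid(token, client_id, now):
            return "reject: bad token"
        tokens, last = self.buckets.get(client_id, (float(BURST), now))
        tokens = min(float(BURST), tokens + (now - last) * RATE)   # refill since last call
        if tokens < 1.0:
            self.buckets[client_id] = (tokens, now)
            return "reject: rate limited"
        self.buckets[client_id] = (tokens - 1.0, now)
        return "allow"
```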
