APIs (Application Programming Interfaces) have existed since the 1970s, when they defined the boundary between hardware and the software written against it. They became far more prevalent with the standardization of network protocols and the rise of Java-era enterprise standards, which led to the modern multi-tier API approach that is the foundation of today's multi-channel digital transformation.
The meteoric rise of APIs has produced groundbreaking application agility. On the flip side, it has exposed the organizations that rely on them to cyberattacks. Gartner predicted that by 2022 API abuses would be the most frequent attack vector resulting in data breaches for enterprise web applications. Most existing perimeter defenses were designed for browser-driven web traffic, not for APIs.
This makes APIs an ideal target for threat actors, as the number and scale of API-related cyber incidents have shown. These incidents have resulted in financial losses in the billions of dollars, leakage of petabytes of private data, and compromised stability and integrity of critical applications and systems.
The Open Web Application Security Project® (OWASP), the community-driven reference for web application security, has long worked to catalogue the enormous volume of vulnerabilities found along the path from browser to web application server. To that end it publishes and periodically updates its Top 10 list of web application risks, and those updates shape the design and functionality of every major WAF (Web Application Firewall) solution on the market.
Comparing the OWASP Top 10 web application risks with the OWASP API Security Top 10 makes two things clear: key API vulnerabilities are not addressed by WAF design, and other significant API threats lie beyond the focus and capabilities of WAF solutions altogether.
WAF solutions and services remain essential for securing web traffic, but they were not built to secure APIs. CISOs, CIOs, and heads of DevOps understand that their critical business applications are therefore not secure but exposed and vulnerable.
As shown in the diagram above, WAF solutions lack the API1 risk analysis capability needed to detect all exploitation of Broken Object Level Authorization (BOLA). This means they cannot address one of the most common attack surfaces seen in hundreds of API-driven breach events. Because object-based authorization and access control are used in practically every modern application, a minor change to an otherwise well-formed request (for example, swapping one object identifier for another in the JSON body or URL path) can turn a legitimate-looking API call into a leak of another user's sensitive data, and nothing in the request looks malicious to a signature-based WAF. Likewise, API4 (Lack of Resources & Rate Limiting) can be exploited effortlessly for service exhaustion and denial of service if no rate limits are set.
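The two risks named above are easiest to see in code. The following is an added example written for this article, not code from L7 Defense, Ammune™ or OWASP: a minimal in-memory "invoices" API with constructed sample data. `get_invoice_vulnerable` reproduces API1 (the request is syntactically perfect, so a WAF has nothing to match on, yet it returns another user's invoice), `get_invoice_hardened` adds the ownership check that closes it, and `RateLimiter` is a per-caller token bucket addressing API4. Function names, the invoice records and the IBAN strings are all hypothetical.

```python
"""Added example (not L7 Defense / Ammune or OWASP code) illustrating OWASP API1 (BOLA)
and API4 (Lack of Resources & Rate Limiting) with an in-memory API. All data is constructed."""

# Constructed sample data: two invoices owned by two different users.
INVOICES = {
    "inv-1001": {"owner": "alice", "amount": 120.00, "iban": "DE00 0000 0000 0000 0000 00"},
    "inv-1002": {"owner": "bob",   "amount": 75.50,  "iban": "FR00 0000 0000 0000 0000 0000 000"},
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested object (or it does not exist)."""


def get_invoice_vulnerable(caller: str, invoice_id: str) -> dict:
    """API1 / BOLA: the object is looked up by identifier only.
    GET /invoices/inv-1002 sent by alice is a perfectly well-formed request, carries no
    attack pattern a WAF signature could match, and still returns bob's invoice."""
    return INVOICES[invoice_id]


def get_invoice_hardened(caller: str, invoice_id: str) -> dict:
    """Object-level authorization: the authenticated caller must own the object.
    Missing and foreign objects are treated identically so the endpoint cannot be used
    to enumerate which identifiers exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != caller:
        raise Forbidden(invoice_id)
    return invoice


class RateLimiter:
    """API4 mitigation: a per-caller token bucket. Each caller may burst up to `capacity`
    requests; tokens refill at `rate` per second. `now` is passed in explicitly so the
    behaviour is deterministic and testable without sleeping."""

    def __init__(self, capacity: int, rate: float):
        self.capacity = capacity
        self.rate = rate
        self.buckets = {}  # caller -> (remaining tokens, timestamp of last update)

    def allow(self, caller: str, now: float) -> bool:
        tokens, last = self.buckets.get(caller, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[caller] = (tokens, now)
            return False
        self.buckets[caller] = (tokens - 1.0, now)
        return True


def handle_request(limiter: RateLimiter, caller: str, invoice_id: str, now: float,
                   hardened: bool = True):
    """Tiny request pipeline returning an (HTTP status, body) tuple.
    The rate limit is applied before any business logic so an attacker cannot burn
    database lookups while probing identifiers; authorization failures map to 404."""
    if not limiter.allow(caller, now):
        return 429, {"error": "too many requests"}
    try:
        handler = get_invoice_hardened if hardened else get_invoice_vulnerable
        return 200, handler(caller, invoice_id)
    except (Forbidden, KeyError):
        return 404, {"error": "not found"}


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, rate=1.0)
    # alice requesting bob's invoice: leak in the vulnerable handler, 404 in the hardened one.
    print(handle_request(limiter, "alice", "inv-1002", now=0.0, hardened=False))
    print(handle_request(limiter, "alice", "inv-1002", now=0.0, hardened=True))
    # An enumeration burst from one caller is cut off by the token bucket.
    for _ in range(3):
        print(handle_request(limiter, "mallory", "inv-1001", now=0.0))
```

The point of the example is the first request: an identifier swap is the whole exploit, so detection has to reason about which caller is allowed to see which object at the argument level, rather than about the shape of the request. The token bucket is deliberately keyed per authenticated caller; keying it per source IP alone is easy to evade from a distributed client base.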
Two years after OWASP published its first API Security Top 10, the correlation between API risks and massive cyber incidents had become evident. This means the original API risk factors are no longer fully aligned with current challenges: the potential for massive cyberattacks abusing vulnerabilities in modern APIs is more prominent than ever before.
OWASP responded with its 2021 Top 10 list, which still focuses on web risks but begins to address API exploitation as the key trigger in major cyber events across every key market segment, from finance and open banking to IoT, 5G networking and commercial digital communication.
To identify these threats and their potential impact, an analytical, AI-driven application security platform must be put in place to mitigate the detailed API risks as well as the web risks already covered. This provides a broad security framework for mitigating advanced API threats.
The optimal way to protect APIs is a holistic approach that produces an advanced threat mitigation strategy built from a balanced blend of technologies and tactics. A fully automated, AI-based API security solution that adopts this approach is Ammune™ by L7 Defense. Its AI/ML-driven analytical security technologies produce a micro protection shield for each analyzed API. L7 Defense's adaptive API protection capabilities and API discovery abilities detect APIs down to argument-level resolution. Furthermore, Ammune™ offers a complete defense strategy that fuses multiple threat mitigation mechanisms with automation features for real-time inline mitigation, all grounded in a holistic approach to API security.
To conclude, Ammune™ by L7 Defense actively protects APIs in real time against cyberattacks. The fully automated, AI-based API security offering works inline, automatically and with high accuracy against the most advanced attacks, in the cloud and on-premises.