Apr 15 2026

API Security in the Age of AI: Why Vulnerability Assessment Is Non-Negotiable

Category: AI,AI Governance,API securitydisc7 @ 12:23 pm

API Security — what it is and why it matters
API security is the practice of protecting application programming interfaces (APIs) from unauthorized access, abuse, and data exposure. APIs are the connective tissue between systems—apps, services, partners, and now AI models. Because they expose business logic and sensitive data directly, a single weak API can bypass traditional perimeter defenses. With over 80% of internet traffic now API-driven, attackers increasingly target APIs to exploit authentication flaws, misconfigurations, and excessive data exposure. In short, if your APIs are exposed, your core systems are exposed.

Why API security is critical (even more with AI in the mix)
If you’re already using AI tools, API security becomes non-negotiable. Most AI systems—LLMs, agents, automation workflows—rely heavily on APIs for data retrieval, decision-making, and action execution. That means every AI capability you deploy expands your API attack surface. A vulnerable API can allow attackers to manipulate inputs to AI models, extract sensitive data, or trigger unintended actions. AI doesn’t reduce risk—it amplifies it if the underlying APIs aren’t secured and tested.

Why API security matters for AI Governance
AI governance is about accountability, control, and trust in how AI systems operate. APIs are the execution layer of AI governance—they enforce (or fail to enforce) policy. If APIs lack proper authentication, authorization, rate limiting, or logging, then governance controls are effectively bypassed. You cannot claim governance if you cannot control who accesses your AI systems, what data they use, and what actions they perform. API security is therefore foundational to enforcing AI policies, auditability, and responsible use.

Why API security matters for security, compliance, and privacy
From a security standpoint, APIs are a primary entry point for attacks like broken authentication, privilege escalation, and data exfiltration. From a compliance perspective (ISO 27001, SOC 2, HIPAA, GDPR, etc.), APIs must enforce access controls, protect sensitive data, and maintain audit trails. From a privacy standpoint, APIs often expose personally identifiable information (PII), making them high-risk vectors for breaches. A single vulnerable API can violate multiple regulatory requirements at once.

Context: why your API definition file matters
A 403 “unauthorized” response when attempting to access the API definition via URL simply means access is restricted—which is good—but it also highlights a gap: without the OpenAPI/Swagger (JSON/YAML) definition, a proper security assessment cannot be performed. Modern API security testing—especially AI-assisted scanning—depends on structured API definitions to understand endpoints, parameters, authentication flows, and data models. Without it, testing is incomplete and blind to deeper vulnerabilities.

Why API vulnerability assessment is imperative
API vulnerabilities are not theoretical—they are routinely used for privilege escalation, allowing attackers to move from basic access to administrative control. Given the scale of API traffic and their direct exposure to business logic, continuous API assessment is essential. This is even more critical when APIs are used by AI systems, where a flaw can propagate automated decisions at scale.

My perspective
API security is no longer a technical subdomain—it’s the control plane of modern digital and AI ecosystems. If your APIs are not fully inventoried, documented, and continuously tested, your security posture is incomplete—regardless of how strong your traditional controls are. In the AI era, API security is governance. It’s where policy meets execution. And without visibility (API definitions) and validation (security testing), you’re operating on trust rather than control—which is exactly where attackers thrive.

Secure APIs: Design, build, and implement

Schedule a consultation or drop a note below: info@deurainfosec.com

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Is your AI strategy truly audit-ready today?

AI governance is no longer optional. Frameworks like ISO/IEC 42001 AI Management System Standard and regulations such as the EU AI Act are rapidly reshaping compliance expectations for organizations using AI.

DISC InfoSec brings deep expertise across AI, cybersecurity, and regulatory compliance to help you build trust, reduce risk, and stay ahead of evolving mandates—with a proven track record of success.

Ready to lead with confidence? Let’s start the conversation.

At DISC InfoSec, we help organizations navigate this landscape by aligning AI risk management, governance, security, and compliance into a single, practical roadmap. Whether you are experimenting with AI or deploying it at scale, we help you choose and operationalize the right frameworks to reduce risk and build trust. Learn more at DISC InfoSec.

Tags: API Security

Apr 07 2026

AI Security = API Security: The Case for Real-Time Enforcement

Category: AI,AI Governance,AI Governance Enforcement,AI Guardrails,API security,Information Security,ISO 42001disc7 @ 9:33 am

AI Governance That Actually Works: Why Real-Time Enforcement Is the Missing Layer

AI governance is everywhere right now—frameworks, policies, and documentation are rapidly evolving. But there’s a hard truth most organizations are starting to realize:

Governance without enforcement is just intent.

What separates mature AI security programs from the rest is the ability to enforce policies in real time, exactly where AI systems operate—at the API layer.

AI Security Is Fundamentally an API Security Problem

Modern AI systems—LLMs, agents, copilots—don’t operate in isolation. They interact through APIs:

  • Prompts are API inputs
  • Model inferences are API calls
  • Actions are executed via downstream APIs
  • Agents orchestrate workflows across multiple services

This means every AI risk—data leakage, prompt injection, unauthorized actions—manifests at runtime through APIs.

If you’re not enforcing controls at this layer, you’re not securing AI—you’re observing it.

Real-Time Enforcement at the Core

The most effective approach to AI governance is inline, real-time enforcement, and this is where modern platforms are stepping up.

A strong example is a three-layer enforcement engine that evaluates every interaction before it executes:

  • Deterministic Rules → Clear, policy-driven controls (e.g., block sensitive data exposure)
  • Semantic AI Analysis → Context-aware detection of risky or malicious intent
  • Knowledge-Grounded RAG → Decisions informed by organizational policies and domain context

This layered approach enables precise, intelligent enforcement—not just static rule matching.

From Policy to Action: Enforcement Decisions That Matter

Real governance requires more than alerts. It requires decisions at runtime.

Effective enforcement platforms deliver outcomes such as:

  • BLOCK → Stop high-risk actions immediately
  • WARN → Notify users while allowing controlled execution
  • MONITOR_ONLY → Observe without interrupting workflows
  • APPROVAL_REQUIRED → Introduce human-in-the-loop controls

These decisions happen in real time on every API call, ensuring that governance is not delayed or bypassed.

Full-Lifecycle Policy Enforcement

AI risk doesn’t exist in just one place—it spans the entire interaction lifecycle. That’s why enforcement must cover:

  • Prompts → Prevent injection, leakage, and unsafe inputs
  • Data → Apply field-level conditions and protect sensitive information
  • Actions → Control what agents and systems are allowed to execute

With session-aware tracking, enforcement can follow agents across workflows, maintaining context and ensuring policies are applied consistently from start to finish.

Controlling What Agents Can Do

As AI agents become more autonomous, the question is no longer just what they say—it’s what they do.

Policy-driven enforcement allows organizations to:

  • Define allowed vs. restricted actions
  • Control API-level execution permissions
  • Enforce guardrails on agent behavior in real time

This shifts AI governance from passive oversight to active control.

Built for the API Economy

By integrating directly with APIs and modern orchestration layers, enforcement platforms can:

  • Evaluate every request and response inline
  • Return real-time decisions (ALLOW, BLOCK, WARN, APPROVAL_REQUIRED)
  • Scale alongside high-throughput AI systems

This architecture aligns perfectly with how AI is actually deployed today—distributed, API-driven, and dynamic.

Perspective: Enforcement Is the Foundation of Scalable AI Governance

Most organizations are still focused on documenting policies and mapping controls. That’s necessary—but not sufficient.

The real shift happening now is this:

👉 AI governance is moving from documentation to enforcement.
👉 From static controls to runtime decisions.
👉 From visibility to action.

If AI operates at API speed, then governance must operate at the same speed.

Real-time enforcement is not just a feature—it’s the foundation for making AI governance work at scale.

Perspective: Why AI Governance Enforcement Is Critical

Most organizations are focusing on AI governance frameworks, but frameworks alone don’t reduce risk—enforcement does.

This is where many AI governance strategies fall apart.

AI systems are dynamic, API-driven, and often autonomous. Without real-time enforcement:

  • Policies remain static documents
  • Controls are inconsistently applied
  • Risks emerge during actual execution—not design

AI governance enforcement bridges that gap. It ensures that:

  • Prompts, responses, and agent actions are monitored in real time
  • Policy violations are detected and blocked instantly
  • Data exposure and misuse are prevented before impact

In short, enforcement turns governance from intent into control.

Bottom line:
If your AI governance strategy cannot demonstrate continuous monitoring, control, and enforcement, it is unlikely to stand up to audit—or real-world threats.

That’s why AI governance enforcement is not just a feature—it’s the foundation for making AI governance actually work at scale.

Ready to Operationalize AI Governance?

If you’re serious about moving from **AI governance theory → real enforcement**,
DISC InfoSec can help you build the control layer your AI systems need.

Most organizations have AI governance documents â€” but auditors now want proof of enforcement.

Policies alone don’t reduce AI risk. Real‑time monitoring, control, and enforcement do.

If your AI governance strategy can’t demonstrate continuous oversight, it won’t stand up to audit or real‑world threats.

DISC InfoSec helps organizations operationalize AI governance with integrated frameworks, runtime controls, and proven certification success.

Move from AI governance theory to enforcement.

Read the full post below: Is Your AI Governance Strategy Audit‑Ready — or Just Documented?

Schedule a free consultation or drop a comment below: info@deurainfosec.com

DISC InfoSec — Your partner for AI governance that actually works.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Is your AI strategy truly audit-ready today?

AI governance is no longer optional. Frameworks like ISO/IEC 42001 AI Management System Standard and regulations such as the EU AI Act are rapidly reshaping compliance expectations for organizations using AI.

DISC InfoSec brings deep expertise across AI, cybersecurity, and regulatory compliance to help you build trust, reduce risk, and stay ahead of evolving mandates—with a proven track record of success.

Ready to lead with confidence? Let’s start the conversation.

At DISC InfoSec, we help organizations navigate this landscape by aligning AI risk management, governance, security, and compliance into a single, practical roadmap. Whether you are experimenting with AI or deploying it at scale, we help you choose and operationalize the right frameworks to reduce risk and build trust. Learn more at DISC InfoSec.

Tags: AI security, API Security

Apr 06 2026

AI-Native Risk: Why AI Security Is Still an API Security Problem

Category: AI,AI Governance,AI Governance Enforcement,API security,Information Securitydisc7 @ 9:29 am

1. Defining Risk in AI-Native Systems
AI-native systems introduce a new class of risk driven by autonomy, scale, and complexity. Unlike traditional applications, these systems rely on dynamic decision-making, continuous learning, and interconnected services. As a result, risks are no longer confined to static vulnerabilities—they emerge from unpredictable behaviors, opaque logic, and rapidly evolving interactions across systems.

2. Why AI Security Is Still an API Security Problem
At its core, AI security remains an API security challenge. Modern AI systems—especially those powered by large language models (LLMs) and autonomous agents—operate through API-driven architectures. Every prompt, response, and action is mediated through APIs, making them the primary attack surface. The difference is that AI introduces non-deterministic behavior, increasing the difficulty of predicting and controlling how these APIs are used.

3. Expansion of the Attack Surface
The shift to AI-native design significantly expands the enterprise attack surface. AI workflows often involve chained APIs, third-party integrations, and cloud-based services operating at high speed. This creates complex execution paths that are harder to monitor and secure, exposing organizations to a broader range of potential entry points and attack vectors.

4. Emerging AI-Specific Threats
AI-native environments face unique threats that go beyond traditional API risks. Prompt injection can manipulate model behavior, model misuse can lead to unintended outputs, shadow AI introduces ungoverned tools, and supply-chain poisoning compromises upstream data or models. These threats exploit both the AI logic and the APIs that deliver it, creating layered security challenges.

5. Visibility and Control Gaps
A major risk factor is the lack of visibility and control across AI and API ecosystems. Security teams often struggle to track how data flows between models, agents, and services. Without clear insight into these interactions, it becomes difficult to enforce policies, detect anomalies, or prevent sensitive data exposure.

6. Applying API Security Best Practices
Organizations can reduce AI risk by extending proven API security practices into AI environments. This includes strong authentication, rate limiting, schema validation, and continuous monitoring. However, these controls must be adapted to account for AI-specific behaviors such as context handling, prompt variability, and dynamic execution paths.

7. Strengthening AI Discovery, Testing, and Protection
To secure AI-native systems effectively, organizations must improve discovery, testing, and runtime protection. This involves identifying all AI assets, continuously testing for adversarial inputs, and deploying real-time safeguards against misuse and anomalies. A layered approach—combining API security fundamentals with AI-aware controls—is essential to building resilient and trustworthy AI systems.

This post lands on the right core insight: AI security isn’t a brand-new discipline—it’s an evolution of API security under far more dynamic and unpredictable conditions. That framing is powerful because it grounds the conversation in something security teams already understand, while still acknowledging the real shift in risk introduced by AI-native architectures.

Where I strongly agree is the emphasis on API-chained workflows and non-deterministic behavior. In practice, this is exactly where most organizations underestimate risk. Traditional API security assumes predictable inputs and outputs, but LLM-driven systems break that assumption. The same API can behave differently based on subtle prompt variations, context memory, or agent decision paths. That unpredictability is the real multiplier of risk—not just the APIs themselves.

I also think the callout on identity and agent behavior is critical and often overlooked. In AI systems, identity is no longer just “user or service”—it becomes “agent acting on behalf of a user with partial autonomy.” That creates a blurred accountability model. Who is responsible when an agent chains five APIs and exposes sensitive data? This is where most current security models fall short.

On threats like prompt injection, shadow AI, and supply-chain poisoning, we’re highlighting the right categories, but the deeper issue is that these attacks bypass traditional controls entirely. They don’t exploit code—they exploit logic and trust boundaries. That’s why legacy AppSec tools (SAST, DAST, even WAFs) struggle—they’re not designed to understand intent or context.

The point about visibility gaps is probably the most urgent operational problem. Most teams simply don’t know:

  • Which AI models are in use
  • What data is being sent to them
  • What downstream actions agents are taking

Without that, governance becomes theoretical. You can’t secure what you can’t see—especially when execution paths are being created in real time.

Where I’d push the perspective further is this:
AI security is not just API security with “extra controls”—it requires runtime governance.
Static controls and pre-deployment testing are not enough. You need continuous AI Governance enforcement at execution time—monitoring prompts, responses, and agent actions as they happen.

Finally, your recommendation to extend API security practices is absolutely right—but success depends on how deeply organizations adapt them. Basic controls like authentication and rate limiting are table stakes. The real maturity comes from:

  • Context-aware inspection (prompt + response)
  • Behavioral baselining for agents
  • Policy enforcement tied to business risk (not just endpoints)

If you’re serious about moving from **AI governance theory → real enforcement**,
DISC InfoSec can help you build the control layer your AI systems need.

Schedule a free consultation or drop a comment below: info@deurainfosec.com

Tags: AI security, API Security

Mar 19 2026

Secure Your Web & API Applications Before Attackers Do: Reduce Vulnerabilities

Category: App Security,Information Security,Security vulnerabilities,Web Securitydisc7 @ 9:45 am

Secure Your Web & API Applications Before Attackers Do: Reduce Vulnerabilities, Prevent Breaches with DISC InfoSec

Modern businesses are powered by web applications and APIs—but they are also the primary entry points for cyberattacks. APIs expose critical data, services, and backend systems, making them highly attractive targets for attackers exploiting weaknesses like broken authentication, injection flaws, and misconfigurations. Without proactive testing, these vulnerabilities remain hidden—until they are exploited in a breach.

At DISC InfoSec, we help organizations take control of this growing risk through comprehensive Application Security Testing (AST) across web and API platforms. Our approach is designed to uncover real-world vulnerabilities before attackers do—protecting your applications, data, and business operations from evolving threats.

Our methodology combines vulnerability assessments, penetration testing, and automated scanning to deliver deep visibility into your application security posture. By simulating real-world attack scenarios, we identify critical weaknesses such as SQL injection, cross-site scripting (XSS), insecure endpoints, and authentication flaws—ensuring nothing is left exposed.

We go beyond one-time testing by enabling continuous security throughout your development lifecycle. Integrated into DevSecOps and CI/CD pipelines, our testing helps detect vulnerabilities early—when they are faster and cheaper to fix—reducing the overall attack surface and preventing costly breaches.

APIs are the backbone of modern digital ecosystems, and securing them is critical to protecting sensitive data. Our API security testing ensures that every endpoint, token, and data exchange is validated and protected—preventing unauthorized access, data leakage, and service disruptions while maintaining customer trust.

With DISC InfoSec, you also gain a compliance-driven security advantage. Our services align with leading frameworks such as ISO 27001, OWASP Top 10, and regulatory requirements—helping you demonstrate strong security posture, pass audits faster, and build confidence with customers, partners, and stakeholders.

The result is simple: reduced vulnerabilities, minimized breach risk, and stronger business resilience. In a threat landscape where applications are constantly under attack, DISC InfoSec ensures your web and API platforms are not just functional—but secure, compliant, and built to withstand real-world cyber threats.

Perspective:

Protecting applications—especially web and API platforms—is no longer just a technical best practice; it’s a business survival requirement. Modern architectures are API-first, which means your most valuable data and core business logic are constantly exposed to the internet. Every endpoint becomes a potential entry point. If vulnerabilities like broken authentication, injection flaws, or misconfigurations go unchecked, attackers don’t need to “break in”—they simply log in or query your APIs the way they were never intended to be used.

What makes this more critical today is the speed and scale of exploitation. Attackers are heavily automated, continuously scanning for weaknesses across thousands of applications at once. A single overlooked vulnerability in a web form or API endpoint can be discovered and weaponized within hours. Unlike infrastructure attacks, application-layer attacks are harder to detect because they often look like legitimate traffic—making prevention through proactive testing far more effective than relying on detection alone.

From a risk perspective, application vulnerabilities directly translate to data breaches, regulatory exposure, and revenue loss. Whether it’s customer data leakage, unauthorized transactions, or service disruption, the impact goes beyond IT—it affects brand trust, customer retention, and even valuation. In industries moving toward standards like ISO 27001 and secure-by-design principles, application security is becoming a board-level concern, not just a developer responsibility.

My view is simple: if your business runs on applications—and most do—then application security testing must be continuous, not periodic. It needs to be embedded into development (DevSecOps), aligned with risk management, and treated as a core control—not an afterthought. Organizations that do this well don’t just reduce vulnerabilities; they build resilience, accelerate sales cycles, and earn customer trust in a market where security is now a differentiator.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

At DISC InfoSec, we help organizations navigate this landscape by aligning AI risk management, governance, security, and compliance into a single, practical roadmap. Whether you are experimenting with AI or deploying it at scale, we help you choose and operationalize the right frameworks to reduce risk and build trust. Learn more at DISC InfoSec.

Tags: API Security, API security risks, web security

Mar 22 2025

DISC InfoSec API Pen Testing

Category: API security,Pen Testdisc7 @ 5:37 pm

API Penetration Testing by DISC InfoSec

In today’s digital landscape, APIs are crucial for connecting applications and sharing data, but they can also introduce significant security risks if not properly safeguarded. DISC InfoSec offers specialized API penetration testing services to identify and mitigate vulnerabilities, ensuring your APIs remain secure and resilient against cyber threats.

Our approach includes a thorough analysis of API functionalities, focusing on authentication, data exchange, and business logic. We meticulously examine API documentation, requests, headers, and parameters to uncover potential weaknesses that could be exploited by attackers.

By simulating real-world attack scenarios tailored to your industry and infrastructure, we provide a comprehensive assessment of your APIs. This process helps you understand the potential impact of vulnerabilities on your systems, including risks to confidentiality, integrity, and availability.

Once the testing is complete, we deliver a detailed report highlighting the findings and providing actionable recommendations for remediation. To ensure vulnerabilities are effectively addressed, DISC InfoSec offers complimentary retesting within six months of the project’s completion.

Partnering with DISC InfoSec for API penetration testing enables your organization to proactively secure its applications, protect sensitive data, and maintain user trust. Regular testing and updates are essential for staying ahead of evolving threats and ensuring a strong cybersecurity posture.

Feel free to reach out to DISC InfoSec with any questions about the API penetration testing process.

API Security for White Hat Hackers: Uncover offensive defense strategies and get up to speed with secure API implementation

Pentesting APIs: A practical guide to discovering, fingerprinting, and exploiting APIs

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: API, API Security, PenTesting APIs

Oct 02 2024

6 biggest challenges of API Security

Category: API securitydisc7 @ 9:35 am

API security presents several challenges for AppSec teams, including limited visibility of API endpoints, difficulty in automating and scaling tests, and maintaining consistent processes and compliance. As API estates grow with AI, keeping track of exposed endpoints becomes harder, emphasizing the need for automation tools.

Additionally, knowledge gaps in teams and limitations in current testing tools hinder effective API security. Addressing these gaps with automated testing, enhanced tools, and training can significantly improve outcomes.

Resource and time constraints make it challenging to thoroughly test APIs. Automating tests helps reduce this burden and free up resources for deeper security measures.

API security challenges are broken down into six core areas. These include the complexity of gaining visibility into API endpoints, the difficulty in automating and scaling security tests, and ensuring consistency in processes and compliance. Other concerns involve knowledge gaps among security teams and the inadequacy of current tools for effective API testing. Finally, limited resources and time constraints make comprehensive API security testing difficult, underscoring the importance of automation to alleviate these challenges and enhance protection.

For more information, you can visit the full blog from PortSwigger here

API Security for White Hat Hackers: Uncover offensive defense strategies and get up to speed with secure API implementation

API Security in Action

Could APIs be the undoing of AI?

DISC InfoSec previous posts on API Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: API Security

Jan 18 2024

How Do You Protect Your APIs From DDoS Attacks?

Category: API security,Information Securitydisc7 @ 8:22 am
How Do You Protect Your APIs From DDoS Attacks?

Today, DDoS attacks stand out as the most widespread cyber threat, extending their impact to APIs. 

When successfully executed, these attacks can cripple a system, presenting a more severe consequence than DDoS incidents targeting web applications. 

The increased risk amplifies the potential for reputational damage to the company associated with the affected APIs.

How Does DDoS Affect Your APIs?

A DDoS attack on an API involves overwhelming the targeted API with a flood of traffic from multiple sources, disrupting its normal functioning and causing it to become unavailable to legitimate users.

This attack can be particularly damaging as APIs play a crucial role in enabling communication between different software applications, and disruption can impact the overall functionality of interconnected systems.

The impact of DDoS attacks is particularly severe for businesses and organizations that depend on their APIs to deliver essential services to customers. These attacks, employing methods such as UDP floods, SYN floods, HTTP floods, and others, pose a significant threat.

Typically orchestrated through botnets—networks of compromised devices under the control of a single attacker—DDoS attacks can cripple a target’s functionality.

DDoS attacks on APIs focus on the server and each part of your API service. But how do attackers manage to exploit DDoS attacks on APIs?

This Webinar on API attack simulation shows an example of a DDoS attack on APIs and how WAAP can protect the API endpoints. 

Several factors can make APIs vulnerable to DDoS attacks:

Absence or insufficient Rate-Limiting: If an API lacks robust rate-limiting mechanisms, attackers can exploit this weakness by sending a massive volume of requests in a short period, overwhelming the system’s capacity to handle them.

Inadequate Authentication and Authorization: Weak or compromised authentication measures can allow malicious actors to gain unauthorized access to an API. Once inside, they may misuse the API by flooding it with requests, leading to a DDoS scenario.

Insufficient Monitoring and Anomaly Detection: Ineffective monitoring and anomaly detection systems can make identifying abnormal traffic patterns associated with a DDoS attack challenging. Prompt detection is crucial for implementing mitigation measures.

Scalability Issues: APIs that cannot scale dynamically in response to increased traffic may become targets for DDoS attacks. A sudden surge in requests can overload the system if it cannot scale its resources efficiently.

How Do WAAP Solutions Protect Against DDoS Attacks on API?

Web Application and API Protection (WAAP) platform offers in-line blocking capabilities for all layer seven traffic, comprehensively securing web applications and APIs.

To guarantee robust security, WAFs incorporated into WAAP solutions provide immediate defense by filtering, monitoring, detecting, and automatically blocking malicious traffic, thereby preventing its access to the server.

Active monitoring of traffic on an API endpoint enables the identification of abnormal traffic patterns commonly linked to DDoS attacks. Instances of sudden spikes in traffic volume serve as red flags for potential attacks, and a proficient monitoring system can promptly detect and address such increases.

In addition, WAAP enforces rate limits by assessing the number of requests from an IP address. API rate limiting is critical in mitigating DDoS damage and reducing calls, data volume, and types. Setting limits aligned with API capacity and user needs enhances security and improves the user experience. 

To avoid impacting genuine users, find solutions that use behavioral analysis technologies to establish a baseline for rate limiting.

AppTrana WAAP’s DDoS mitigation employs adaptive behavioral analysis for comprehensive defense, detecting and mitigating various DDoS attacks with a layered approach. It distinguishes between “flash crowds” and real DDoS attacks, using real-time behavioral analysis for precise mitigation. This enhances accuracy compared to static rate limit-based systems.

Advanced API Security: OAuth 2.0 and Beyond

API Security in Action

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: API Security

Jan 11 2024

APIs are increasingly becoming attractive targets

Category: API securitydisc7 @ 10:35 am
APIs are increasingly becoming attractive targets

APIs power the digital world—our phones, smartwatches, banking systems and shopping sites all rely on APIs to communicate. They can help ecommerce sites accept payments, enable healthcare systems to securely share patient data, and even give taxis and public transportation access to real-time traffic data.

Nearly every business today now uses them to build and provide better sites, apps and services to consumers. However, if unmanaged or unsecured, APIs present a goldmine for threat actors to exfiltrate potentially sensitive information.

“APIs are central to how applications and websites work, which makes them a rich, and relatively new, target for hackers,” said Matthew Prince, CEO at Cloudflare. “It’s vital that companies identify and protect all their APIs to prevent data breaches and secure their businesses.”

APIs popularity boosts attack volume

The seamless integrations that APIs allow for have driven organizations across industries to increasingly leverage them – some more quickly than others. The IoT, rail, bus and taxi, legal services, multimedia and games, and logistics and supply chain industries saw the highest share of API traffic in 2023.

APIs dominate dynamic Internet traffic around the globe (57%), with each region that Cloudflare protects seeing an increase in usage over the past year. However, the top regions that explosively adopted APIs and witnessed the highest traffic share in 2023 were Africa and Asia.

As with any popular business critical function that houses sensitive data, threat actors attempt to exploit any means necessary to gain access. The rise in popularity of APIs has also caused a rise in attack volume, with HTTP Anomaly, Injection attacks and file inclusion being the top three most commonly used attack types mitigated by Cloudflare.

Shadow APIs provide a defenseless path for threat actors

Organizations struggle to protect what they cannot see. Nearly 31% more API REST endpoints (when an API connects with the software program) were discovered through machine learning versus customer-provided identifiers – e.g., organizations lack a full inventory of their APIs.

Regardless if an organization has full visibility of all their APIs, DDoS mitigation solutions can help block potential threats. 33% of all mitigations applied to API threats were blocked by DDoS protections already in place.

“APIs are powerful tools for developers to create full-featured, complex applications to serve their customers, partners, and employees, but each API is a potential attack surface that needs to be secured,” said Melinda Marks, Practice Director, Cybersecurity, for Enterprise Strategy Group. “As this new report shows, organizations need more effective ways to address API security, including better visibility of APIs, ways to ensure secure authentication and authorization between connections, and better ways to protect their applications from attacks.”

API Security in Action

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: API Security

Dec 03 2023

OWASP API Security Top 10 2023

Category: API securitydisc7 @ 10:57 am
OWASP-API-security-top-10-2023Download

API Security in Action

If you want to learn more, you can check the link below

Understanding API Security and Implications

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: API Security, OWASP Top 10

Nov 03 2023

OWASP API Security Top 10 2023

Category: API securitydisc7 @ 10:34 am

OWASP API Security Top 10 2023

OWASP-API-top-10Download


If you want to learn more, you can check the link below

Understanding API Security and Implications

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: API Security, OWASP Top 10

Sep 04 2023

Is the new OWASP API Top 10 helpful to defenders?

Category: API securitydisc7 @ 9:50 am
Is the new OWASP API Top 10 helpful to defenders?

The OWASP Foundation’s Top Ten lists have consistently aided defenders in directing their attention towards particular technologies, and the OWASP API (Application Programming Interface) Security Top 10 2023 is no different. Originally formulated five years ago and recently revised, its goal is to tackle evolving attack techniques.

API Security in Action

However, the OWASP API Security Project leaders had their work cut out when deciding how to group and prioritize the threats. The list is put together based upon industry input and must reflect compliance concerns, so it was never going to completely satisfy all people. The question is, does it go far enough to be of value to those in the thick of it when it comes to API development and defense?

What has changed and what has stayed the same?

By comparing the old and the new list, we can see that the top two threats – API1 Broken Object Level Authorization (BOLA) and API2 Broken User Authentication – have remained unchanged. API1 denotes the manipulation of the identification of an object that is sent within a request to the API while API2 marks the abuse of authentication mechanisms through attacks such as credential stuffing, including forgotten/rest password functions. They provide the quickest wins for attackers, and it’s easy to see why these continue to the top the list.

API3 replaced Excessive Data Exposure with Broken Object Property Level Authorization. Does this mean we have solved the problem of sensitive data exposure? Alas, no, it continues to be a huge problem. What this change signifies is the next stage an attacker would take when exploiting sensitive data exposure, i.e., break through the property level authorization. So why has the Project decided to make the change? Probably for the sake of clarity, because sensitive data exposure is an issue that spans the rest of the list. But some, including myself, would argue that this isn’t the right way to present the issue, because it declasses what is a very serious issue.

Similarly, API6 was Mass Assignment in 2019 and is now Unrestricted Access to Sensitive Business Flows. Are they different? Not really. Both are talking about taking advantage of objects and their properties within the application flow, with the examples listed on the project page referring to a ride share app where functionality is exploited in the backend. There is, however, something subtle about the naming that makes the 2023 version seem like something that needs to be fixed, rather than being nebulous and confusing, so in that respect it is an improvement.

Bring bots into the mix

API6 also plays to how an API that isn’t functioning properly can swiftly end up with attack automation being utilized against it in the form of bot attacks. This is important because there’s always been an artificial distinction made between API and bot attacks, with the security sector offering different solutions for each when the reality is that automated attacks can and are launched against APIs. So, it no longer makes sense to monitor for API attacks and bot attacks separately: bot mitigation has to become part of API security. This is apparent in our recent report, which revealed that automated attacks dwarfed other TTPs in the analysis of traffic during the last quarter of 2022.

Overall, the new list largely redefines many of the previous tactics, techniques and procedures (TTPs) in a bid to be more inclusive. API4, for instance, has moved from Lack of Resources and Rate Limiting to become Unrestricted Resource Consumption, reflecting the fact that rate limiting extends beyond the issue of network capacity. Other resources that can be abused if limits are not set include CPU, memory and storage, for example, but just as importantly, service providers can find service resources maxed out by API requests. They may provide emails, texts or phone calls and a repeat API request can see that service provider rack up huge service costs.

However, there are some changes in the order and new concepts in there towards the end. API7 Security Misconfiguration drops a place to API8 as there has been progress made in this area.

API7 is now Server Side Request Forgery (SSRF). APIs are a prime target for SSRF attacks because they routinely channel outbound traffic from an application. Developers often access external resources, such as web hooks, file fetching from URLs or custom SSO and URL previews – states the Project – or cloud or container providers expose management and control channels to compromise via HTTP. And the old API8, Injection attacks? That’s no longer a separately categorized threat again because it’s typically adopted in many of the other attack types.

Significant changes

API9 sees another subtle but important change in the wording: from Improper Assets Management to Improper Inventory Management. This reflects the heightened number of shadow APIs that are out there which once deployed are no longer monitored and effectively fall off the security team’s radar. Unmanaged, unknown and unprotected, these APIs are then sitting ducks for attackers who now actively search for them. In fact, we found that 45 billion search attempts were made for shadow APIs during the second half of 2022, compared to five billion during the first six months. A runtime API inventory that continuously monitors production APIs is therefore vital to ensure all APIs that go live are protected yet it’s one of the key failings in organisations today.

Finally, API10 has changed from Insufficient Logging and Monitoring, now largely covered by API9, to Unsafe Consumption of APIs. This reflects the extension we’ve seen of the API software chain, with APIs now often being integrated with other APIs. The problem that has arisen is that developers tend to inherently trust interactions with these external APIs, particularly from well-known companies, even though they may be flawed and/or be leaking data.

Clearly a great deal of thought has gone into adjusting the OWASP API Top Ten to more accurately address the TTPs that attackers are now using. The result sees both minor and some major changes to the list all of which are justified. Indeed, it’s not the descriptors but the list itself that is problematic. It’s an arbitrary concept that’s designed to attract attention to and heighten the profile of API security but does it do anything to further how we defend against these attacks?

How it holds up under an attack scenario

If we use breach analysis, we can compare a typical breach to the categories in the list to see how the concept stacks up. Many breaches start out with an API that the victim organization was unaware they had ( API9 in the 2023 list). This API is then found to return some kind of data about a user that isn’t the attacker (API1). Now the attacker is going to create attack automation using a bot to try to exploit this as quickly and as completely as possible (API6), completing the attack chain and giving the attacker access to data hidden in the victim organization’s systems.

It’s evident that such an attack would cross at least three of the attack categories so prioritizing them becomes immaterial. Indeed, such trinity attacks are gaining ground, with 100 million detected during the first half of 2022.

What’s more, as well as seeing attackers pivot during an attack and utilize known TTPs, we are also seeing them come up with unique TTPs to attempt to subvert the API. These grew more than fivefold between June and November (from 2,000 to 11,000). Most of those attacks were geared towards achieving account takeover (ATO), scraping to perform reconnaissance or to exfiltrate data, and hunting for business logic flaws within the API to commit fraud.

Keeping up with such diverse attacks requires the security team to focus not just on its defense but methods of detection and mitigation. Whether it is knowing where APIs are, testing them for flaws or stopping bots attacking unknown flows, API security needs to become more comprehensive, tracking and protecting the API throughout its entire lifecycle.

A sound summary of TTPs

The new OWASP API Top 10 may not be perfect, but it does cover the bases and provides a great starting point from which to address the topic. It now recognizes that some attack methods such as sensitive data and exposure and injection attacks span multiple TTPs and so do not require a separate category. It also amplifies the need for bot mitigation as part of API security, and the complex nature of API ecosystems that are seeing them integrated with one another, for instance.

But its structure is not conducive to showing how these attacks are being used in the wild. It still compartmentalizes these attacks when threat actors are becoming much more versatile and combining them.

Realistically, the only way of keeping pace with this rapidly evolving threat landscape is to monitor and manage those APIs. Creating a runtime inventory, conducting API threat surface assessments, carrying out specification anomaly detection and putting in place real-time automated bot detection and mitigation are all now essential to protect the API footprint of the business.

API Security

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: API Security, OWASP API

Jan 25 2023

Top FinTech API Security Challenges

Category: API securityDISC @ 10:52 am
Top FinTech API Security Challenges

A recent report reveals that the number of attacks on financial service APIs and web applications worldwide increased by 257%.  

There are more APIs in use than ever, and the average FinTech company takes advantage of hundreds if not thousands of connections in their daily operations.

APIs have become a critical component of fintech but also open new vulnerabilities. 48% of financial service company states that API security remains the top concern of their API utilization.

So, what are the top FinTech API security challenges?

API Security Challenges

Impacts Of API Attacks on Fintech

API attacks on fintech companies can severely affect the financial industry and the customers who rely on these services. These attacks are becoming increasingly frequent as fintech companies grow in popularity and usage. 

API attacks can have serious consequences, including financial loss and damage to a company’s reputation. These attacks can steal sensitive information like login credentials or financial data. This data can be used for identity theft, financial fraud, and other criminal activities, causing significant financial losses for the affected customers. 

They can also be used to disrupt services or conduct fraudulent transactions. Additionally, service disruptions can lead to lost business, damage to reputation, and loss of customer trust.

API attacks can also have a ripple effect throughout the financial industry. If a major fintech company is compromised, it can cause mistrust and uncertainty among other financial institutions. This can lead to increased scrutiny and regulations for the entire industry.

Fintech companies must take proactive measures to secure their APIs and protect their customers’ data. This includes implementing robust authentication and authorization mechanisms, encryption for sensitive data, and regularly testing and updating security measures.

Additionally, having an incident response plan to address and mitigate potential breaches quickly is crucial in preserving customer trust and minimizing damage to the company’s reputation.

OWASP Top 10 API Security Risks

OWASP API Top 10 isn’t necessarily FinTech-specific. But with API usage exploding in every industry, it’s worth taking some time to understand the risks they’ve identified. After all, many modern companies would not exist without APIs.

  • Broken object-level authorization
  • Broken user authentication
  • Excessive data exposure
  • Lack of resources to rate limiting
  • Broken function-level authorization
  • Mass assignment
  • Security misconfiguration
  • Injection
  • Improper assets management
  • Insufficient logging and monitoring

What are the Challenges of Protecting APIs?

Explosive increase in API utilization

There has been a significant increase in the use of APIs in fintech in recent years. APIs allow fintech companies to easily integrate with other systems and services, such as banking platforms, payment processors, and data providers. This enables fintech companies to build new products and services quickly and easily and offer their customers a more comprehensive range of features. 

As many APIs are integrated into third-party systems, it can be challenging to monitor for potential vulnerabilities.

Connections Create New Vulnerabilities & Risks

Most applications are made up of multiple services connected through APIs. This interconnectivity can inadvertently create new risks and vulnerabilities.

As interconnected services increase, the complexity of securing API connections also increases. Each connection represents a potential vulnerability that malicious actors could exploit. Additionally, as more services are connected, the attack surface for potential vulnerabilities also increases. 

Data Exposure

FinTech companies handle sensitive financial information, making them prime targets for cyber attacks.

Tracking and monitoring for potential security threats can make it more difficult as more data is exposed through APIs. It can be difficult to track exactly,

  • What needs to be protected and how?
  • Where are APIs exposing data?
  • Is the exposure necessary?

The larger the amount of data and the more diverse the sources, the harder it can be to identify and respond to security incidents. 

Furthermore, the increased use of cloud and third-party services can complicate tracking, as it can be challenging to determine where data is being stored and how it is being used.

Data exposure can also be a moving target based on API updates. For maximum security, you must always remain mindful of changes.

Rapid Development

An API in FinTech is perfect for rapid innovation and development. New updates, features, and functionality can be rolled out quickly and smoothly.

APIs are constantly changing. And because of that, app developers need to roll out multiple updates yearly.

This creates a challenge for the security team because they need to be able to keep pace with changes and know what security structures need to include.

Developers Can’t Catch Everything

It’s difficult, if not impossible, to catch all possible vulnerabilities before deployment. Despite the care taken during the development process, it’s unrealistic to think that developers would be aware of everything that could go wrong.

Developers also need to move quickly. Because there are always new features to add and innovations to make, security can be an afterthought for better or worse.

Traditional Security Isn’t Enough

Most FinTech companies have sophisticated runtime security stacks already. These feature multiple layers of security tools. But these solutions simply aren’t enough when it comes to API vulnerabilities.

Traditional approaches to FinTech API security, such as basic authentication, do not provide adequate protection. Because they rely on static, easily compromised credentials and do not consider the dynamic nature of API usage.

Traditional approaches often rely on static rules and signatures, which can be easily bypassed by attackers who know how to evade them.

Additionally, these approaches do not provide visibility into API activity, making detecting and responding to threats difficult.

For API security, it is necessary to use more modern security techniques specifically designed for this purpose.

Lack of skills

Appdome says lack of skills was one of the top two challenges in an organization’s API strategy. Many organizations do not specialize in app security. And there are many factors to consider: development framework, OS, security features, and more.

API security should be a top priority for fintech. They could be turbulent if you don’t know how to navigate the waters ahead. Your best bet is to find a partner to assist you in setting up the necessary security infrastructures. The peace of mind with it will be well worth the investment.

API Protection with AppTrana

AppTrana API protection is a comprehensive security solution that provides advanced protection for your APIs.

One of its key features is API discovery, which allows you to automatically identify all the APIs within your organization and track their usage. This helps you to understand how your APIs are being used and identify any potential security risks.

Another important feature of AppTrana is its positive security model, which allows only known and trusted traffic to access your APIs. 

AppTrana also includes rate limiting, a technique used to control the number of requests that can be made to an API within a certain period. This helps prevent malicious actors from overwhelming your APIs with many requests, which can cause them to become unresponsive or crash.

In addition to these features, AppTrana provides real-time monitoring and reporting, so you can quickly identify and respond to any security incidents. This includes detailed logs of all API activity and alerts for suspicious activity, such as excessive rate limiting or bot fingerprinting.

Checkout our previous posts on API Security

InfoSec books | InfoSec tools | InfoSec services

Tags: API Security, Fintech

Nov 19 2022

7 API Security Statistics you should know

Category: API securityDISC @ 12:55 pm

APIs are a powerful tool for organizations to build innovative products and services. Research has shown that over 90% of developers use APIs and 56% have reported that APIs help them to develop better products. However, this increase in demand means there is also an increase in risk.

API security is not a new problem. It’s something that organizations have been trying to tackle for years. But as cloud computing becomes ubiquitous, we are seeing an explosion in demand for secure APIs that provide reliable access to information from different sources over different networks (and even in real time). This means that there are many more potential points of entry for malicious actors looking to exploit vulnerabilities in your infrastructure or steal sensitive data through unconventional methods.

This article highlights and expands on 7 API security related statistics you should be aware of: 41% of organizations suffered API security incidents in the past year

91% of IT professionals believe API security should be considered a priority – This report shows that 91% of IT experts believe that API security should be prioritized especially because over 70% of corporate firms are expected to employ more than 50 APIs. 8 out of 10 IT administrators desire more authority over the APIs used by their company


Attribution link: https://latesthackingnews.com/2022/11/18/7-api-security-statistics-you-should-know/

API Security in Action

Tags: API Security, API Security in Action

Aug 16 2022

API Security: A Complete Guide

Category: API securityDISC @ 7:58 am

Our society has become increasingly dependent on technology in the past few decades, and the global pandemic accelerated this trend.

API Security: A Complete Guide

What is API Security?

APIs are prevalent in SaaS models and modern applications across the board. API security refers to best practices applied to aspects of these APIs to ensure they’re protected from cybercriminals.

Web API security includes access control and privacy, as well as the detection of attacks via reverse engineering and exploitation of vulnerabilities. Since APIs enable the easy development of client-side applications, security measures are applied to applications aimed at employees, consumers, partners and others via mobile or web apps.

Why API Security Should Be a Top Priority

Attacking APIs requires first learning about a company’s APIs. To do so, bad actors perform extensive, drawn-out reconnaissance. That activity flies under the radar of existing technology such as API gateways and web application firewalls (WAFs). APIs make a very lucrative target for bad actors since they are a pipeline to valuable data and they’re poorly defended. Since data is the lifeblood of an organization, protecting it – and end-users – is paramount to avoiding breaches and the financial and reputational harm that comes with them.

In 2017, Gartner predicted API attacks would be the greatest threat to organizations in 2022. The year has arrived, and this foresight has proved accurate. Cyberattacks on APIs have exposed vulnerabilities and cost businesses a lot of time, money and heartache to recover from these breaches.

Major organizations like Peloton and LinkedIn have recently fallen victim to API-driven attacks, proving that even enterprise-class businesses (with enterprise-class budgets) are no match for cybercriminals. API attacks grew an astounding 681% in 2021, showing that businesses cannot afford to be complacent about this threat.

API Security Checklist for Development and Implementation

As with any security objective, it’s crucial to implement best practices and ensure you close all gaps in your API security strategy. While it can be overwhelming, an organized approach will help break your plan into manageable pieces. Start with scope and prioritization:

  • Perform penetration tests for your APIs, and know that to get a clear picture of the security status, you’ll need runtime protection
  • Assess the entirety of your environments, including your digital supply chain and APIs that fall outside of your API management suite
  • If you need to start small, prioritize runtime protection to protect from attackers while your application and API teams delve further into the comprehensive security strategy

Design and Development

Building a robust API security strategy is crucial, but that doesn’t mean you need to start from scratch. Great supportive resources, including the OWASP Application Security Verification Standard (ASVS), are available to help you design your approach.

Ensure you draft your organization’s build and integration security requirements, include business logic when performing design reviews and implement practices for coding and configuration relevant to your security stack.

Documentation

Ensure that you keep comprehensive documentation for application and integration teams. Documentation should cover security testing, design reviews, operations and protection. By documenting the stages of your process, you will ensure continuity in your testing and protection approaches.

Discovery and Cataloging

Ideally, your documentation process will be thorough and consistent. In reality, however, sometimes things are missed. Therefore, organizations must implement automated discovery of API endpoints, data types and parameters. You will benefit from this approach to create an API inventory to serve IT needs throughout your organization.

Ensure you use automation to detect and track APIs across all environments, not limiting the focus to production. Be sure to include third-party APIs and dependencies. Tag and label your microservices and APIs—this is a DevOps best practice.

Security Testing

Traditional security testing tools will help verify elements of your APIs, including vulnerabilities and misconfigurations. Bear in mind that while helpful, these tools do have their limitations. They cannot fully parse business logic, leaving organizations vulnerable to API abuse. Use tools to supplement your security strategy, and do not rely on them as a be-all-end-all view of the state of your APIs.

Security at the Front-End

For a multi-layered approach, ensure you implement a front-end security strategy for your API clients that depend on back-end APIs. Client-side behavior analytics can embellish privacy concerns while protecting the front end. It is recommended to draft security requirements for your front-end code and to store minimal data client-side to reduce the risk of reverse engineering attacks. Ensure you have secured your back-end APIs as well, as this is not an either/or approach.

Network and Data Security

In a zero-trust architecture framework, network access is dynamically restricted. It is still possible for API attacks to occur due to the connectivity required for API functionality, meaning trusted channels can still create security threats. Ensure your data is encrypted during API transport, and use API allow and deny lists if your user list is short.

Many organizations are unclear on which APIs transmit sensitive data, exposing them to the risk of regulatory penalties and large-scale data security breaches. For data security, transport encryption is suitable in most use cases.

Authentication, Authorization, and Runtime Protection

Accounting for authentication and authorization for both users and machines is crucial to a comprehensive API security approach. Avoid using API keys as a primary means of authentication, and continuously authorize and authenticate users for a higher level of security. Modern authentication tools such as 0Auth2 will increase security fortitude.

Organizations should deploy runtime protection. Make sure your runtime protection can identify configuration issues in API infrastructure. It should also detect behavior anomalies such as credential stuffing, brute forcing, or scraping attempts. DoS and DDoS attacks are on the rise, and you should be sure that mitigation plays a role in your API security strategy.

API Security is Fundamental in Today’s World

The use of APIs is a fundamental element of life in the modern era. As such, organizations have a responsibility to ensure end users, networks and data are kept safe from intruders who may expose API vulnerabilities. By following these key aspects of API security, you will be able to successfully mitigate risk.

API Security in Action

A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. 

API Security in Action

Tags: API Security

Jul 30 2022

Why And How CISOs Are Making API Security A Top Priority

Category: API securityDISC @ 10:45 am
藍色網絡上的鎖

A CISO’s mandate is to empower the business to move forward on key growth initiatives and simultaneously reduce risk. To this end, they must continuously evaluate and weigh the security ramifications of many strategic initiatives, ultimately weighing the potential impact on a company’s:

• Speed to market.

• Competitive advantage.

• Brand reputation.

By focusing on how their security infrastructure helps or hinders delivery on those three fronts, CISOs help drive business success. In today’s landscape, one new area has emerged that is integrally connected to all three of those company dynamics: the use of APIs to fuel innovation.

APIs are eating the world.

APIs are essential for companies to support their innovative and revenue-generating digital transformation initiatives. Open banking services, mobile and online services, digital information sharing apps, brands like DoorDash, Uber, PayPal, Spotify, Netflix, Tesla—you name it—all require APIs to function.

Companies are developing and pushing out APIs faster, and in larger quantities, than ever before. APIs allow companies to build and bring advanced services to market, opening up new avenues of business and revenue streams. Digitalization hastened this trend, and Covid accelerated its implementation. Companies had to quickly deploy remote services for workers and customers and build product integrations to support myriad devices—all of which demanded APIs. It’s no wonder that the public API hub Postman hit a record 20 million users earlier this year.

However, because APIs share highly sensitive data with customers, partners and employees, they have also become a very attractive target for attackers. CISOs have recognized the risk.

According to a new study released by AimPoint Group, W2 Communications and CISOs Connect, titled The CISOs Report, Perspectives, Challenges and Plans for 2022 and Beyond, CISOs identified the following as their top IT components needing security improvement.

• APIs: 42%

• Cloud applications (SaaS): 41%

• Cloud infrastructure (IaaS): 38%

APIs drive speed to market.

The faster a business can bring new services to market, the faster the benefits. For some companies (under Covid), speed to market meant the difference between keeping the business up and running versus shutting down operations. API usage ensured that organizations were open for business.

Businesses must always assess the value and the costs in terms of both achieving or losing the speed-to-market race. They must consider the obstacles that could prevent speed to market. In the case of APIs, security threats pose an enormous obstacle. They can slow down rollouts or, even worse, make them untenable.

By protecting APIs from exploitation, companies ensure their ability to drive speed to market, growth opportunities and competitive advantage.

APIs deliver a competitive advantage.

Speed to market is an important underlying factor that contributes to an organization’s competitive advantage. As an industry front runner, businesses have an opportunity to gain the lion’s share of a market and its profits.

In financial services, competitive advantage is a critical business objective, and technology transformation is its core strategic component. Fintech companies have fueled customer expectations, and open banking is right behind them, offering unimaginable innovation and conveniences by easily linking mobile apps to banking accounts.

Banking and financial institutions must stay on the cutting edge of these services to compete and stay relevant. APIs power these capabilities and allow institutions to leapfrog ahead of the competition.

However, security threats and lack of regulatory adherence can compromise successful API implementation and result in costly fines. Businesses must ensure safe passage between the emerging applications and customers’ valuable financial data. APIs represent the access point to PII and other important data assets that attackers target for their own gain and to the detriment of the business.

Dedicated API security is the cost of doing business.

The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs. APIs support the interconnectivity of a company’s crown jewels—the essential and sensitive data that businesses require to deliver their digital goods and services.

Every company that is developing software has become an API-driven company. For API-driven companies, protecting those APIs is no longer a question—it’s simply the cost of doing business in a digitally transformed landscape. Without dedicated API security to protect these crucial connectivity tools, companies put everything at risk—speed to market, competitive advantage and the brand itself.

Last but not least, CISOs must build a collaborative approach to API security. APIs touch all areas of the business. CISOs need to take an active role in educating teams about their API security initiatives and their importance in reducing the company’s risks. CISOs must provide the answers and insights that empower others to help meet security goals.

CISO after CISO will tell you that creating a strong, cross-functional “security-aware” culture continues to be their number one priority. To generate this security mindset, leaders must prioritize relationships, acknowledge everyone’s contribution to security and continuously communicate the vital importance of security to achieve overall business objectives.

https://www.forbes.com/sites/forbestechcouncil/2022/07/29/why-and-how-cisos-are-making-api-security-a-top-priority/

API Security in Action

Tags: API Security

Jun 13 2022

API security warrants its own specific solution

Category: API securityDISC @ 9:01 am
API security warrants its own specific solution

The OWASP Foundation recognizes this fact via the API Security Top 10 list of vulnerabilities and security risks. When we look at the list, there are six common methods of execution. Three of the issues occur due to weak access control and three to business logic abuse, with the remainder existing due to insufficient traffic management, application vulnerabilities, lack of visibility and lack of operational security readiness.

These issues are unique to APIs and make them particularly challenging to secure, so let’s look at each in detail.

1. Broken object level authorisation (BOLA)

Formerly known as Insecure Direct Object References (IDOR), BOLA allows the attacker to perform an unauthorized action by reusing an access token. This method has been widely used to attack IoT devices, for instance, as it can be used to allow the attacker to access other user accounts, change settings and generally wreak havoc much to the embarrassment of the IoT vendor.

The attack relies on the API’s resource IDs or objects not having sufficient validation measures in place. In some cases, the data used by the API has no user validation and is accessible to the public, while in other cases error messages return too much information, providing the attacker with more information on how to abuse the API.

Defending against BOLA attacks requires the validation of all user privileges for all functions across the API. API authorization should be well defined in the API specification and random/unpredictable IDs. It’s also important to test these validation methods on a routine basis.

2. Broken user authentication

An attacker can impersonate a genuine user if there are flaws with user authentication. Mechanisms such as log-in, registration, and password reset can be bombarded with automated attacks and, if poorly secured, will allow weak passwords, return error messages to the user with too much information, lack token validation or have weak or non-existent encryption.

Preventing these abuses requires security to be prioritized during development. All the authentication mechanisms mentioned above need to be identified and multi-factor authentication (MFA) needs to be applied. The development team should also look to implement volumetric and account lockout protection mechanisms to prevent brute force attacks.

3. Excessive data exposure

Some published APIs expose more data than is necessary as they rely on the client app rather than back-end systems to filter. Attackers can use this information to carry out enumeration attacks and build up an understanding of what works and what doesn’t, allowing them to create a “cookbook” for stealing data or for orchestrating a large attack at a later stage.

Limiting data exposure requires the business to understand and tailor the API to user needs. The aim is to provide the minimum amount of data needed, so the API needs to be highly selective in the properties it chooses to return. Sensitive or personally identifiable information (PII) should be classified on backend systems and the API should never rely on client-side filtering.

4. Lack of resources and rate limiting

If the API doesn’t apply sufficient internal rate limiting on parameters such as response timeouts, memory, payload size, number of processes, records and requests, attackers can send multiple API requests creating a denial of service (DoS) attack. This then overwhelms back-end systems, crashing the application or driving resource costs up.

Prevention requires API resource consumption limits to be set. This means setting thresholds for the number of API calls and client notifications such as resets and lockouts. Server-side, validate the size of the response in terms of the number of records and resource consumption tolerances. Finally, define and enforce the maximum size of data the API will support on all incoming parameters and payloads using metrics such as the length of strings and number of array elements.

5. Broken function level authorization

Effectively a different spin on BOLA, this sees the attacker able to send requests to functions that they are not permitted to access. It’s effectively an escalation of privilege because access permissions are not enforced or segregated, enabling the attacker to impersonate admin, helpdesk, or a superuser and to carry out commands or access sensitive functions, paving the way for data exfiltration.

Stopping this level-hopping activity requires authentication workflow to be documented and role-based access to be enforced. This requires a strong access control mechanism that flows from “parent to child” and doesn’t permit the reverse.

6. Mass assignment

The attacker discovers modifiable parameters and server-side variables that they then exploit by creating new users with elevated privileges or by modifying existing user profiles. This can be prevented by limiting or avoiding the use of functions that bind inputs to objects or code variables. The API schema should include input data payloads and enforce segregation by whitelisting client-updatable properties and blacklisting those that should be restricted.

7. Misconfiguration

Incomplete, ad-hoc or insecure default configurations, misconfigured HTTP headers, unnecessary HTTP methods, permissive cross-origin resource sharing (CORS), and verbose error messages containing sensitive information are, unfortunately, all too common in APIs. They’re usually the result of human error, due to a lack of application hardening, poor patching practices or improper encryption and, when discovered by an attacker, can be exploited, leading to fraud and data loss.

Configuration is all about putting in place the right steps during the API lifecycle, so it is advised to implement a repeatable hardening process, a configuration review and update process, and regular assessments of the effectiveness of the settings. Defining and enforcing responses (including those for errors) can also stop information getting back to the attacker. CORS policies should also be put in place to protect browser-based deployments.

8. Injection

A staple of the OWASP Web Application top 10 list, injection attacks see the untrusted injection of code into API requests to execute commands or to gain unauthorized access to data. These attacks can happen when the database or application lacks filtering or validation of client or machine data, allowing the attacker to steal data or inject malware by sending queries and commands direct to the database or application.

The mitigation of injection attacks requires separation between data/commands and queries. Data types and parameter patterns should be identified, and the number of records returned should be limited. All the data from clients and external integrated systems should be validated, tested, and filtered.

9. Improper asset management

Poorly secured APIs such as shadow, deprecated, or end-of-life APIs are highly susceptible to attack. Other threat vectors include pre-production APIs that may have been inadvertently exposed to the public, or a lack of API documentation that has led to an exposed flaw, such as authentication, errors, redirects, rate limiting, etc.

Here it’s critical to look at the API publication process by replacing or updating risk analyses as new APIs are released. Continuous monitoring of the entire API environment, from dev to test, stage and production, including services and data flow is also advised. Adopting an OpenAPI specification can help simplify the process.

10. Insufficient logging and monitoring

Attackers can evade detection entirely if API activity isn’t logged and monitored. Examples of insufficient logging and monitoring include misconfigured API logging levels, messages lacking detail, log integrity not being guaranteed, and APIs being published outside of existing logging and monitoring infrastructure.

Logging and monitoring need to capture enough detail to uncover malicious activity, so it should report on failed authentication attempts, denied access, and input validation errors. A log format should be used that is compatible with standard security tools and API log data should be treated as sensitive whether in transit or at rest.

Unique challenges

All ten attack methods reveal how difficult it can be to secure APIs, which are continuously being spun-up, updated or replaced, sometimes daily. In fact, they’re so numerous that their security can only be enforced using automation. Consequently, many organizations have tried to use rules-based security solutions and code-scanning tools, although these are not equipped to spot the types of abuses identified in the OWASP list. Web application firewalls (WAFs), for instance, offer limited protection because they look for known threats, while an API gateway can create more problems by acting as a single point of failure.

It’s for these reasons that Gartner recently created a distinct API security category, separate from these other tools, in acknowledgement of the fact that APIs have their own set of problems (that are also often unique to the business itself).

In the “Advance your Platform-as-a-Service Security” report, analyst Richard Bartley reveals API security tooling for API discovery and protection should be regarded as having equal importance to and sit between internet edge security (i.e., WAF) and the data plane security layers (i.e., the Cloud Workload Protection Platform or CWPP). This new breed of API security is therefore cloud-native and behavior-based, allowing it to spot and respond to API-specific anomalous activity.

These new tools specifically focus on the prevention of automated attacks against public-facing applications and the persistence of API coding errors. They use machine learning to analyze APIs and web applications coupled with behavioral analysis to determine whether the intent behind API interaction is malicious or benign. They can also act by blocking, rate limiting, geo-fencing and even deceiving attackers, thereby buying time to respond. Such capabilities mean that API-specific security solutions can be applied to aid the developer and to monitor the security of the API throughout its entire lifecycle, thereby preventing the automated attacks and vulnerability exploits identified in the OWASP API Security Top 10.

With APIs continuing to outstrip web apps in the rollout of new services, we must attend to how these are secured or risk building these services on shaky foundations. The hope is that with the OWASP Project highlighting how APIs can be exploited and Gartner creating a distinct new category, the tech sector will finally realize that API security is an anomaly that merits its own solution.

Terminal

API Security in Action

Tags: API Security, API security risks

Sep 17 2021

IBM Report Shows Severity of Cloud Security Challenges

Category: Cloud computingDISC @ 9:22 am
IBM Report Shows Severity of Cloud Security Challenges

IBM Security Services today published a report detailing a raft of issues pertaining to cloud security, including the fact that there are nearly 30,000 cloud accounts potentially for sale on dark web marketplaces.

The report is based on dark web analysis, IBM Security X-Force Red penetration testing data, IBM Security Services metrics, X-Force Incident Response analysis and X-Force Threat Intelligence research.

The report found advertisements for tens of thousands of cloud accounts and resources for sale. Prices generally range from a few dollars to over $15,000 per account for access credentials depending on the amount of cloud resources that might be made accessible. On average, the price tag for cloud access rose an extra $1 for every $15 to $30 in credit the account held. Therefore, an account with $5,000 in available credit would be worth about $250, the report surmised.

In 71% of cases, threat actors offered access to cloud resources via the remote desktop protocol (RDP). X-Force Red found that 100% of their penetration tests into cloud environments in 2021 uncovered issues with either passwords or policy violations. Two-thirds of cloud breaches would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems, the report noted.

More troubling still, IBM research indicates that vulnerabilities in cloud applications are growing, totaling more than 2,500 vulnerabilities for a 150% increase in the last five years. Almost half of the more than 2,500 disclosed vulnerabilities in cloud-deployed applications recorded to date were disclosed in the last 18 months.

The report also notes two-thirds of the incidents analyzed involved improperly configured application programming interfaces (APIs), mainly involving misconfigured API keys that allowed improper access. API credential exposure through public code repositories frequently resulted in access into cloud environments as well, the report noted.

API Security in Action

Tags: API Security, cloud security

Aug 18 2021

Adopting Zero-Trust for API Security

Category: Access Control,App Security,Zero trustDISC @ 11:56 am
Adopting Zero-Trust for API Security

Why Use Zero-Trust for API Security

Think of APIs as the new network; interconnected in complex ways and with API interactions happening both within and outside  of the organization.

“Public-facing APIs—for example, consumer banking—are usually a key area of focus when it comes to zero-trust,” said Dunne. “This is due to the obvious risk exposure when APIs are documented and made available on the public internet.”

However, the larger risk is found in private and internal APIs, because there is a common assumption that since they aren’t documented or found on a public network, they aren’t exposed.

But as threat actors become more sophisticated in their search for and discovery of private APIs, there is increased risk of the bad guys gaining access to massive amounts of sensitive data. Private APIs need the same layers of protection as public-facing APIs.

“APIs are, by definition, atomic in nature—meaning they can be invoked independently,” explained Setu Kulkarni, vice president, strategy at NTT Application Security in an email interview. “That creates a real challenge for securing these APIs.”

Given that, Kulkarni added, a critical consideration for implementing zero-trust in APIs is to ensure that there is appropriate access control built into the API implementation. Every API function call requires not just authentication but also authorization. Also, adding zero-trust around session validation helps to prevent unintended data leakage.

Integrating Zero-Trust in APIs

API Security in Action

Tags: API Security