The API Security Ebook - 2022 - Ebook

The document discusses threats to APIs from automated attacks, specifically covering account takeover, application DDoS, credential cracking, and web scraping attacks. It notes that APIs remain vulnerable to these bot-based attacks despite widespread usage, and that protecting APIs from these threats requires distinguishing legitimate API calls from bad ones. Symptoms of bot attacks on APIs include abnormal usage patterns from single IP addresses or tokens.


EBook: API Security

The API Security eBook

Contents
Introduction
Automated Threats to APIs
Four Assumptions that Prevent Effective API Protection
Key Capabilities for Comprehensive Application and API Security
API Security Checklist
About Radware

Introduction
APIs are the quintessential double-edged sword. They are the cement that interconnects systems and applications, but they add security vulnerabilities and complicate protection strategies and application development.

API development and usage has increased astronomically in recent years, fueled by digital transformation and the central role APIs play in both mobile apps and IoT. According to recent market research, API attack traffic has tripled in growth compared to overall API traffic.

As a result, securing APIs and safeguarding them from data theft, manipulation, DDoS attacks and more has never been more critical. This requires ensuring APIs are protected against all threat vectors, but more importantly, understanding the role that various security solutions play in securing APIs and why API protection must now be part of a holistic application security strategy.

No matter how many APIs your organization chooses to share publicly, your ultimate goal should be to establish a comprehensive API and application security strategy that proactively manages API security over time.

This e-book provides an overview of the scale of the problem, common misconceptions that exist about API security, the threat landscape targeting them and best practices and capabilities to secure them.

The Numbers Behind API Security
• “By 2023, API abuses will move from infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications.”
• Unmanaged and unsecure APIs create vulnerabilities that can accelerate multimillion-dollar security incidents.
• By 2025, more than 50% of data theft will be due to unsecure APIs.
Source: “Predicts 2022: APIs Demand Improved Security and Management,” Gartner Research, December 6, 2021.

Prev Next Radware | API Security eBook 2


Automated Threats to APIs
Bots and automated threats present some of the gravest risks to APIs, and despite their rapid and widespread deployment, APIs remain vulnerable to automated threats. Personally identifiable information, payment details and business-critical services are all vulnerable to bot-based cyberattacks. Here are six bot-based attack vectors that present a big threat to APIs.

API Abuse
Attackers reverse engineer mobile and web applications to hijack API calls and program bots to invade your business APIs. They target APIs to take over accounts, scrape business-critical data and perform application distributed denial of service (DDoS) attacks. Bots deluge the API server with unwanted requests. It’s essential for online businesses to accurately distinguish between good API calls and bad API calls.

Vulnerabilities in APIs are abused by cybercriminals and nefarious parties to steal personally identifiable information (PII) and business-critical data, carry out account takeover attacks and systematically execute website content scraping campaigns. Types of bot-executed API abuse attacks include application DDoS, account takeover and web scraping (see below).

Account Takeover
Account takeover (ATO) is a form of identity theft where a fraudster illegally uses bots to get access to a victim’s bank, e-commerce site or other types of accounts. A successful ATO attack leads to fraudulent transactions and unauthorized shopping from the victim’s compromised account. Fraudsters use two primary methods to hijack accounts: credential stuffing and credential cracking.



Application DDoS
APIs can be attacked by hackers and cybercriminals who intentionally overload APIs with large volumes of bot traffic from multiple devices and IP addresses. For enterprises, business-critical services are thus put at risk, such as login services, session management and other services that enable application uptime and availability for users.

Attackers who carry out DDoS campaigns often use asymmetrical techniques through which they send small volumes of data to generate API calls, which usually result in servers being heavily overloaded because they have to answer such API calls with much larger volumes of data. Such attacks seriously tie up system resources and greatly increase server response times for all users of the system.

Credential Cracking or Brute Force
Also known as “brute forcing,” credential cracking is a way to identify valid credentials by trying different values for usernames and passwords (usually from lists of breached account credentials that were made public by malicious parties and hackers). Hackers deploy bots to hack into customers’ accounts using the brute force approach, dictionary attacks (inputting large numbers of words) and guessing attacks to identify valid login credentials. Brute force attack symptoms include a sudden increase in failed login attempts and high numbers of account hijacking complaints from customers.

Symptoms of Bot Attacks on APIs
• Single HTTP request (from a unique browser, session or a device)
• An increase in the rate of errors (HTTP status code 404, data validation failures, authorization failures and more)
• Extremely high application usage from a single IP address or API token
• A sudden uptick in API usage from large, distributed IP addresses
• A high ratio of GET/POST to HEAD requests for a user, session, IP address or API token compared to legitimate users



Credential Stuffing
Credential stuffing exploits users’ propensity to use the same username and password on multiple websites. Hackers use bots to test lists of credentials obtained as a result of data dumps of breached credentials (or purchased from the dark web) against a range of websites in the hope that a victim has used the same combination of credentials on multiple sites. Unlike credential cracking, credential stuffing doesn’t involve brute force or guessing of any values; instead, mass login attempts are used to verify the stolen username and password pairs. Credential stuffing symptoms include consecutive login attempts with different credentials from the same HTTP client.

Web Scraping
Competitors, fraudsters and “fly-by-night” operators who set up websites to defraud consumers often plagiarize an entire website’s content by carrying out systematic scraping campaigns using bots to extract data from APIs. Hackers also try to reverse engineer web and mobile applications to hijack API calls and carry out scraping attacks.
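As an added example (not from the e-book), the following Python script applies the bot-attack symptoms listed above (error-rate increase, high usage from one IP address or token, a spike in failed logins) together with the credential stuffing symptom (consecutive logins with different credentials from one HTTP client) to a constructed API access log. The log format, thresholds and sample lines are assumptions made for the example.

```python
# Added example (not from the e-book): an offline detector that applies the
# e-book's bot-attack symptoms to API access logs. Log format, thresholds
# and sample lines are all constructed for the example.
import re
from collections import defaultdict

# Constructed log format: "<ip> <token> <method> <path> <status> [user=<name>]"
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<token>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3})(?: user=(?P<user>\S+))?$"
)

# Thresholds are assumptions; tune them against a baseline of legitimate traffic.
MAX_REQUESTS_PER_SOURCE = 50   # "extremely high usage from a single IP or token"
MAX_ERROR_RATE = 0.5           # "increase in the rate of errors" (4xx/5xx share)
MAX_DISTINCT_LOGIN_USERS = 5   # "login attempts with different credentials"
MAX_FAILED_LOGINS = 10         # "sudden increase in failed login attempts"

def analyze(lines, login_path="/api/login"):
    """Return {source: [symptom, ...]} for every source showing a symptom.
    A source is an IP address or an API token, as in the e-book's symptom list."""
    stats = defaultdict(lambda: {"n": 0, "err": 0, "users": set(), "failed": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        rec = m.groupdict()
        status = int(rec["status"])
        # Attribute the request to both its IP and its token ("-" = no token),
        # so an attack that rotates IPs but reuses one token is still caught.
        sources = {"ip:" + rec["ip"]}
        if rec["token"] != "-":
            sources.add("token:" + rec["token"])
        for src in sources:
            s = stats[src]
            s["n"] += 1
            if status >= 400:
                s["err"] += 1
            if rec["path"] == login_path and rec["user"]:
                s["users"].add(rec["user"])
                if status == 401:
                    s["failed"] += 1
    findings = {}
    for src, s in stats.items():
        symptoms = []
        if s["n"] > MAX_REQUESTS_PER_SOURCE:
            symptoms.append("high_request_volume")
        if s["n"] >= 10 and s["err"] / s["n"] > MAX_ERROR_RATE:
            symptoms.append("high_error_rate")
        if len(s["users"]) > MAX_DISTINCT_LOGIN_USERS:
            symptoms.append("credential_stuffing_pattern")
        if s["failed"] > MAX_FAILED_LOGINS:
            symptoms.append("brute_force_pattern")
        if symptoms:
            findings[src] = symptoms
    return findings

# Constructed sample: one legitimate client, and one client cycling through
# twenty leaked username/password pairs against the login endpoint.
SAMPLE_LOG = (
    ["203.0.113.7 tokA GET /api/orders 200",
     "203.0.113.7 tokA POST /api/login 200 user=alice"]
    + [f"198.51.100.9 - POST /api/login 401 user=user{i}" for i in range(20)]
)
```

Running `analyze(SAMPLE_LOG)` flags only the second client, with the error-rate, credential stuffing and brute force symptoms.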



Four Assumptions that Prevent Effective API Protection

Assumption 1: A WAF Protects Applications and APIs
While this assumption is partially true, APIs are exposed to certain threat vectors that many WAFs can’t mitigate. Most WAFs are designed to protect web application vulnerabilities. APIs require specific analysis, such as the ability to parse their content and compare it against the API’s specific schema. Most WAFs do not have these capabilities.

Additionally, most WAF solutions only leverage negative security models, thereby limiting their protection against zero-day attacks. The OWASP API Security – Top 10 includes numerous attack vectors that negative security models do not mitigate. Rather, these attack vectors must be stopped using a positive security model and behavioral analysis that identifies whether an API call is malicious or not.

Finally, malicious bots and other automated threats present one of the gravest threats to APIs. It’s critical to have advanced bot management capabilities to distinguish between legitimate and malicious bots to stop account takeover attacks, data scraping and application DoS attacks. WAFs do not provide these sorts of advanced capabilities.

Assumption 2: An API Gateway Manages and Protects APIs
API gateways manage the lifecycle of APIs (including protocol translation, routing, API versioning and more). They also provide important security functionality, such as application and user authentication, access control (ACL or JWT), encryption tunnels, rate limiting and others. Some API gateways incorporate a basic signature protection engine as well.



While these functionalities are crucial to protecting APIs, they are not enough to provide comprehensive protection. There is no API gateway that currently provides bot protection capabilities, behavioral analysis and application DoS protection or leverages a positive security model.

Read “Why API Gateways Are Not Enough to Secure APIs” to learn more.

Additionally, while API calls are centralized to pass through API gateways, this only applies to documented APIs. API gateways don’t provide auto discovery capabilities, thereby leaving undocumented APIs unprotected.

Assumption 3: If APIs Are Well Documented, That Provides Effective Protection
Effective API protection requires an understanding of the API structure, possible parameters, types and ranges of values and the expected content of the API body. Well-documented APIs combined with a good API protection solution will dramatically increase protection.

However, in most cases, not all APIs are documented. And even if they are, APIs change more frequently than applications. As a result, API documentation and security policies must be updated regularly, which can be a resource intensive, time-consuming task when performed manually.

Effective API protection must include auto discovery of APIs. This includes discovering their existence, structure (that is, schema), possible parameters, type of parameters and their value ranges. A good discovery engine can also automatically generate and apply a tailored security policy to match the discovered APIs. This is the best way to effectively protect an API throughout its lifecycle.



Assumption 4: A Dedicated API Protection Solution Provides Adequate Protection
Ensuring comprehensive API protection that covers the aforementioned recommendations is a start, but it is not enough to protect associated applications. API and application protection are two sides of the same coin when it comes to security. Threat actors who can’t exploit API vulnerabilities will simply focus their efforts elsewhere, such as an application vulnerability unrelated to the API or by assaulting the application infrastructure.

API and application protection must be viewed holistically; your security is only as strong as its weakest link. API protection is one important component in your overall application protection architecture, which should also include WAF, bot management and DDoS protection.

If you can manage these solutions from a single pane of glass and synchronize them, you’ll ensure comprehensive application and API protection.

The Numbers Behind API Security
By 2025, fewer than 50% of enterprise APIs will be managed, as explosive growth in APIs will surpass the capabilities of API management tools.
Source: “Predicts 2022: APIs Demand Improved Security and Management,” Gartner Research, December 6, 2021.



Key Capabilities for Comprehensive Application and API Security
Ultimately, your goal should be to establish a comprehensive application and API security strategy that manages API, application and infrastructure protection holistically. An enterprise-grade API security solution leverages automated API discovery and provides machine learning–based algorithms to generate and optimize security policies in near-real time. These capabilities should be tightly integrated with bot management, application security and DDoS mitigation solutions. Consider the following capabilities when evaluating API security solutions.

Frictionless API Auto Discovery
In many organizations, not all API documentation is properly detailed, updated or actually created. To tailor a dedicated security policy for these types of APIs, automated API discovery algorithms should be leveraged to continuously discover APIs, their endpoints and undocumented changes. Based on the discovered API catalogs, a tailored security policy is generated to protect these APIs. The result is frictionless, optimized protection for documented and undocumented APIs.

Positive and Negative
Accurate auto-policy generation based on both positive and negative security models helps continuously optimize security policies and eliminate false positives.



Schema Enforcement
Whether provided through an OpenAPI documentation file or the aforementioned auto discovery, every API endpoint includes definitions for its parameters’ type, size and value range. All API request content (API parameters, headers and body) will be scanned against the defined parameters. If a parameter’s value in the request does not conform to the defined parameter schema, it will be blocked.

Embedded Attack Protection
Scanning allowed API requests helps detect and block known types of attacks embedded in the API parameters, including injections, deserialization attacks, JSON exploits, XML bombs and more.
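As an added example (not from the e-book, and not any vendor's engine), the following Python code shows the two capabilities just described working together, and the positive/negative model distinction drawn in Assumption 1: a request body is first checked against a per-endpoint parameter schema (positive model; non-conforming requests are blocked), and only conforming requests are then scanned for known attack signatures in their string parameters (negative model). The schema format, the endpoint, the signature patterns and the sample requests are assumptions constructed for the example.

```python
# Added example (not from the e-book): positive-model schema enforcement for
# one endpoint, followed by a negative-model scan of the values it allows.
# The schema format, patterns and sample requests are constructed.
import re

# Constructed per-endpoint schema in the spirit of an OpenAPI parameter
# definition: expected type, size limit and allowed value range per field.
ORDER_SCHEMA = {
    "order_id": {"type": int, "min": 1, "max": 10**9},
    "quantity": {"type": int, "min": 1, "max": 100},
    "note": {"type": str, "max_len": 200},
    "currency": {"type": str, "enum": {"USD", "EUR", "GBP"}},
}

# Negative model: a few signatures for payloads embedded in string parameters.
# A real engine relies on a much larger, continuously maintained signature set.
EMBEDDED_ATTACK_PATTERNS = {
    "sql_injection": re.compile(r"(?i)(\bunion\s+select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)"),
    "xss": re.compile(r"(?i)<\s*script\b"),
    "xml_bomb": re.compile(r"(?i)<!ENTITY\b"),
}

def enforce_schema(body, schema):
    """Return a list of violations; an empty list means the request conforms."""
    violations = []
    for name in body:
        if name not in schema:
            violations.append(f"{name}: undocumented parameter")
    for name, rule in schema.items():
        if name not in body:
            violations.append(f"{name}: missing")
            continue
        value = body[name]
        # Exact type match: bool is a subclass of int in Python and must not
        # slip through as an integer field.
        if type(value) is not rule["type"]:
            violations.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "min" in rule and value < rule["min"]:
            violations.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            violations.append(f"{name}: above maximum {rule['max']}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            violations.append(f"{name}: longer than {rule['max_len']}")
        if "enum" in rule and value not in rule["enum"]:
            violations.append(f"{name}: not an allowed value")
    return violations

def scan_embedded_attacks(body):
    """Scan string parameters that passed the schema for known attack signatures."""
    hits = []
    for name, value in body.items():
        if isinstance(value, str):
            for label, pattern in EMBEDDED_ATTACK_PATTERNS.items():
                if pattern.search(value):
                    hits.append(f"{name}: {label}")
    return hits

def inspect_request(body, schema=ORDER_SCHEMA):
    """Positive model first; only schema-conforming requests reach the signature scan.
    Returns ("allow", []) or ("block", [reasons...])."""
    violations = enforce_schema(body, schema)
    if violations:
        return ("block", violations)
    hits = scan_embedded_attacks(body)
    return ("block", hits) if hits else ("allow", [])
```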

Security Policy Self-Optimization
Machine learning–based security algorithms help ensure security policies are accurate enough to block attacks while not impacting or blocking legitimate traffic. They should automatically suggest and apply security policy adjustments on the fly to correct and eliminate false positives.

API Protection Against Automated Threats
Machine-learning algorithms detect malicious bot activities targeting APIs from automated attacks such as account takeover attacks (token cracking, credential stuffing and account creation), content scraping and data harvesting and fraud.



Data Leakage Prevention
API responses and requests are inspected to detect sensitive data (CCN/SSN/ID) and mask it.

API Quota Management
To ensure API usage is not abused or overused, an API protection solution should limit the number of API calls during a configurable timeframe per API endpoint and per source.
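As an added example (not from the e-book), the following Python class implements the quota just described: a sliding-window limit on the number of calls per API endpoint and per source (IP address or API token) within a configurable timeframe, with a tighter quota on the login endpoint that the earlier sections single out as the target of credential stuffing and cracking. The endpoints, limits and simulated traffic are assumptions constructed for the example.

```python
# Added example (not from the e-book): a per-endpoint, per-source quota
# limiter with a configurable time window. Limits and traffic are constructed.
from collections import defaultdict, deque

class ApiQuota:
    """Sliding-window quota keyed by (endpoint, source).

    `limits` maps an endpoint path to (max_calls, window_seconds); a source is
    the caller's IP address or API token. Calls over the limit are rejected
    and the result carries a retry-after hint derived from the oldest call
    still inside the window.
    """

    def __init__(self, limits, default=(100, 60)):
        self.limits = limits
        self.default = default
        self._calls = defaultdict(deque)  # (endpoint, source) -> timestamps

    def check(self, endpoint, source, now):
        """Return (allowed, retry_after_seconds). The clock is injected so the
        logic is deterministic and testable without sleeping."""
        max_calls, window = self.limits.get(endpoint, self.default)
        q = self._calls[(endpoint, source)]
        # Drop calls that have aged out of the window.
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= max_calls:
            return False, window - (now - q[0])
        q.append(now)
        return True, 0.0

# Constructed limits: the login endpoint gets a tight quota because it is the
# target of credential stuffing and cracking; catalogue reads are generous.
LIMITS = {"/api/login": (5, 60), "/api/catalog": (1000, 60)}

def simulate_burst(quota, endpoint, source, calls, start=0.0, gap=0.1):
    """Issue `calls` requests `gap` seconds apart; return how many were allowed."""
    allowed = 0
    for i in range(calls):
        ok, _ = quota.check(endpoint, source, start + i * gap)
        allowed += ok
    return allowed

if __name__ == "__main__":
    q = ApiQuota(LIMITS)
    print(simulate_burst(q, "/api/login", "token:abc", 20))  # 5 allowed, 15 rejected
    print(q.check("/api/login", "token:abc", 60.0))          # oldest call aged out
```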

Consistent and Agnostic Security
A single security engine and policy should be applied across any and all environments – on premise, private cloud and public cloud – and underlying application architectures.


API Security Checklist
For comprehensive application and API protection, ensure you’re aligning specific use cases with the right security solutions.

Use Case | Security Solution
Monitor and manage API calls coming from automated scripts (bots) | Bot Management Solution
Implement measures to prevent API access by sophisticated human-like bots | Bot Management Solution
Ensure each API call is authenticated and authorized | API Gateway
Enable robust encryption | Application Delivery Controller
Deploy token-based rate limiting equipped with features to limit API access based on the number of IPs, sessions and tokens | API Gateway/API Protection Solution
Enable comprehensive logging of requests and responses | API Gateway/API Protection Solution
Scan incoming requests for malicious intent | API Protection Solution/Bot Management
Scan all parts of the API (header, body and parameters) | API Protection Solution
Support clustered API implementation to handle fault tolerance and scalability | Application Delivery Controller
Use positive and negative security models to protect against zero-day attacks | WAF/API Protection Solution
Track usage and journey of API calls to find anomalies | Bot Management/API Protection Solution
Ensure API infrastructure security and management is scalable | Application Delivery Controller
Follow a methodology to eliminate false positives using automated tools (preferred) | API Protection Solution/WAF
Enable API endpoints quota management | API Gateway/API Protection



Download “How to Keep Apps and APIs Secure in an Interconnected World” to understand six key strategies for comprehensive application and API protection.

Learn more: “How Radware Secures APIs to Protect Data and Safeguard Applications.”



About Radware
Radware® (NASDAQ: RDWR) is a global leader of cybersecurity and application delivery solutions for physical, cloud and software-defined data centers. Its award-winning solutions portfolio secures the digital experience by providing infrastructure, application and corporate IT protection and availability services to enterprises globally. Radware’s solutions empower more than 12,500 enterprise and carrier customers worldwide to adapt quickly to market challenges, maintain business continuity and achieve maximum productivity while keeping costs down. For more information, please visit www.radware.com.

Radware encourages you to join our community and follow us on: Radware Blog, LinkedIn, Facebook, Twitter, SlideShare, YouTube, Radware Connect app for iPhone® and our security center DDoSWarriors.com that provides a comprehensive analysis of DDoS attack tools, trends and threats.

© 2022 Radware Ltd. All rights reserved. The Radware products and solutions mentioned in this document are protected by trademarks, patents and pending patent applications
of Radware in the U.S. and other countries. For more details, please see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.
