GUEST ESSAY – A primer on ‘WAAP’ – an approach to securing APIs at the web app layer

By Venkatesh Sundar

One could make the argument that Application Programming Interfaces — APIs – are a vital cornerstone of digital transformation.

Related: How a dynamic WAF can help protect SMBs

APIs interconnect the underlying components of modern digital services in a very flexible, open way. This has resulted in astounding innovations in cloud services, mobile computing, IoT systems and agile software development.

However, APIs have gained traction so rapidly and deeply that not nearly enough attention has been paid to the associated security shortcomings. Many organizations, SMBs and enterprises alike, do not understand the scope and scale of their deployments of APIs, much less how to go about effectively securing their APIs.

No surprise: threat actors are taking full advantage. Today, criminal hackers rather routinely leverage loosely-configured and lightly-monitored APIs in two ways: to gain a foothold in the early stages of multi-stage network attacks, and later to encrypt crucial systems and/or exfiltrate sensitive data.

API complexity

Whether it’s IoT (Internet of Things) devices, desktop applications, web applications native to the web browsers, or mobile applications – all these types of software rely on APIs in one way or another.

API refers to a set of rules that enable seamless transfer of application functionality. When we talk about the superpower of this microservice architecture, we should not forget- ‘great power comes with great responsibility’ – this holds true for API security.

Sundar

API security is more complex than traditional web security. The cost of spotting and fixing an API vulnerability can be 2X higher than fixing a web services’ bug. You might be tempted to think multiple layers of web application security are enough to cover APIs. But APIs security should not be considered the extension of web security.

Of course, there are common vulnerabilities between APIs and web applications, like buffer overflows, SQL injections, and broken authentication. But the move towards APIs has changed the basic communication metaphor between the clients and server, making it more vulnerable to functional attacks.

Tool limitations

The general-purpose application security tools like DAST, SAST, and WAF lack visibility on the extent of API security.

•WAF (Web Application Firewall) employs setting rules based on IP addresses, and monitoring traffics to block malicious IPs. These techniques can be effective enough to ward off simple web application attacks, but this is not the case with APIs, which have no signature that exploits unique application defects. At this point, other aspects of security beyond the signature-based analysis become critical.

•SAST (Static Application Security Testing) was not designed for API-centric apps. APIs are constructed with myriads of 3rd party frameworks and detecting application entry pointy is tricky. The unsupported framework and complex data flow reduce the accuracy of SAST assessment leading to high false positives.

•DAST (Dynamic Application Security Testing) lacks the context of APIs with automated testing and requires costly first time manual Penetration testing effort. This black box assessment analyzes running apps by enumerating endpoints as attackers or users would. With the complexity of API endpoints, the DAST scanners cannot have a deeper understanding of API security unless it is augmented with Manual PT effort.

The protection of APIs is not as adequate as what goes into a web application, making it ripe for API abuse. Addressing this challenge requires a deeper understanding of the nature of APIs.

How WAAP can help

Organizations can leverage a web application and API protection (WAAP), a unified positive security model for API security.

WAAP refers to a set of cloud-based security services specially designed to protect web applications and APIs. This security tool is far more advanced than a WAF that mostly monitors OWASP application threats. This, in effect, expanded WAF integrates, observes, and takes intuitive action when needed. With real-time logs and statistics, it can integrate well with the other applications the company uses.

 APIs are not insecure by nature, but due to the complexity and quantity of API adoption, it is easy to have security gaps and cyber risks waiting to leap out. Without proper functions, security testing, authentication checks, and input validation, APIs can become a perfect target. Hackers just need one loophole for a successful exploit.

They should try to innovate on further automating the discovery part of the API application, along with WAAP policy sets based on focused risk assessment done periodically on the API.

About the essayist: Venkatesh Sundar is founder and CMO of Indusface, an, India-based supplier of a managed platform used by more than 2,000 global customers to secure critical web, mobile and API applications.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone