Imagine your reaction if a stranger appeared from under your bed while you were asleep, committed nefarious actions, and then left without leaving any trace that he was ever there. This is the plot of the Spanish movie Sleep Tight, where César, a concierge of an apartment building who has keys to every residence, is committed to upsetting the lives of his tenants.
Although this scenario may sound absurd in real life, the truth is that situations like this happen every day in today’s business world.
3-Fold Increase in API Attacks Raising Alarms
In the real business world, “strangers” also go undetected within your enterprise databases. And it’s your application programming interface (API) that holds the keys that allow access to those critical databases. In today’s digital era, APIs have become a vital pathway for delivering data and connection services. With E-Commerce websites, for example, API interfaces help systems obtain real-time inventory and logistics information.
Within the context of digital transformation, an increasing number of APIs are being shared with enterprises. As API sharing increases, so do the security risks that accompany their distribution. According to CDNetworks’ State of Web Security 2021, the number of API attacks in 2021 increased by more than 200% over 2020. This explosive 3-fold surge reveals that the API attacks have been valuable targets for cybercriminals.
Gartner predicts that by 2022, API attacks will become the most frequent attack vector, causing data breaches for enterprise web applications, and that by 2024 the threat of security issues related to data breaches will double. In addition to data breaches, attackers have also been known to manipulate API data and overload enterprise servers by attacking API interfaces, all of which puts your online services at risk.
The Three Biggest Challenges Facing Enterprises Today
Being aware of the risks to your API resources is simply not enough. The fact that well-known companies such as Twitter, Facebook, and Instagram have fallen prey to API attacks is serving as a wake-up call for enterprises to re-enforce their API security posture. Some have even postponed the release of new applications for fear of exposing vulnerabilities to themselves and their customers. So the question is: How can today’s enterprises secure and manage API resources to reach the ideal balance between innovation and security?
Challenge 1: Daunting Amount of API Interfaces to be Managed
It is not unusual for a typical system to have thousands of APIs. The rapid development and frequent iterations of API revisions has led to a new threat called “zombie” APIs. Zombie APIs are APIs that have been deprecated and assumed to be disabled, but actually continue to lurk within the application infrastructure. They can be exploited by malicious abusers to steal data, conduct fraudulent transactions, or gain access to an organization’s systems. Given this dire situation, it is no wonder that improper asset management has been listed as one of the OWASP TOP 10 API Security Risks.
The root cause of zombie APIs can be traced back to improper asset management. To address this cause, enterprises are demanding full-cycle management tools that can monitor their entire API inventory, including public and private interfaces.
Challenge 2: Conventional Defense Strategies Lead to False Positives or False Negatives
Unlike web application attacks, most API attacks are initiated without malicious code injections. Rather, these attacks often exploit vulnerabilities inherent in API configurations, such as changes in configuration parameters or creation of extremely complex data structures. Because these vulnerabilities are due to API configurations, it is hard for conventional defense strategies to identify and intercept threats that exploit these vulnerabilities. Moreover, conventional defense strategies can lead to false positives or false negatives. For this reason, enterprises must adopt multi-dimensional defense strategies aimed directly at API attacks.
Challenge 3: Bad Performance during High Traffic Periods
API resources are now applicable to many scenarios and many industries. Some E-Commerce online platforms, for example, may regularly launch shopping festivals, such as Black Friday or Double Eleven, that last for several days. If servers are not sufficiently robust in handling the traffic that such festivals encourage, the servers may crash. Therefore, it is essential for organizations to strengthen their ability to distribute large amounts of traffic so they can handle concurrent traffic and stop cyberattacks at the edge.
Building a Full-cycle API Management Solution
From this discussion, we can see that API inventory management, security and protection, and visibility and analysis are key factors for safeguarding enterprise API resources. To that end, CDNetworks provides a full lifecycle management solution called API Shield（API安全防护） that addresses these critical factors using a three-dimensional approach.
When it comes to managing API inventory, API Shield uses advanced log analysis technologies to discover unknown API assets. By identifying request parameters and their corresponding API URLs, CDNetworks can assist enterprises in locating lost-contact API assets, defining API resources, and then managing their privacy and other critical factors across their full lifecycle. In this way, API Shield eliminates potential risks if those lost-contact API assets present themselves as new attack vectors in the future.
To ensure that all API calls are legitimate, API Shield uses multiple technologies to conduct authentication, multi-level compliance detection, and limiting request and concurrent request methods, among other tools, to identify malicious parameters, and then blocks the suspicious users. API Shield also performs other proactive actions based on observed risks and threat types. As one member of CDNetworks’ holistic solution, API Shield has been designed to work in concert with Application Shield(DDoS防护及Web应用防火墙) (DDoS Mitigation and WAF) and Bot Shield(机器人防护与管理) (Bot Management) to provide a comprehensive, one-stop cloud Web Application and API Protection (WAAP) solution.
Visibility & Analysis
API Shield offers a visual dashboard for enterprises to identify trends and guide business decisions, investigations, and security strategies. API Shield allows API traffic traversing the CDNetworks platform to be analyzed and correlated in context from many perspectives, including API distribution, API request trends, request source distributions, consumer calls, and risk event trends, to deliver the most accurate results possible. By doing so, enterprise can stop API threats before they materialize and, at the same time, identify which attackers pose the greatest risks.
To date, CDNetworks API Shield has protected business and data for a myriad of organizations, from 电子商务, Finance, and business travel to government affairs, medical care, and more. CDNetworks’ security platform continues to effectively block more than 600,000 malicious API calls per enterprise per day. To learn more about how we can protect your API resources and business, please contact us to get a free trial of CDNetworks’ API Shield.
As a global-leading CDN (Content Delivery Network) and Edge Service provider, CDNetworks delivers fully integrated cloud and edge computing solutions with unparalleled speed, ultra-low latency, rigorous security, and reliability. Our diverse products and services include web performance, media delivery, enterprise applications, cloud security, and colocation services — all of which are designed to spur business innovation.