Thursday, 20 August 2020 19:25

How to Keep APIs secure from bot attacks

By Yaniv Hoffman, Radware

GUEST OPINION by Yaniv Hoffman, Vice President Technologies, Radware: The widespread adoption of mobile and IoT devices, emerging ‘serverless’ architectures hosted in public clouds, and the growing dependency on machine-to-machine communication are driving changes in modern application architectures.

Application programming interfaces (APIs) have emerged as the bridge to facilitate communication between different application architectures. APIs allow for quicker integration and faster deployment of new services.

In addition, DevOps requires end-to-end process automation that leverages APIs for service provisioning, platform management and continuous deployment.

Despite rapid and widespread deployment, APIs remain poorly protected and automated threats are mounting. Personally identifiable information (PII), payment card details and business-critical services are at risk due to bot attacks.

Symptoms of Bot Attacks on APIs are:

  • A single HTTP request per unique browser, session or device
  • An increase in the rate of errors (e.g., HTTP status code 404, data validation failures, authorisation failures, etc.)
  • Extremely high application usage from a single IP address or API token
  • A sudden uptick in API usage from a large, distributed set of IP addresses
  • A high ratio of GET/POST to HEAD requests for a user/session/IP address/API token compared with legitimate users.
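The symptoms above can be turned into simple per-client heuristics. The following is an added example (not Radware's code): it parses a constructed access-log sample and flags clients with unusually high volume, a high 4xx error ratio, or a GET/POST-to-HEAD ratio far above what interactive clients produce; the log format, client addresses and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log, one request per line: "<client> <method> <path> <status>";
# the client key is an IP here but could equally be a session id or API token.
SAMPLE_LOG = """\
10.0.0.5 GET /api/v1/users/1 200
10.0.0.5 HEAD /api/v1/users/1 200
10.0.0.5 GET /api/v1/orders 200
198.51.100.7 GET /api/v1/users/1 404
198.51.100.7 GET /api/v1/users/2 404
198.51.100.7 POST /api/v1/login 401
198.51.100.7 POST /api/v1/login 401
198.51.100.7 POST /api/v1/login 401
198.51.100.7 GET /api/v1/users/4 200
"""

def parse_log(text):
    """Yield (client, method, path, status) tuples from the constructed log format."""
    for line in text.splitlines():
        client, method, path, status = line.split()
        yield client, method, path, int(status)

def score_clients(text, max_requests=5, max_error_ratio=0.5, max_get_post_per_head=5):
    """Aggregate per client and return {client: [symptom, ...]} for clients that
    trip any heuristic. Thresholds are illustrative assumptions, not tuned values."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "head": 0, "get_post": 0})
    for client, method, _path, status in parse_log(text):
        s = stats[client]
        s["total"] += 1
        if 400 <= status < 500:  # 404s, validation and authorisation failures
            s["errors"] += 1
        if method == "HEAD":
            s["head"] += 1
        elif method in ("GET", "POST"):
            s["get_post"] += 1
    flagged = {}
    for client, s in stats.items():
        symptoms = []
        if s["total"] > max_requests:
            symptoms.append("extremely high usage from one client")
        if s["errors"] / s["total"] > max_error_ratio:
            symptoms.append("elevated error rate")
        # Real clients issue some HEAD requests; scripted ones are mostly GET/POST.
        if s["get_post"] > max_get_post_per_head * max(s["head"], 1):
            symptoms.append("high GET/POST to HEAD ratio")
        if symptoms:
            flagged[client] = symptoms
    return flagged
```

In production the same aggregation would run over a sliding time window and be keyed by API token or session as well as IP.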

Key API vulnerabilities and automated attacks

Authentication flaws and account takeover. Many APIs do not check authentication status when the request comes from a genuine user. Attackers exploit such flaws in different ways, such as session hijacking and account aggregation, to imitate genuine API calls.

Attackers also reverse engineer mobile applications to discover how APIs are invoked. If API keys are embedded into the application, an API breach may occur. API keys should not be used for user authentication. Cyber criminals also perform credential stuffing attacks to take over user accounts.

Lack of robust encryption. Many APIs lack robust encryption between the API client and server. Attackers exploit vulnerabilities through man-in-the-middle attacks. Attackers intercept unencrypted or poorly protected API transactions to steal sensitive information or alter transaction data.

Also, the ubiquitous use of mobile devices, cloud systems and microservice patterns further complicates API security because multiple gateways are now involved in facilitating interoperability among diverse web applications. The encryption of data flowing through all these channels is paramount.

Business logic vulnerability. APIs are vulnerable to business logic abuse. This is exactly why a dedicated bot management solution is required and why applying detection heuristics that are good for both web and mobile apps can generate many errors — false positives and false negatives.

Poor endpoint security. Most IoT devices and microservice tools are programmed to communicate with the server via API channels. These devices authenticate themselves on API servers using client certificates. Hackers attempt to gain control over an API from the IoT endpoint, and if they succeed, they can easily re-sequence the API order, thereby resulting in a data breach.

An API security checklist

The following top 9 best practices are a must for protecting API infrastructures against hacking and abuse:

  • Monitor and manage API calls coming from automated scripts (bots)
  • Drop primitive authentication
  • Implement measures to prevent API access by sophisticated human-like bots
  • Use robust encryption
  • Deploy token-based rate limiting equipped with features to limit API access based on the number of IPs, sessions and tokens
  • Log requests and responses comprehensively
  • Scan the incoming requests for malicious intent
  • Support a clustered API implementation to handle fault tolerance
  • Track the usage and journey of API calls to find anomalies.
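The rate-limiting item above asks for limits keyed on IPs, sessions and tokens together. As an added illustration (not Radware's code or any product API), the hypothetical class below applies a token bucket on each of the three dimensions at once and additionally refuses an API token that is seen from more distinct IPs than expected, which is a common account-aggregation signal; capacities, refill rates and the IP cap are assumptions.

```python
import time
from collections import defaultdict

class ApiRateLimiter:
    """Token-bucket limits per IP, per session and per API token, plus a cap on
    distinct IPs per token. Hypothetical example; tune the numbers per deployment."""

    def __init__(self, limits, max_ips_per_token=3, clock=time.monotonic):
        # limits: {"ip": (capacity, refill_per_sec), "session": (...), "token": (...)}
        self.limits = limits
        self.max_ips_per_token = max_ips_per_token
        self.clock = clock                 # injectable so tests can control time
        self.buckets = {}                  # (dimension, key) -> [tokens, last_refill]
        self.token_ips = defaultdict(set)  # api token -> IPs it has been used from

    def _take(self, dimension, key):
        """Refill the bucket for (dimension, key) and spend one token if available."""
        capacity, refill = self.limits[dimension]
        now = self.clock()
        tokens, last = self.buckets.get((dimension, key), (capacity, now))
        tokens = min(capacity, tokens + (now - last) * refill)
        if tokens < 1:
            self.buckets[(dimension, key)] = [tokens, now]
            return False
        self.buckets[(dimension, key)] = [tokens - 1, now]
        return True

    def allow(self, ip, session, token):
        """Return (allowed, reason). A request must pass every dimension; buckets
        already charged before a later dimension denies stay charged on purpose."""
        self.token_ips[token].add(ip)
        if len(self.token_ips[token]) > self.max_ips_per_token:
            return False, "token used from too many IPs"
        for dimension, key in (("ip", ip), ("session", session), ("token", token)):
            if not self._take(dimension, key):
                return False, f"{dimension} rate limit exceeded"
        return True, "ok"
```

Denied requests should still be logged with the reason, since the per-dimension counters are exactly the anomaly signals the checklist asks you to track.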
