
Thursday, 20 August 2020 19:25

How to Keep APIs secure from bot attacks

By Yaniv Hoffman, Vice President Technologies, Radware

GUEST OPINION by Yaniv Hoffman, Vice President Technologies, Radware: The widespread adoption of mobile IoT devices, emerging ‘serverless’ architectures hosted in public clouds, and the growing dependency on machine-to-machine communication are driving changes to modern application architectures.

Application programming interfaces (APIs) have emerged as the bridge to facilitate communication between different application architectures. APIs allow for quicker integration and faster deployment of new services.

In addition, DevOps requires end-to-end process automation that leverages APIs for service provisioning, platform management and continuous deployment.

Despite rapid and widespread deployment, APIs remain poorly protected and automated threats are mounting. Personally identifiable information (PII), payment card details and business-critical services are at risk due to bot attacks.

Symptoms of bot attacks on APIs include:

  • A single HTTP request from a unique browser, session or device
  • An increase in the rate of errors (e.g., HTTP status code 404, data validation failures, authorisation failures, etc.)
  • Extremely high application usage from a single IP address or API token
  • A sudden uptick in API usage from large, distributed IP addresses
  • A high ratio of GET/POST to HEAD requests for a user/session/IP address/API token compared to legitimate users.
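The symptoms above map onto simple per-token and per-IP counters. The following is an added example, not code from the article or from Radware, that runs those heuristics over a constructed sample log; the log layout, field names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample API access log ("ip token method path status"), not real traffic:
# tok-A hammers the accounts endpoint and mostly gets 404s, tok-B looks like a normal client.
SAMPLE_LOG = """\
203.0.113.5 tok-A GET /api/v1/accounts/1001 404
203.0.113.5 tok-A GET /api/v1/accounts/1002 404
203.0.113.5 tok-A GET /api/v1/accounts/1003 200
203.0.113.5 tok-A GET /api/v1/accounts/1004 404
203.0.113.5 tok-A GET /api/v1/accounts/1005 404
203.0.113.5 tok-A GET /api/v1/accounts/1006 404
198.51.100.7 tok-B HEAD /api/v1/accounts/42 200
198.51.100.7 tok-B GET /api/v1/accounts/42 200
198.51.100.7 tok-B POST /api/v1/accounts/42/orders 201
"""
# 404s plus validation and authorisation failures, as in the symptom list.
ERROR_STATUSES = {400, 401, 403, 404, 422}

def parse_log(text):
    """Parse the whitespace-separated sample lines into dicts (status stays a string)."""
    fields = ("ip", "token", "method", "path", "status")
    return [dict(zip(fields, line.split())) for line in text.splitlines()]

def profile(records, key):
    """Per-key counters: total requests, error responses, GET/POST and HEAD."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "get_post": 0, "head": 0})
    for r in records:
        s = stats[r[key]]
        s["requests"] += 1
        s["errors"] += int(int(r["status"]) in ERROR_STATUSES)
        s["get_post"] += int(r["method"] in ("GET", "POST"))
        s["head"] += int(r["method"] == "HEAD")
    return stats

def flag_anomalies(records, key="token", max_requests=5, max_error_rate=0.5):
    """Return {key: [reasons]} for keys (token, ip, ...) showing the symptoms above.
    Thresholds are illustrative assumptions, not values from the article."""
    flagged = {}
    for k, s in profile(records, key).items():
        reasons = []
        if s["requests"] > max_requests:
            reasons.append("high request volume")
        if s["errors"] / s["requests"] > max_error_rate:
            reasons.append("elevated error rate")
        if s["head"] == 0 and s["get_post"] > max_requests:
            reasons.append("GET/POST with no HEAD requests")
        if reasons:
            flagged[k] = reasons
    return flagged
```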

Key API vulnerabilities and automated attacks

Authentication flaws and account takeover. Many APIs do not check authentication status when the request comes from a genuine user. Attackers exploit such flaws in different ways, such as session hijacking and account aggregation, to imitate genuine API calls.

Attackers also reverse engineer mobile applications to discover how APIs are invoked. If API keys are embedded in the application, an API breach may occur. API keys should not be used for user authentication. Cyber criminals also perform credential stuffing attacks to take over user accounts.

Lack of robust encryption. Many APIs lack robust encryption between the API client and server. Attackers exploit vulnerabilities through man-in-the-middle attacks. Attackers intercept unencrypted or poorly protected API transactions to steal sensitive information or alter transaction data.

Also, the ubiquitous use of mobile devices, cloud systems and microservice patterns further complicates API security, because multiple gateways are now involved in facilitating interoperability among diverse web applications. Encrypting the data flowing through all of these channels is paramount.

Business logic vulnerability. APIs are vulnerable to business logic abuse. This is exactly why a dedicated bot management solution is required and why applying detection heuristics that are good for both web and mobile apps can generate many errors — false positives and false negatives.

Poor endpoint security. Most IoT devices and microservice tools are programmed to communicate with the server via API channels. These devices authenticate themselves on API servers using client certificates. Hackers attempt to gain control over an API from the IoT endpoint, and if they succeed, they can easily re-sequence the API order, thereby resulting in a data breach.

An API security checklist

The following nine best practices are a must for protecting API infrastructures against hacking and abuse:

  • Monitor and manage API calls coming from automated scripts (bots)
  • Drop primitive authentication
  • Implement measures to prevent API access by sophisticated human-like bots
  • Use robust encryption
  • Deploy token-based rate limiting with features to limit API access based on the number of IPs, sessions and tokens
  • Log requests and responses comprehensively
  • Scan incoming requests for malicious intent
  • Support a clustered API implementation to handle fault tolerance
  • Track the usage and journey of API calls to find anomalies.
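The rate-limiting item in the checklist, keyed on tokens, IPs and sessions at the same time, as an added example that is not code from the article or from Radware; the class name, limits and window length are assumptions.

```python
import time
from collections import deque

class ApiRateLimiter:
    """Sliding-window limiter keyed independently on API token, client IP and
    session, so one token spread across many IPs and many tokens behind one IP
    both hit a ceiling. The limits passed in are illustrative assumptions."""

    def __init__(self, limits, window_seconds=60, clock=time.monotonic):
        self.limits = limits          # e.g. {"token": 100, "ip": 300, "session": 50}
        self.window = window_seconds
        self.clock = clock            # injectable so tests can drive time
        self.hits = {dim: {} for dim in limits}

    def _recent(self, dim, value, now):
        """Timestamps of hits for this value inside the current window."""
        q = self.hits[dim].setdefault(value, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, token, ip, session):
        """Return (allowed, exhausted_dimensions) for one incoming request."""
        now = self.clock()
        request = {"token": token, "ip": ip, "session": session}
        queues = {dim: self._recent(dim, request[dim], now) for dim in self.limits}
        exhausted = [dim for dim, q in queues.items() if len(q) >= self.limits[dim]]
        if exhausted:
            # Denied requests are not recorded, so a client already over its
            # token limit does not also burn the budget of its IP or session.
            return False, exhausted
        for q in queues.values():
            q.append(now)
        return True, []
```

A gateway would map a `False` result to HTTP 429 and log the exhausted dimension, which is also the signal the "track usage" item above wants.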

