Application programming interfaces (APIs) have become an integral part of almost every network, program, application, device, and computing environment. This is especially true of cloud and mobile computing, neither of which could possibly exist in its current form without an API to tie everything together and manage much of the backend functionality.
Due to their reliability and simplicity, APIs are ubiquitous across computing environments. Most organizations don’t even know how many APIs are running in their network, especially in the cloud. Large enterprises probably have thousands of APIs in use, and even smaller organizations may rely on more APIs than they realize.
Danger of APIs
As convenient as APIs have become, their use has also created dangers. Because there are few standards for creating APIs, and many standards are proprietary, it’s not uncommon for APIs to contain exploitable vulnerabilities. Malicious actors have often found it much easier to attack APIs than directly targeting programs, databases, applications, or networks. It’s not difficult to change the functionality of an API once compromised, making it a kind of turncoat insider working for hackers.
Another big danger with APIs is that they are often over-permitted. Programmers give them high privileges so that they can perform functions without interruption. But if an attacker compromises the API, they can do other things with those elevated permissions, just as if they had compromised a human administrator’s account. This has become such a big issue that Akamai’s research shows that attacks against APIs account for 75% of all credential theft attempts worldwide. Attackers know that APIs are vulnerable and ubiquitous, and they are attacking them.
The rise of API security tools
Given how serious the problem of API hacking is, it’s no surprise that the number of API security tools has exploded in recent years. There are dozens of commercial tools and hundreds of free and open source tools designed to protect APIs. Many share similarities and features with other types of cybersecurity programs, but are specifically configured for the unique nature of APIs.
API security tools generally fall into one of several categories, although some offer complete platforms that try to do it all at once. The most popular type of API security tool these days is something like an API firewall, which protects your APIs from malicious requests. Other tools are designed to dynamically access and evaluate specific APIs, look for vulnerabilities, and harden that code against attacks. Still others take the position that an organization must first scan its environment to discover how many APIs exist within its network, because it cannot protect what it doesn’t know about.
Trying to compile a complete list of API cybersecurity tools would be difficult given the sheer number of them. However, when examining both user and commercial reviews, some tools start to stand out. Below are some of the main tools available for enhancing API security, along with a brief description of their strengths and capabilities. This list doesn’t cover all of the hundreds that exist, but it should give you a good snapshot of what’s available and possible when trying to protect your APIs against today’s increasingly hostile threat landscape.
Here are the top nine security tools available today.
APIsec
One of the most popular API security tools, APIsec is almost completely automated, making it ideal for organizations just starting to improve their API security. In a production environment where APIs are already established, APIsec scans them and tests them for common vulnerabilities such as script injection attacks. It also fully stress tests each API to ensure that it is hardened against things like business process attacks, which are not easily detected. If any issues are found, they are flagged with detailed results for security analysts.
APIsec can also be used proactively by developers while APIs are being created, eliminating vulnerabilities before they’re published. And just in case, APIsec continues to monitor your APIs after they’re deployed.
Astra
Astra is a free tool, but this means it has limited support and users must obtain it from GitHub and install it in their environment. That said, the tool has a reputation for helping manage and secure very specific types of APIs.
Astra is primarily focused on Representational State Transfer (REST) APIs, which change frequently and can be very difficult to test and secure. Astra can help by integrating into your organization’s continuous integration and continuous delivery (CI/CD) pipeline. Because REST APIs change constantly as part of their functionality, this keeps the most common vulnerabilities that affect APIs from creeping into seemingly secure REST APIs.
AppKnox
AppKnox is known for being very supportive of its user base. The platform has a very easy-to-use interface to begin with, but the company also provides a lot of help in deploying and using it. Because of that support, it has been adopted by many organizations with small security teams.
Once installed, AppKnox tests your APIs for common issues such as HTTP request vulnerabilities, SQL injection, and more. It also scans all resources that connect to your APIs to ensure they are not a viable attack vector for hackers.
Cequence Unified API Protection
The Cequence Unified API Protection platform is designed for organizations running enterprise environments that need to handle billions of requests made to APIs every day. The scalable protection platform first discovers all APIs in your organization and files them in an extensive inventory. APIs can then be subjected to general tests for vulnerabilities, or to specific tests that security teams define and need to run against groups of APIs. This is very useful not only for protecting APIs, but also for complying with government or industry regulations that require specific protections to be in place.
Also supporting Cequence’s enterprise focus is the ability to set automated protections or actions that should be taken in response to an attack or suspicious interaction with an API. Cequence handles this itself, so there’s no need to involve external security devices such as firewalls to enable its protection. This offloads work from those external devices and speeds up response times, so your APIs are almost instantly protected from live threats.
Data Theorem API Secure
Data Theorem API Secure can inventory all APIs that exist within a network, cloud, application, or other target. This is a great option for organizations that want to improve their API security but don’t know where to start or how many APIs they have. API Secure also keeps your API inventory up to date and quickly finds new APIs deployed.
Once an API is discovered, API Secure acts like a hacker and tests it for vulnerabilities. It then flags that API so that humans can examine the findings independently, and it can automatically fix many of the vulnerabilities.
Salt Security API Protection Platform
The Salt Security API Protection Platform is highly advanced and one of the first platforms to fully leverage artificial intelligence and machine learning to detect and stop threats to your APIs. The platform does this by collecting API traffic across the network and analyzing what calls are being made to the API and what the API is doing in response. It then compares what it sees locally with the traffic data stored in its cloud-based big data engine. It can then stop most attacks and highlight suspicious activity to alert human security teams, or take action based on their settings.
The platform continues to learn over time, and the more time it spends exploring a network of APIs, the better it will be at determining acceptable behavior for that particular network.
Noname Security
Noname Security is highly rated by large corporations supporting large enterprise environments, and is reportedly used by 20% of Fortune 500 companies. It is designed to go beyond the standard API vulnerability checks offered by some platforms by analyzing the traffic data that travels through your APIs. It then uses AI and machine learning to look for malicious activity.
Noname Security supports both common and non-standard APIs in its tests. For example, it fully supports HTTP, RESTful, GraphQL, SOAP, XML-RPC, JSON-RPC, and gRPC APIs. It can also use traffic data to discover, catalog, and protect APIs that aren’t managed by an API gateway, or your own APIs that don’t follow standard protocols.
SmartBear ReadyAPI
SmartBear ReadyAPI is focused on the development environment and can be used not only to test for security vulnerabilities while building APIs, but also to monitor API performance. That way, developers can see what happens if, for example, the API encounters a very large amount of data, which is a security issue as well as a performance one.
As part of that testing, users can configure the type of traffic to inject into the API under development. Alternatively, ReadyAPI can capture real traffic from your organization’s network and use it for very realistic testing. ReadyAPI natively supports Git, Docker, Jenkins, Azure DevOps, TeamCity, and more.
Wallarm End-to-End API Security
The Wallarm End-to-End API Security platform is designed to work in cloud-native environments with many APIs, but it also protects APIs residing on on-premises equipment. It is designed to protect against all kinds of threats made against APIs, from those on the Open Web Application Security Project (OWASP) top vulnerability list to specific threats such as credential stuffing that are often aimed at APIs.
Wallarm also helps mitigate distributed denial of service (DDoS) attacks by bots, whether reconnaissance intrusions or outright attacks. Given that most of the traffic on the internet today consists of bots, this is a nice feature to have in your security tool.
The platform also provides a detailed look and overview of an organization’s entire API portfolio based on user traffic. This gives you insight into not only security, but also how your organization uses APIs and areas that need improvement. While that’s not the main purpose of the Wallarm platform, detailed reporting certainly helps in other areas outside of security as a bonus for using the platform.
Copyright © 2023 IDG Communications, Inc.