The document discusses monitoring and responding to API breaches. It notes a large increase in API traffic and attacks in recent years as companies increasingly leverage APIs. Responsibility for API security is often unclear as it involves multiple teams. Many companies secure APIs the same way they secure web applications, which can be insufficient. The document recommends establishing API discovery, threat monitoring, integration with security platforms, and log retention to aid in prevention, detection during incidents, and post-incident forensics. Tools like WAFs, API gateways, and testing can help, but a holistic approach across the development lifecycle is needed to properly secure APIs.
2. THE THREAT LANDSCAPE
Companies are leveraging APIs more frequently, with a total increase in API traffic of 321% compared with the previous year (Salt Security, 2022).
The majority of companies cite the following as the main drivers behind their use of APIs:
• Development Efficiencies / Standardization
• Platform System Integrations
• Cloud Migration
In 2021, a total increase of 681% in API attack traffic was detected (Salt Security, 2022).
“Gartner predicts that by 2022, application programming interface (API) attacks will become the most-frequent attack vector...”
Companies are struggling to keep up with the deployment of APIs and are unable to perform security testing fast enough.
A narrow view of API security treats prevention as the only security strategy.
3. THE THREAT LANDSCAPE
Who owns API security (chart from the Salt Security report):
• Developers, 29%
• AppSec Team, 21%
• API Team, 14%
• DevSecOps, 12%
• DevOps, 11%
• Infosec, 10%
• Platform or Product Team, 2%
• Other, 1%
A multi-department approach is needed to tackle all of the challenges of API security.
Efforts to fill the gaps in knowledge regarding API security are necessary for all teams involved.
Companies are struggling to define responsibilities for API security.
41% of companies secure their APIs in the same way that they secure their web applications (Dark Reading, 2021).
4. WHAT ABOUT MONITORING
PREVENTION (before the incident)
• API Discovery: behavior and analytics; identify your business as usual
• Threat Monitoring: log and identify malicious activity
• Integration: consolidate to a security platform (e.g. SIEM, XDR)
RESPONSE (during the incident)
• Use Case Creation: e.g. create alarms based on applicable use cases
FORENSICS (after the incident)
• Log Retention: historical logs will prove critical during forensics efforts
Shadow API: APIs that exist outside of the official maintenance processes.
Zombie API: forgotten APIs.
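To make the API discovery step concrete, here is an added example (not code from the talk or from Brier & Thorn) that compares a constructed route inventory, assumed to be exported from the team's OpenAPI spec, against constructed gateway access-log lines. Routes seen in traffic but absent from the inventory are shadow API candidates; inventory routes with no traffic in the window are zombie candidates. The log format, the inventory and every route name are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed inventory of officially maintained routes (assumed to come from
# the team's OpenAPI spec; example data, not from the talk).
DOCUMENTED_ROUTES = [
    ("GET", "/api/v2/users/{id}"),
    ("POST", "/api/v2/payments"),
    ("GET", "/api/v2/payments/{id}"),
    ("PUT", "/api/v2/settings"),
]

# Constructed gateway access log, "METHOD PATH STATUS" per line. Not real traffic.
ACCESS_LOG = """\
GET /api/v2/users/1001 200
GET /api/v2/users/1002 200
POST /api/v2/payments 201
GET /api/v1/users/1001 200
GET /api/v1/users/export 200
GET /api/v2/settings/debug 200
PUT /api/v2/settings 204
"""


def template_to_regex(template):
    """Turn an OpenAPI-style path template into an anchored regex.

    "/api/v2/users/{id}" -> ^/api/v2/users/[^/]+$
    """
    parts = []
    for segment in template.split("/"):
        if segment.startswith("{") and segment.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(segment))
    return re.compile("^" + "/".join(parts) + "$")


def parse_log(text):
    """Parse the constructed log format into (method, path, status) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, path, status = line.split()
        entries.append((method, path, int(status)))
    return entries


def discover(documented, log_text):
    """Compare observed traffic against the inventory.

    Returns hit counts per documented route, shadow candidates (observed but
    undocumented) and zombie candidates (documented but unused in the window).
    """
    compiled = [(m, t, template_to_regex(t)) for m, t in documented]
    hits = Counter()
    shadow = Counter()
    for method, path, _status in parse_log(log_text):
        for m, t, rx in compiled:
            if m == method and rx.match(path):
                hits[(m, t)] += 1
                break
        else:
            # Collapse numeric segments so one shadow endpoint is reported once.
            generic = re.sub(r"/\d+(?=/|$)", "/{n}", path)
            shadow[(method, generic)] += 1
    zombie = [(m, t) for m, t in documented if hits[(m, t)] == 0]
    return {"hits": dict(hits), "shadow": dict(shadow), "zombie": zombie}


if __name__ == "__main__":
    result = discover(DOCUMENTED_ROUTES, ACCESS_LOG)
    for route, n in result["shadow"].items():
        print("shadow candidate:", route, "seen", n, "time(s)")
    for route in result["zombie"]:
        print("zombie candidate:", route)
```

A single log window only suggests that a route is a zombie; compare against the full retention period before decommissioning anything, and treat a shadow candidate as a prompt to find the owning team and bring the route under the maintenance process rather than as a verdict.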
TOOLS 101
• CDN/ADC: helps with latency, reliability and traffic spikes, and provides some protection against volumetric DDoS attacks.
• WAF: provides protection against application-layer attacks such as SQL injection, cookie poisoning and cross-site scripting (XSS).
• API Gateway: supports companies in routing API requests, aggregating API responses, etc., whilst protecting against an array of vulnerabilities (e.g. invalid input).
TOOLS+
• Dynamic and Static Application Testing
• API Penetration Testing
My name is Carolina Ruiz, CEO of Brier & Thorn, a Managed Security Service Provider, and a long-time cybersecurity and compliance enthusiast.
According to the “State of API Security” report by Salt Security:
As you can see, the growth percentages of API traffic and API attack traffic are disproportionate, meaning that we have not only seen growth in attack traffic matching the growth in API infrastructure, but we see that the attack traffic doubles it.
The narrow view focuses almost exclusively on the prevention aspect of security. We got so caught up in protecting against an API attack that we lose sight of the fact that we should focus on protecting our environment or data from the risks associated with APIs – not just the API attack vector.
I’ve included this statistic from Dark Reading’s Secure Applications Survey, which states that 41% of companies use the same tools and strategies to protect their APIs as they do their web applications. In this situation a good example would be relying solely on having a Web Application Firewall in place; although a WAF has its place within application security, its main focus is to protect against the OWASP Top Ten, which differs from the OWASP API Security Top Ten – effectively creating a gap in security and visibility.
Lastly, the following points focus on the confusion around the ownership of API security; as detailed by the chart (from the Salt Security report), there is evident confusion across companies about who should own it.
Mention: Christine Bottagaro – Resurface – on the importance of collaboration between the security team and the development team; oftentimes the developers do not receive sufficient training on security, and on the other side security engineers coming from a network background require more training on the API side.
So how do we go about monitoring?
Threat Monitoring: Maintaining an API logging system will be critical to identify anomalous and potentially malicious traffic promptly and to aid the response time of security teams. Log input validation failures, application errors and events that deal with API functionality such as payments and settings.
If there is anything I want you to leave this talk with, it is that security monitoring for APIs is critical for companies and that they must take a holistic, multi-department approach. It is not enough to apply controls at the development level; we must ensure that we are prepared to monitor and respond to incidents as part of security operations as a whole.
I have included Brier & Thorn’s social media accounts as well as my personal accounts, if you want to follow us, look at our content or just say hi. Thank you to API Secure for having me, and I’ll open up for any questions.
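As an added example that is not part of the talk or of Brier & Thorn's material, the following script shows the "use case creation" step from the monitoring slide together with the speaker's note on logging input validation failures, application errors and payment or settings events: three alarms evaluated over a constructed JSON-lines API log. The log field names, the thresholds and the window size are assumptions for the example and would be tuned against your own business-as-usual baseline.

```python
import json
import re
from collections import defaultdict, deque

# Constructed API log in JSON-lines form (assumed fields: ts in seconds, client,
# method, path, status, event). Not real traffic and not from the talk.
API_LOG = """\
{"ts": 100, "client": "10.0.0.5", "method": "POST", "path": "/api/payments", "status": 400, "event": "input_validation_failed"}
{"ts": 101, "client": "10.0.0.5", "method": "POST", "path": "/api/payments", "status": 400, "event": "input_validation_failed"}
{"ts": 102, "client": "10.0.0.5", "method": "POST", "path": "/api/payments", "status": 400, "event": "input_validation_failed"}
{"ts": 103, "client": "10.0.0.5", "method": "POST", "path": "/api/payments", "status": 400, "event": "input_validation_failed"}
{"ts": 104, "client": "10.0.0.5", "method": "POST", "path": "/api/payments", "status": 400, "event": "input_validation_failed"}
{"ts": 110, "client": "10.0.0.5", "method": "POST", "path": "/api/payments", "status": 201, "event": "payment"}
{"ts": 150, "client": "10.0.0.2", "method": "GET", "path": "/api/users/1", "status": 200, "event": "read"}
{"ts": 151, "client": "10.0.0.2", "method": "PUT", "path": "/api/settings", "status": 204, "event": "settings_change"}
{"ts": 200, "client": "10.0.0.9", "method": "GET", "path": "/api/users/7", "status": 403, "event": "read"}
{"ts": 201, "client": "10.0.0.9", "method": "GET", "path": "/api/users/8", "status": 404, "event": "read"}
{"ts": 202, "client": "10.0.0.9", "method": "GET", "path": "/api/users/9", "status": 403, "event": "read"}
{"ts": 203, "client": "10.0.0.9", "method": "GET", "path": "/api/users/10", "status": 403, "event": "read"}
"""

WINDOW = 60          # sliding window in seconds (tuning assumption)
FAIL_THRESHOLD = 5   # validation failures per client per window (assumption)
ENUM_THRESHOLD = 4   # distinct object ids denied per client per window (assumption)
SENSITIVE_EVENTS = {"payment", "settings_change"}
OBJECT_PATH = re.compile(r"^/api/users/(\d+)$")


def parse_jsonl(text):
    """Parse one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _prune(window, now):
    """Drop window entries older than WINDOW seconds relative to `now`."""
    while window and now - window[0][0] > WINDOW:
        window.popleft()


def evaluate(entries):
    """Run the three use cases over the entries and return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)    # client -> deque of (ts,)
    denied_ids = defaultdict(deque)  # client -> deque of (ts, object_id)
    fired = set()                    # (rule, client) pairs, one alert each

    def raise_alert(rule, client, ts, **extra):
        if (rule, client) in fired:
            return
        fired.add((rule, client))
        alerts.append({"rule": rule, "client": client, "ts": ts, **extra})

    for e in sorted(entries, key=lambda r: r["ts"]):
        client, ts = e["client"], e["ts"]
        _prune(failures[client], ts)
        _prune(denied_ids[client], ts)

        # Use case 1: burst of input validation failures from one client.
        if e["event"] == "input_validation_failed":
            failures[client].append((ts,))
            if len(failures[client]) >= FAIL_THRESHOLD:
                raise_alert("validation_burst", client, ts,
                            count=len(failures[client]))

        # Use case 2: one client denied access to many distinct object ids,
        # a deviation from the baseline worth a look, not proof of an attack.
        m = OBJECT_PATH.match(e["path"])
        if m and e["status"] in (403, 404):
            denied_ids[client].append((ts, m.group(1)))
            distinct = {oid for _, oid in denied_ids[client]}
            if len(distinct) >= ENUM_THRESHOLD:
                raise_alert("object_enumeration", client, ts,
                            distinct_ids=len(distinct))

        # Use case 3: sensitive function (payments, settings) used by a client
        # that produced validation failures inside the same window.
        if e["event"] in SENSITIVE_EVENTS and failures[client]:
            raise_alert("sensitive_after_failures", client, ts,
                        recent_failures=len(failures[client]))
    return alerts


def run():
    """Evaluate the constructed log; returns the list of alert dicts."""
    return evaluate(parse_jsonl(API_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Each alert carries the client and the evidence count so it can be forwarded to the SIEM or XDR platform named on the integration slide; the same rules run unchanged over retained historical logs, which is where the forensics value of log retention comes from.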