Don’t Leave Your APIs Undefended Against Security Risks

A bigger footprint creates more risks of attackers exploiting the expanded attack surface, which now includes a variety of APIs.

Sep 17th, 2021 6:48am by Brian Schwarz

Featued image for: Don’t Leave Your APIs Undefended Against Security Risks

Photo by Tima Miroshnichenko from Pexels.

Brian Schwarz

Brian is director of product for application security at Fortinet. With over 20 years of experience working with networking and security solutions for the enterprise, Brian focuses on Fortinet’s web application and API security solutions.

As your digital footprint grows, your organization’s attack surface grows with it. Digital footprints are growing more than ever before, with the rollout of new web applications to support business initiatives and as older applications are updated to take advantage of the latest technologies. A bigger footprint creates more risks of attackers exploiting the expanded attack surface, which now includes a variety of APIs used to support sophisticated web and mobile applications.

There was a time when it was simple to defend a well-defined network perimeter, but those perimeters have become more porous by necessity, and users today demand access to their digital tools from any internet connected device. To compete in today’s world, organizations need to support access to data from anywhere while also securing the APIs of their most sensitive data.

APIs Are a Critical Business Tool

Web apps used to simply send HTML content to a browser for display. Now, they typically expose APIs that enable clients to deliver a rich application experience to end users. That client could be a traditional web browser or a mobile application. It might also include B2B communication, where the information is never displayed directly to a human user (e.g., two companies sharing inventory information).

These APIs have become crucial line-of-business tools and underpin many critical business processes. Traditional security tools, such as basic web application firewalls (WAF), do not adequately address the full attack surface for modern web applications. A traditional WAF solution that only protects against the classic OWASP Top 10 attacks (e.g. SQL Injection, cross-site scripting, et al.) may be enough to technically meet a compliance requirement. But when you deploy a web app and expose APIs that access sensitive information to the internet, you need a modern WAF, or Web Application and API Protection (WAAP) , solution that will defend your entire attack surface.

Every Cloud Security Strategy Should Include API Protection

Many organizations are looking to address these security challenges within the applications themselves. For APIs, it’s possible to implement controls within each application to mitigate the risks of the APIs that are exposed. These controls may include validating inputs, implementing rate limits and controlling access to the API using API keys or other restrictions. Many of these controls included in open source and commercial off-the-shelf web applications are being used as building blocks for creating, deploying and maintaining an organization’s own apps.

Relying on this approach for API security carries its own risk. Application developers, under pressure to deliver features and improve metrics based around uptime and performance, don’t always make implementing and managing these kinds of security controls a top priority. DevOps professionals may not have the security expertise or background required. In many organizations, even if application security is a focus, the organization may have multiple development teams with their own approach and level of scrutiny. This decentralized approach makes it difficult to maintain a consistent security posture across the API attack surface.

Use a Platform Approach to Secure Multiple Environments

Speaking of silos, disparate security approaches also create silos that can affect visibility. This can hinder threat detection and complicate the organization’s ability to see the full scope of a security incident. When creating a cloud security strategy, DevOps teams should consider adopting and implementing consistent policies that work in, across and outside of cloud environments. Use tools that allow for security configurations that can be centrally applied, tested and updated, and that support creating a consolidated view of the threats you face. This kind of consolidated view will also help security teams focus more on response and less on collecting information.

A security platform that includes WAAP functionality combined with a common management, analysis and orchestration interface can help. This platform approach should include API security controls that can be deployed for every exposed API, which could include APIs deployed in multicloud and hybrid environments.

The solutions you implement should also have the ability to block API threats using a WAF or other API gateway. This additional layer of security must be easy to manage, monitor and maintain, and be deployable without interfering with the other priorities driving application development. Mitigating threats before they reach your application conserves application resources that would otherwise be used in detecting invalid or malicious actions.

Securing Your APIs

A recent Cybersecurity Insiders report commissioned by Fortinet found that 48% of respondents had more than 100 unique applications running in their environment, with 26% reporting more than 500 unique applications. The proliferation of applications being deployed, especially in support of a work-from-anywhere model, makes it even more critical for organizations to implement advanced security for their applications and not leave APIs undefended.

FortiWeb and FortiWeb Cloud solutions, part of the Fortinet Security Fabric, provide the capabilities any organization needs to secure their web applications and APIs.