Speaking during the online Web Summit 2020, Daniele Molteni, firewall product manager at Cloudflare, discussed the most common security threats for API traffic and outlined strategies for identifying vulnerabilities and defending critical infrastructure.
Molteni said that APIs are the lifeblood of modern internet-connected services but are also becoming increasingly challenging to secure for organizations.
“Over the last year, the growth of API traffic has been three-times faster than web traffic,” he explained. “There is a clear trend of more API traffic and the need to be more specific on protecting APIs” by investing in API security technology.
With regards to the common security risks that surround API traffic, Molteni cited threats that fall into three distinct groups.
These are: broken authentication and broken authorizations (group one), mass assignment, data exposure and injection attacks (group two), and abuse of resources and shadow APIs (group three).
Such security risks and threats are taking their toll on organizations too, he continued, adding that there are two main API security pain points affecting businesses right now.
The first is the “effect of API vulnerabilities on everyday operations,” which can result in software development velocity being reduced and frictions that hamper API adoption and growth.
The second revolves around the fact that common web security solutions are often not well-suited to securing API traffic, with high false positive rates, a lack of API-specific high value features and a lack of visibility of API traffic.
When it comes to addressing and mitigating API security risks and threats, Molteni said that there are two key principles for implementing a security strategy.
“The first is to manage access; access is one of the biggest things you need to control,” he explained. This should focus on controlling who makes requests and limiting the use of costly resources (backend, processing, serving, etc.).
“The second [principle] is scalability and efficiency when checking for vulnerabilities,” which involves having a strategy for narrowing-down and validating complex payloads when necessary.
In implementing these two principles, businesses should be able to put in place a ‘funnel-like,’ multi-layered incremental approach to removing the noise of API traffic – and “by removing the noise, you also remove what is actively malicious,” said Molteni.
However, he concluded with the advice that “there is no one-size-fits-all solution – and the security system you choose to implement depends on your infrastructure, data type and business goals.”