API Security Landscape: Protecting APIs from Automated Attacks and Abuse

APIs are emerging as a bridge to facilitate interoperability between different systems, networks, and applications. They also help drive a growing variety of devices and systems on the Internet of Things (IoT) to enable innovative functions that consumers, enterprises, and governments demand and expect.

Most IT ecosystems and architectures, from websites to mobile applications, rely on databases that are queried for user authentication, inventory checks, location services, payment card verification, and so on, and those queries depend on APIs. The growing use of microservice and cloud architectures, and the increasing reliance on specialized third-party services, including providers that use Open APIs to initiate calls between applications, are making APIs more crucial than ever in facilitating convenient and seamless access to IT-enabled services.

Despite their rapid and widespread deployment, however, APIs remain poorly protected, which exposes them to weaknesses such as enumeration, decompiling, insecure pagination, or even accidental API key exposure. Each of these puts business-critical data and services at risk, including Personally Identifiable Information, payment card data, and other confidential information.

According to Radware Bot Manager research, in 2019, bad bot hits on APIs steadily increased in each quarter.

Sophisticated bots take advantage of API vulnerabilities such as authentication flaws, lack of robust encryption, and poor endpoint security to carry out malicious attacks like account takeover, application DDoS, carding, and various forms of API abuse. Most API gateways and WAFs fail to detect human-like bots, leaving the APIs behind them open to attacks by fraudsters, competitors, and intelligence-gathering agencies.

Symptoms of a bot attack on APIs

  • Sessions made up of a single HTTP request
  • An increase in the rate of errors
  • Extremely high application usage from a single IP address or API token
  • A high ratio of GET/POST to HEAD requests for a user, session, IP address, or API token compared to legitimate users
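As an added illustration (not code from the original post or from Radware's product), the symptoms in this list applied as simple per-client heuristics over a few constructed access-log records; the thresholds and field names are assumptions chosen for the example:

```python
"""Flag API clients that show the bot-attack symptoms listed above.

Constructed sample data, not real traffic. Thresholds are illustrative
assumptions, not values taken from the post or from any product.
"""
from collections import defaultdict

# Constructed log records: (client_token, method, status)
SAMPLE_LOG = [
    # legitimate client: mixed methods, some HEAD requests, one error
    ("tok-legit", "GET", 200), ("tok-legit", "HEAD", 200), ("tok-legit", "POST", 201),
    ("tok-legit", "GET", 200), ("tok-legit", "HEAD", 200), ("tok-legit", "GET", 404),
    # one-shot client: a session consisting of a single request
    ("tok-oneshot", "GET", 200),
    # suspicious client: high volume, half the responses are errors, never sends HEAD
] + [("tok-bot", "GET", 404 if i % 2 else 200) for i in range(40)]

# Assumed thresholds (illustrative only).
MAX_REQUESTS = 20             # requests per client in the observed window
MAX_ERROR_RATE = 0.25         # share of 4xx/5xx responses
MAX_GET_POST_TO_HEAD = 10.0   # (GET+POST) / HEAD; no HEAD at all counts as infinite

def summarize(records):
    """Per-client counters: total requests, errors, GET/POST count, HEAD count."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "get_post": 0, "head": 0})
    for token, method, status in records:
        s = stats[token]
        s["total"] += 1
        if status >= 400:
            s["errors"] += 1
        if method in ("GET", "POST"):
            s["get_post"] += 1
        elif method == "HEAD":
            s["head"] += 1
    return stats

def symptoms(s):
    """Return the names of the symptoms a client's counters trigger."""
    found = []
    if s["total"] > MAX_REQUESTS:
        found.append("high_usage")
    if s["total"] == 1:
        found.append("single_request")
    if s["total"] and s["errors"] / s["total"] > MAX_ERROR_RATE:
        found.append("high_error_rate")
    ratio = s["get_post"] / s["head"] if s["head"] else float("inf")
    if s["get_post"] and ratio > MAX_GET_POST_TO_HEAD:
        found.append("skewed_get_post_to_head")
    return found

def flag_clients(records):
    """Map each client token to the symptoms it exhibits (empty list = clean)."""
    return {token: symptoms(s) for token, s in summarize(records).items()}

if __name__ == "__main__":
    for token, hits in flag_clients(SAMPLE_LOG).items():
        print(token, hits or "ok")
```

In practice these counters would be computed per time window and per source (IP address, session, or API token), and the thresholds tuned against the traffic legitimate users of that API actually generate.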

How can Radware protect your APIs from bad bot attacks?

Radware Bot Manager defends web applications, mobile applications, and APIs against automated attacks. It ensures that only legitimate users and devices can access your Internet properties by leveraging proprietary Intent-based Deep Behavior Analysis (IDBA) and machine learning technologies to understand the intent behind every visitor and to block malicious automated activity.

For APIs, Radware Bot Manager provides dedicated enterprise-grade protection from automated threats by:

  • Addressing gaps in unique source identification in M2M communications through our API-Client SDK
  • Preventing out-of-context API invocation (for web and mobile APIs)
  • Establishing authentication flows to validate legitimate access to assets
  • Detecting anomalous navigation flows or access patterns

To learn more about how Radware Bot Manager protects your APIs, networks, and applications from bot attacks, contact us at botmanager_info@radware.com or download our whitepaper.

Originally published at www.radwarebotmanager.com on December 15, 2020

Radware Bot Manager (formerly ShieldSquare) is a non-intrusive, API-based bot management solution for managing bot traffic from websites and apps. www.shieldsquare.com