BLOG

API Security is not Web Application Security!

When we started 42Crunch 3 years ago, we were convinced that a new market segment would emerge: API security. And the market is now catching up with our vision!

This is exemplified by the recent release of the OWASP Top 10 for API Security threats document, which highlights threats that do not apply to traditional web applications. In other words, if your security products protect you against the traditional OWASP Top 10, they probably don’t properly protect your API traffic.

We have confirmed this problem with many of our prospects, who thought that by configuring their existing WAFs, they would be able to protect their APIs, complementing the authentication and authorization mechanisms provided by their API Management solutions. In most cases, the result has been far from satisfactory: the WAFs configuration ended up being very complex to put in place, triggered many false positives, and forced customers to fall back to generic rules that just caught the obvious issues (like injections).

As noted in the Gartner’s Hype Cycle for Application Security, 2019:

“Leading cloud WAF vendors are adding features, moving closer to a more comprehensive web application and API protection (WAAP) solutions. However, API protection continues to be very basic, sometimes limited to applying the same signatures rather than for protecting more traditional web applications.”

The report then adds:

“Mobile applications and the growing number of publicly exposed APIs create new development opportunities for WAFs. Gartner observes, though, that innovation continues to happen mostly outside of the traditional WAF vendor landscape.”

Indeed, we feel protecting APIs needs a new approach. As the OWASP Top 10 for API Security document highlights, API threats are a superset of Web application threats. While injection-based issues are common to both types of traffic, APIs suffer from critical issues related to resources access and data access or exfiltration.

An example would be a vulnerability where the first problem is that the API returns all the resource information as a JSON object, relying on the client application to filter the information at the UI level. This call now exposes critical information, easily accessible via a web proxy. This problem can be further exploited if the API also allows to update the information via a “hidden” POST call, allowing a hacker to credit their user account without ever making a payment.

Protecting yourself from such attacks implies limiting requests and responses to the ones exposed by the API contract. You cannot create generic denylist rules for this. You need to rely on a positive data model whereby the API firewall knows what is allowed or not via the contract and can also validate who the user is (their role for example) before allowing access to a resource.

To address such a need, our auditing service ensures the quality ofĀ your API contract, while our API firewall automatically enforcesĀ what the API contract specifies.

But tools are not enough: in order for API security to work, it needs to be fully part of the API lifecycle.Ā We will detail in an upcoming blog why a DevSecOps approach is critical to API security!

 

Try our security audit for free. If you want to see the whole platform in action, request a demo now!

For news on all things API – visit APIsecurity.io and sign up for the weekly newsletter.

Latest Resources

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar
Nov 5, 2024
PST 9am | EST 12pm | GMT 5pm

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protectionĀ as attacks on automotive APIs climb within and among vehicle, cloud and mobileĀ  DALLAS and TOKYO, May 29, 2024ā€”VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch Ā to enhance the security of application programming […]

DataSheet

APIs are the core building block of every enterpriseā€™s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developersā€™ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar
Nov 5, 2024
PST 9am | EST 12pm | GMT 5pm

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protectionĀ as attacks on automotive APIs climb within and among vehicle, cloud and mobileĀ  DALLAS and TOKYO, May 29, 2024ā€”VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch Ā to enhance the security of application programming […]

DataSheet

Datasheet Cover Images P1-02

Product Datasheet Addressing API Security Challenges

APIs are the core building block of every enterpriseā€™s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developersā€™ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

Ready to Learn More?

Developer-first solution for delivering API security as code.