
API Security is not Web Application Security!

When we started 42Crunch 3 years ago, we were convinced that a new market segment would emerge: API security. And the market is now catching up with our vision!

This is exemplified by the recent release of the OWASP API Security Top 10, which lists threats that do not apply to traditional web applications. In other words, if your security products only protect you against the traditional OWASP Top 10, they probably do not properly protect your API traffic.

We have confirmed this problem with many of our prospects, who thought that by configuring their existing WAFs they would be able to protect their APIs, complementing the authentication and authorization mechanisms provided by their API management solutions. In most cases the result has been far from satisfactory: the WAF configuration proved very complex to put in place, triggered many false positives, and forced customers to fall back to generic rules that only caught the obvious issues (such as injections).

As noted in Gartner's Hype Cycle for Application Security, 2019:

“Leading cloud WAF vendors are adding features, moving closer to more comprehensive web application and API protection (WAAP) solutions. However, API protection continues to be very basic, sometimes limited to applying the same signatures as for protecting more traditional web applications.”

The report then adds:

“Mobile applications and the growing number of publicly exposed APIs create new development opportunities for WAFs. Gartner observes, though, that innovation continues to happen mostly outside of the traditional WAF vendor landscape.”

Indeed, we feel protecting APIs needs a new approach. As the OWASP API Security Top 10 highlights, API threats are a superset of web application threats. While injection-based issues are common to both types of traffic, APIs also suffer from critical issues around resource access (object-level authorization) and data exposure or exfiltration.

Consider a vulnerability where the first problem is that the API returns the complete resource as a JSON object and relies on the client application to filter it at the UI level (excessive data exposure). Every field, including ones the UI never shows, is now visible to anyone who puts a web proxy between the client and the API. The problem compounds if the API also accepts updates to the same object through a “hidden” POST call that writes every field it receives (mass assignment): an attacker can then credit their own account balance without ever making a payment.

Protecting yourself against such attacks means limiting requests and responses to exactly what the API contract exposes. Generic denylist rules cannot express this. You need a positive security model, whereby the API firewall knows from the contract what is allowed (operations, parameters, fields and their types) and can also verify who the user is (their role, for example) before granting access to a resource.
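To make the positive-model point concrete, here is an added illustration (constructed for this post, not 42Crunch code or product behaviour) of a PATCH /accounts/{id} handler written the vulnerable way beside a version that enforces a constructed OpenAPI-style schema: unknown fields are rejected, readOnly fields such as balance cannot be set by the client, the response is filtered to the fields the response schema declares, and the caller's identity is checked against the resource before anything else happens. The schema, account record and caller objects are all assumptions for the example.

```python
"""Contract-driven (positive) validation for PATCH /accounts/{id}.

Added example for this post: schema, records and handlers are constructed
for illustration and are not 42Crunch's own code or product behaviour.
"""

# Constructed OpenAPI-style schema for the Account object. The request side is
# an allowlist: unknown fields are rejected (additionalProperties: false) and
# server-owned fields (balance, role) are readOnly so clients cannot set them.
ACCOUNT_SCHEMA = {
    "type": "object",
    "additionalProperties": False,
    "properties": {
        "id": {"type": "string", "readOnly": True},
        "email": {"type": "string", "maxLength": 254},
        "displayName": {"type": "string", "maxLength": 64},
        "balance": {"type": "number", "readOnly": True},
        "role": {"type": "string", "enum": ["user", "admin"], "readOnly": True},
    },
}

# Response schema: the only fields the public endpoint may emit. Everything
# else in the stored record (password hash, internal notes) is dropped.
PUBLIC_ACCOUNT_RESPONSE = {"type": "object", "properties": {
    "id": {"type": "string"}, "email": {"type": "string"},
    "displayName": {"type": "string"}, "balance": {"type": "number"}}}

# Constructed backing store with internal fields that must never reach a client.
ACCOUNTS = {"42": {
    "id": "42", "email": "alice@example.com", "displayName": "Alice",
    "balance": 12.5, "role": "user",
    "passwordHash": "$2b$12$constructed-hash-for-illustration",
    "internalNotes": "chargeback dispute open"}}

JSON_TYPES = {"string": str, "number": (int, float), "integer": int,
              "boolean": bool, "object": dict, "array": list}


def validate_request_body(body, schema):
    """Return a list of contract violations (empty list means the body conforms)."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors, props = [], schema["properties"]
    for name, value in body.items():
        if name not in props:
            if not schema.get("additionalProperties", True):
                errors.append(f"unknown field {name!r}")
            continue
        spec = props[name]
        if spec.get("readOnly"):
            errors.append(f"field {name!r} is read-only")
            continue
        # bool is a subclass of int in Python; a JSON true must not pass as a number.
        if isinstance(value, bool) and spec["type"] != "boolean":
            errors.append(f"field {name!r} has wrong type")
            continue
        if not isinstance(value, JSON_TYPES[spec["type"]]):
            errors.append(f"field {name!r} has wrong type")
            continue
        if "maxLength" in spec and len(value) > spec["maxLength"]:
            errors.append(f"field {name!r} exceeds maxLength {spec['maxLength']}")
        if "enum" in spec and value not in spec["enum"]:
            errors.append(f"field {name!r} not in enum")
    return errors


def filter_response(record, schema):
    """Emit only the fields the response schema declares."""
    return {k: record[k] for k in schema["properties"] if k in record}


def patch_account_vulnerable(account_id, body):
    """The anti-pattern the post describes: blind merge, full record echoed back.

    Any field the client sends is written (mass assignment) and the client is
    trusted to hide sensitive fields in the UI (excessive data exposure).
    """
    record = dict(ACCOUNTS[account_id])  # copy so the store is not mutated here
    record.update(body)
    return 200, record


def patch_account_enforced(caller, account_id, body):
    """Contract-enforced version: authorise, then allowlist request and response.

    `caller` is the authenticated identity (constructed: {"sub": ..., "role": ...}).
    """
    if caller["sub"] != account_id and caller["role"] != "admin":
        return 403, {"errors": ["caller may not access this account"]}
    errors = validate_request_body(body, ACCOUNT_SCHEMA)
    if errors:
        return 400, {"errors": errors}
    record = dict(ACCOUNTS[account_id])
    record.update(body)
    return 200, filter_response(record, PUBLIC_ACCOUNT_RESPONSE)


if __name__ == "__main__":
    attacker = {"sub": "42", "role": "user"}
    hostile = {"displayName": "Alice", "balance": 1_000_000}
    print(patch_account_vulnerable("42", hostile))          # balance overwritten, hash leaked
    print(patch_account_enforced(attacker, "42", hostile))   # 400, balance is read-only
    print(patch_account_enforced(attacker, "7", {"displayName": "Mallory"}))  # 403
```

The vulnerable handler returns the overwritten balance together with the password hash and internal notes; the enforced handler rejects the same request with a 400 naming the read-only field, returns only the four declared fields on a legitimate update, and refuses to touch another user's account with a 403 before the body is even inspected. Every one of those decisions comes straight from the contract and the caller's identity rather than from a signature describing what an attack looks like.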

To address such a need, our auditing service ensures the quality of your API contract, while our API firewall automatically enforces what the API contract specifies.

But tools are not enough: in order for API security to work, it needs to be fully part of the API lifecycle. We will detail in an upcoming blog why a DevSecOps approach is critical to API security!


Try our security audit for free. If you want to see the whole platform in action, request a demo now!

For news on all things API – visit APIsecurity.io and sign up for the weekly newsletter.
