Why knowing is better than guessing for API Threat Protection
42Crunch blog, 25 October 2020

Why do we need different solutions for API Threat protection?

APIs are becoming a hot target for hackers. Analysts and cyber security specialists agree that the privileged position of APIs as the open doors to the enterprise kingdom makes them a favorite target for a breach.

For the past 20 years, Web Application Firewalls (WAFs) have dominated the application security market. Such products became a must if you wanted to achieve PCI DSS compliance, for example. How do WAFs work? Much like antivirus products, they need signatures to recognize and block attacks. You need to constantly feed them rules, and having to manually design and deploy those rules has always been one of the main complaints against WAFs.

WAFs traditionally work with negative rules, built to recognize the traffic you want to block. It is technically possible to write positive rules of course, and as we explained in this post, while positive rules are universally recognized as more powerful, they are also much harder to maintain: every legitimate change to the application has to be mirrored in the rule set, or the WAF starts blocking valid traffic.

Why are APIs different?

Fast forward 20 years and applications are now built on APIs. What does that imply for WAFs? Nothing good.

In an article from Dark Reading dated July 2020, Ericka Chickowski mentioned that "organizations are particularly struggling as their current WAF deployments are unable to handle a broader range of application attacks, particularly client-side attacks, API-based attacks, and bot-driven attacks."

APIs have totally changed our application architectures, pushing business logic to the client side and removing the controller layer that used to check every input before it reached the business code. Furthermore:

The OWASP API Security Top 10 illustrates the emergence of those new threats: data leakage (excessive data exposure), mass assignment, BOLA (Broken Object Level Authorization). All of them are data related: the attack is a well-formed request that the application should never have accepted, not a malformed payload that a signature can recognize.

The promise of AI

So what is the promise of AI? That you can continue to work the way you were working in the golden era of WAFs:

AI solutions look at the production traffic and automatically detect abnormal behaviors. The promise is that you will be relieved of the burden of managing all those rules manually. Instead, the AI engine refines its behavior over time, after being trained to recognize your API traffic.

So basically, we got smarter at guessing what the API traffic could be, and we now have tools helping us rebuild the controller layer checks that should never have disappeared from our applications in the first place.
In fact, we are now in a worse place: we build thousands of APIs at a staggering speed, don't worry much about how they will be used and by whom, and cross our fingers that a super smart engine is going to separate potential threats from legitimate traffic.

The power of knowing

With the 42Crunch platform, we take a completely different approach: we help enterprises build security into the API lifecycle as early as design time. To achieve this:

Our platform leverages the de facto industry standard for describing APIs, OpenAPI (aka Swagger). We built tools which integrate into the developer's IDE and CI/CD pipelines to audit and test their API contracts, and created a firewall that can be configured in one click from the OpenAPI definition.

Leveraging developers' knowledge

Security teams need developers' help to understand and secure APIs. Developers cannot use the traditional tools security teams are using; those tools were not built for them. So how do we bridge that gap? By adding developer-friendly, security-oriented tools to the developer's tool belt, for example our Visual Studio Code plugin, which just reached over 100,000 users. Our Audit is integrated into the OpenAPI editor, giving developers instant visibility into the potential security gaps in their APIs and how to address them.

Putting APIs under control

Security teams are the guardians of the enterprise: it is their responsibility to ensure that enterprise assets are duly protected, and as such they must enforce some rules, such as mandatory OAuth usage, systematic validation of parameters against specific patterns, hardening of JSON schemas, or JWT validation.
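To make those rules concrete, here is an added example, written for this post and not 42Crunch code, using only the Python standard library. It runs one constructed OpenAPI operation through both halves of the approach: a design-time audit that flags an operation with no OAuth security requirement, string parameters without a pattern or maxLength, and object schemas that still allow undeclared properties (the door to mass assignment), and the runtime gate described under "Blocking unwanted traffic automatically", which accepts only requests matching the hardened contract. The operation, its schemas, the UUID pattern and the sample requests are all constructed for the example; the audit rules are a small subset of what a real audit checks.

```python
import re

# Constructed UUID pattern: the firewall accepts this shape for accountID and nothing else.
UUID_RE = r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$"

# Constructed operation, as a developer might first write it: no security, no constraints.
LOOSE_OP = {
    "parameters": [{"name": "accountID", "in": "path", "required": True,
                    "schema": {"type": "string"}}],
    "requestBody": {"content": {"application/json": {"schema": {
        "type": "object",
        "properties": {"nickname": {"type": "string"},
                       "balance": {"type": "number"}}}}}},
}

# The same operation after the security team's hardening rules have been applied.
HARDENED_OP = {
    "security": [{"OAuth2": ["accounts:write"]}],
    "parameters": [{"name": "accountID", "in": "path", "required": True,
                    "schema": {"type": "string", "pattern": UUID_RE, "maxLength": 36}}],
    "requestBody": {"required": True, "content": {"application/json": {"schema": {
        "type": "object", "additionalProperties": False, "required": ["nickname"],
        "properties": {"nickname": {"type": "string", "maxLength": 32,
                                    "pattern": r"^[A-Za-z0-9 ]+$"}}}}}},
}


def _audit_schema(s, path="$"):
    """Walk a JSON schema and report the hardening gaps a security team would reject."""
    out = []
    if s.get("type") == "object":
        if s.get("additionalProperties", True) is not False:
            out.append(f"{path} allows undeclared properties (mass assignment)")
        for name, sub in s.get("properties", {}).items():
            out += _audit_schema(sub, f"{path}.{name}")
    elif s.get("type") == "string":
        if "maxLength" not in s:
            out.append(f"{path} string without maxLength")
        if "pattern" not in s and "enum" not in s:
            out.append(f"{path} string without pattern or enum")
    return out


def audit(op):
    """Design-time check: the findings raised against one operation."""
    findings = [] if op.get("security") else ["operation has no security requirement (OAuth mandatory)"]
    for p in op.get("parameters", []):
        findings += [f"parameter {p['name']}: {f}" for f in _audit_schema(p.get("schema", {}))]
    body = op.get("requestBody", {}).get("content", {}).get("application/json", {}).get("schema")
    if body is not None:
        findings += [f"body: {f}" for f in _audit_schema(body)]
    return findings


def validate(schema, value, path="$"):
    """Runtime check: every way `value` deviates from `schema` (empty list means accepted)."""
    errs, t = [], schema.get("type")
    if t == "object":
        if not isinstance(value, dict):
            return [f"{path}: expected object"]
        props = schema.get("properties", {})
        errs += [f"{path}.{r}: missing required property" for r in schema.get("required", []) if r not in value]
        for k, v in value.items():
            if k in props:
                errs += validate(props[k], v, f"{path}.{k}")
            elif schema.get("additionalProperties", True) is False:
                errs.append(f"{path}.{k}: undeclared property rejected")
    elif t == "string":
        if not isinstance(value, str):
            return [f"{path}: expected string"]
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errs.append(f"{path}: longer than {schema['maxLength']}")
        # OpenAPI patterns are not implicitly anchored, so honor the pattern's own ^ and $.
        if "pattern" in schema and not re.search(schema["pattern"], value):
            errs.append(f"{path}: does not match pattern")
        if "enum" in schema and value not in schema["enum"]:
            errs.append(f"{path}: not in enum")
    elif t == "number" and (isinstance(value, bool) or not isinstance(value, (int, float))):
        errs.append(f"{path}: expected number")
    return errs


def gate(op, path_params, body):
    """Positive model: a request passes only if every declared constraint holds."""
    errs = []
    for p in op.get("parameters", []):
        if p["in"] == "path":
            errs += validate(p["schema"], path_params.get(p["name"]), f"path.{p['name']}")
    errs += validate(op["requestBody"]["content"]["application/json"]["schema"], body, "body")
    return errs


if __name__ == "__main__":
    print("audit of loose contract:", *audit(LOOSE_OP), sep="\n  ")
    print("audit of hardened contract:", audit(HARDENED_OP))
    print("valid request:", gate(HARDENED_OP, {"accountID": "123e4567-e89b-12d3-a456-426614174000"}, {"nickname": "main"}))
    print("rejected request:", gate(HARDENED_OP, {"accountID": "1 OR 1=1"}, {"nickname": "main", "balance": 1e9}))
```

The loose contract produces six findings; the hardened one produces none, and only then does the gate have something unambiguous to enforce: an accountID that is not a UUID is dropped on the first attempt, and a `balance` field the contract never declared is rejected instead of silently reaching the business logic.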
Rather than discovering potential deviations via lengthy manual testing when the APIs are ready for production, they can enforce those rules automatically at design and testing time.

More importantly, those rules can be enforced at scale across hundreds or thousands of APIs through automation, via CI/CD plugins or our REST API.

Blocking unwanted traffic automatically

Once the API contract is defined, hardened and compliant with the requirements of the security teams, we can enforce protection in one click. No need to learn, no need to train, no statistics to evaluate. If you declared a field accountID as a UUID, that is what we will accept, and nothing else. We will stop anything unwanted on the first attempt, with no runtime training, because all potential discrepancies were handled at development and testing time.

A positive security model also means:

It's not about technology, it's about philosophy

We at 42Crunch have nothing against AI, far from it. But fundamentally, we believe that leveraging the developer's knowledge and detecting potential issues early is much more reliable, cost effective and efficient than trying to guess which API traffic is valid once in production. OpenAPI is supported by every API management solution on the market, and hundreds of tools are at your disposal to create, test and mock APIs thanks to OpenAPI.

So, let's start by covering the basics: document our APIs and, in the process, be ready to automatically protect them from potential threats.

42Crunch Platform and Free Tools

Contact us now for a free API Security Audit and Platform demo. Check out all our free IDE and CI/CD plugins to help you start securing your APIs today!