
Industry’s First Comprehensive Risk-Based API Security

Posted Date: May 17, 2022

Blog Series 2 out of 2.

In the last blog, we discussed the importance of API protection, why API Gateways are not enough, and why there is a need for comprehensive API security. In this blog, we will look at how Indusface is revolutionizing the industry with its new release, AppTrana API Protection.

AppTrana is known for its risk-based fully managed application security. The risk-based approach combined with its drive to make application security as easy as possible has propelled customer adoption with AppTrana being rated as the customers’ choice in all the segments of Gartner’s Voice of Customer Report 2022.

In the quest to extend a similar service to APIs, Indusface has released its new API Protection module in AppTrana. With this, customers get:

  • An understanding of the risk posture of their APIs through unlimited automated API scans, complemented by manual tests for identifying business logic vulnerabilities
  • Protection of APIs through API-specific rules written to protect against the OWASP Top 10 API vulnerabilities
  • Behaviour-based protection against DDoS attacks on APIs by analyzing API traffic patterns
  • Behaviour-based protection against bot attacks
  • Positive security for APIs through analysis of Swagger (OpenAPI 2.0) files and automated creation of positive security policies
  • Visibility into API traffic patterns and discovery of shadow APIs
  • An accurate, real-time view of the vulnerabilities blocked by API-specific rules, positive security policies and custom rules, and of those that still need fixes in the application

Collectively, through this multi-step approach, AppTrana protects APIs against even the most sophisticated attacks without any business impact.

Under the Hood:

Let’s look into how we came up with this solution.

Risk-based Approach

To start with, we were adamant about extending our risk-based approach for application security to API security. At Indusface, we believe security is only as good as its weakest link, and it is not possible to provide comprehensive protection without first understanding the risk posture. But the challenge with APIs is that scanning is not easy to automate. The biggest challenges are: how do you identify the APIs that need to be scanned, and how do you craft the API requests?

In the case of web applications, it is more straightforward: you can crawl the application, simulate actions, generate requests, and tamper with those requests to identify vulnerabilities. The same cannot be extended to APIs, because there is no single place one can go to find the list of APIs. Therefore, we looked at alternatives and, after talking to many of our customers and getting input from our security experts, we narrowed it down to using Postman files.

Postman is a common tool used for API development and testing. It has become the gold standard and is widely used across organisations. So, we decided to develop our API scanning around Postman files. When a customer onboards their API host for protection behind AppTrana, they will be asked to provide these 2 files:

  1. Postman files
  2. Swagger files (OpenAPI 2.0 files)

With Postman files, AppTrana is able to understand which customer APIs are to be scanned, along with details about the parameters and their values, common and dynamic values reused across multiple APIs (Postman variables), the sequence in which APIs should be called, and the dependencies between APIs.

Postman files are generally used for testing APIs during the development cycle, so they will usually contain this information. To further enrich the Postman files, before the scan is started our security experts review them and add additional insights that help our scanner scan the APIs better. Once the scan is complete, our team manually verifies the results to remove any false positives and publishes the results for the customer, providing a comprehensive risk posture of the APIs.

API Protection

API protection starts immediately once the customer onboards their API host behind AppTrana and routes their traffic through AppTrana. AppTrana’s API protection module has API-specific policies that help protect against the OWASP Top 10 API threats. These policies are enabled by default and are fine-tuned for false positives by our security experts.

But we don’t stop there. We felt that, as part of threat detection, we should do more, given that we have information about the APIs. So, when the customer uploads the Swagger files (OpenAPI 2.0 files), we use them to create positive security policies for the configured APIs. These policies are automatically created and applied to the sites. Customers can review these policies, which enforce schema and input validation based on the information given in the Swagger files, and decide whether to continue enforcing them. This ensures we craft the protection around the APIs’ specification and block any request that falls outside the known specification, reducing the attack surface of the API significantly.

To further strengthen API Protection, AppTrana’s API Protection module also has behaviour-based DDoS protection for APIs, where customers can fine-tune their policies for each API based on the behaviour of the attacks, so that any abnormal pattern is immediately identified and blocked.

AppTrana’s API Protection will also soon be enriched with API-specific bot modules that identify bots accessing the APIs, classify them as good or suspicious, and block the suspicious bots based on the customer’s risk appetite.

Visibility into APIs’ Risk Posture and Protection

The biggest advantage that AppTrana’s API protection provides to its customers is visibility into the APIs’ risk posture and protection. AppTrana provides comprehensive visibility into the risk posture and the vulnerabilities found, together with transparent information on whether those vulnerabilities are protected by AppTrana’s API-specific policies, positive security policies or custom rules written for the application’s specific needs.

Not just that: it also provides a real-time view of how the policies are working against real traffic, with visibility into the blocks made by each policy. This ensures customers can quickly understand how effective the API protection has been and what additional actions they can take.

Shadow APIs

Since we have visibility into both the API definitions known to the customer and all the API requests arriving at the API host, we can quickly check whether each API request targets an API that is part of the shared definition. Requests that do not are tagged as shadow APIs and brought to the attention of the customer, so that the customer can take further security action, either by updating the definition so that security policies apply to them or by choosing to block these shadow APIs.
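The two checks described above (positive security derived from a Swagger definition, and shadow API detection for requests outside that definition) as one added example; this is illustrative code written for this article, not AppTrana’s implementation, and the Swagger document, routes and request values are constructed.

```python
import re

# Constructed minimal Swagger (OpenAPI 2.0) definition, standing in for the
# file a customer would upload; not a real customer or Indusface artefact.
SWAGGER = {
    "basePath": "/api",
    "paths": {
        "/users/{id}": {"get": {"parameters": [
            {"name": "id", "in": "path", "type": "integer", "required": True},
            {"name": "fields", "in": "query", "type": "string", "required": False},
        ]}},
        "/orders": {"post": {"parameters": [
            {"name": "limit", "in": "query", "type": "integer", "required": True},
        ]}},
    },
}

# Type checks for the two Swagger primitive types used in the sample spec.
TYPE_CHECKS = {
    "integer": lambda v: re.fullmatch(r"-?\d+", v) is not None,
    "string": lambda v: isinstance(v, str),
}

def compile_routes(spec):
    """Turn every path template + method into (regex, METHOD, parameters)."""
    base = spec.get("basePath", "").rstrip("/")
    routes = []
    for tmpl, ops in spec["paths"].items():
        pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", base + tmpl)
        for method, op in ops.items():
            routes.append((re.compile("^" + pattern + "$"), method.upper(), op.get("parameters", [])))
    return routes

ROUTES = compile_routes(SWAGGER)

def classify(method, path, query):
    """Return ('allow', ''), ('block', reason) or ('shadow', reason) for one request."""
    for rx, m, params in ROUTES:
        match = rx.match(path)
        if not match or m != method.upper():
            continue
        supplied = {**match.groupdict(), **query}   # path values plus query string
        for p in params:                             # positive security: schema checks
            if p.get("required") and p["name"] not in supplied:
                return "block", f"missing required {p['in']} parameter {p['name']}"
            if p["name"] in supplied and not TYPE_CHECKS[p["type"]](supplied[p["name"]]):
                return "block", f"parameter {p['name']} is not {p['type']}"
        extra = set(query) - {p["name"] for p in params if p["in"] == "query"}
        if extra:                                    # anything outside the spec is blocked
            return "block", f"unexpected query parameter(s) {sorted(extra)}"
        return "allow", ""
    return "shadow", f"{method.upper()} {path} is not in the uploaded definition"
```

A request for a path or method the definition does not list is reported as a shadow API rather than silently blocked, so the owner can decide whether to add it to the definition or block it.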

With the combination of risk detection, API threat detection, API positive security policies, API-specific DDoS policies, API-specific bot modules, and API discovery, AppTrana’s API protection is the most comprehensive solution to date.


Vivek Gopalan
