Thursday, 20 August 2020 19:25

How to Keep APIs secure from bot attacks

By Yaniv Hoffman, Vice President Technologies, Radware

GUEST OPINION by Yaniv Hoffman, Vice President Technologies, Radware: The widespread adoption of mobile and IoT devices, emerging 'serverless' architectures hosted in public clouds, and the growing dependency on machine-to-machine communication are driving changes to modern application architectures.

Application programming interfaces (APIs) have emerged as the bridge that lets these different application architectures communicate. APIs allow quicker integration and faster deployment of new services.

In addition, DevOps requires end-to-end process automation that leverages APIs for service provisioning, platform management and continuous deployment.

Despite rapid and widespread deployment, APIs remain poorly protected and automated threats are mounting. Personally identifiable information (PII), payment card details and business-critical services are at risk due to bot attacks.

Symptoms of bot attacks on APIs include:

  • Single-request sessions: one HTTP request from a browser, session or device, with nothing before or after it
  • An increase in the rate of errors (e.g., HTTP 404 responses, data validation failures, authorisation failures)
  • Extremely high application usage from a single IP address or API token
  • A sudden uptick in API usage from a large, distributed set of IP addresses
  • A high ratio of GET/POST to HEAD requests per user, session, IP address or API token compared with that of legitimate users.
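The symptoms above can be turned into simple per-token, per-IP and per-session checks over gateway logs. The following is an added example, not code from the article or from Radware: it parses a constructed, space-separated log (fields and format are an assumption) and flags each symptom against thresholds that are likewise assumed and should be tuned against a baseline of known-good traffic.

```python
"""Added example (not part of the article): score API access-log records
against the bot symptoms listed above. Log format and thresholds are
assumptions for illustration; adapt both to your own gateway logs."""
from collections import defaultdict

# Constructed sample log: "ip method path status token session" per line.
# tok-A: a normal session (mixed GET/HEAD, all 200).
# tok-B: one IP enumerating user IDs, one session per request, mostly 404.
# tok-C: the same token replayed from many different IPs, all 401.
SAMPLE_LOG = """\
203.0.113.10 GET /api/v1/items 200 tok-A sess-1
203.0.113.10 GET /api/v1/items/42 200 tok-A sess-1
203.0.113.10 HEAD /api/v1/items/42 200 tok-A sess-1
203.0.113.10 GET /api/v1/cart 200 tok-A sess-1
198.51.100.7 GET /api/v1/users/1 404 tok-B sess-2
198.51.100.7 GET /api/v1/users/2 404 tok-B sess-3
198.51.100.7 GET /api/v1/users/3 404 tok-B sess-4
198.51.100.7 GET /api/v1/users/4 200 tok-B sess-5
198.51.100.7 GET /api/v1/users/5 404 tok-B sess-6
198.51.100.7 GET /api/v1/users/6 404 tok-B sess-7
198.51.100.7 GET /api/v1/users/7 404 tok-B sess-8
198.51.100.7 GET /api/v1/users/8 404 tok-B sess-9
192.0.2.1 POST /api/v1/orders 401 tok-C sess-10
192.0.2.2 POST /api/v1/orders 401 tok-C sess-11
192.0.2.3 POST /api/v1/orders 401 tok-C sess-12
192.0.2.4 POST /api/v1/orders 401 tok-C sess-13
192.0.2.5 POST /api/v1/orders 401 tok-C sess-14
"""

# Thresholds (assumed for the example; tune against known-good traffic).
ERROR_RATE = 0.5            # share of 4xx responses per token
VOLUME_PER_IP = 8           # requests from one IP within the log window
DISTINCT_IPS = 5            # distinct IPs using one token within the window
MIN_REQUESTS_FOR_RATIO = 4  # GET/POST count before the HEAD ratio is judged


def parse(log_text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in log_text.splitlines():
        ip, method, path, status, token, session = line.split()
        records.append({"ip": ip, "method": method, "path": path,
                        "status": int(status), "token": token,
                        "session": session})
    return records


def detect_symptoms(records):
    """Return {symptom: sorted list of offending keys} for the records."""
    by_token = defaultdict(list)
    by_ip = defaultdict(int)
    by_session = defaultdict(int)
    for r in records:
        by_token[r["token"]].append(r)
        by_ip[r["ip"]] += 1
        by_session[r["session"]] += 1

    findings = defaultdict(set)
    # Sessions consisting of exactly one request.
    for session, n in by_session.items():
        if n == 1:
            findings["single_request_session"].add(session)
    # Extremely high usage from a single IP address.
    for ip, n in by_ip.items():
        if n >= VOLUME_PER_IP:
            findings["high_volume_ip"].add(ip)
    for token, reqs in by_token.items():
        # Elevated error rate (4xx: not found, validation, authorisation).
        errors = sum(1 for r in reqs if 400 <= r["status"] < 500)
        if errors / len(reqs) >= ERROR_RATE:
            findings["high_error_rate"].add(token)
        # One token seen from many distributed IPs.
        if len({r["ip"] for r in reqs}) >= DISTINCT_IPS:
            findings["distributed_ips"].add(token)
        # Extreme GET/POST-to-HEAD ratio: enough GET/POST, no HEAD at all
        # (the "no HEAD at all" cut-off is an assumption of this example).
        get_post = sum(1 for r in reqs if r["method"] in ("GET", "POST"))
        head = sum(1 for r in reqs if r["method"] == "HEAD")
        if get_post >= MIN_REQUESTS_FOR_RATIO and head == 0:
            findings["no_head_requests"].add(token)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for symptom, keys in sorted(detect_symptoms(parse(SAMPLE_LOG)).items()):
        print(f"{symptom}: {', '.join(keys)}")
```

Run against the constructed log, tok-B is flagged for error rate, single-IP volume and missing HEAD requests, tok-C for error rate, distributed IPs and missing HEAD requests, and only tok-A's session escapes the single-request check. In practice these counters are kept per sliding window rather than over a whole file, and the thresholds are set from a baseline of legitimate users, as the last symptom in the list implies.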

Key API vulnerabilities and automated attacks

Authentication flaws and account takeover. Many APIs do not re-check authentication state on every request once a caller appears to be a genuine user. Attackers exploit such flaws in different ways, such as session hijacking and account aggregation, to imitate genuine API calls.

Attackers also reverse engineer mobile applications to discover how APIs are invoked. If API keys are embedded in the application, they can be extracted and used to call the API directly. An API key identifies an application, not a person, and should not be used for user authentication. Cyber criminals also run credential stuffing attacks to take over user accounts.

Lack of robust encryption. Many APIs lack robust encryption between the API client and server, and attackers exploit this through man-in-the-middle attacks: they intercept unencrypted or poorly protected API transactions to steal sensitive information or alter transaction data.

Also, the ubiquitous use of mobile devices, cloud systems and microservice patterns further complicates API security, because multiple gateways are now involved in facilitating interoperability among diverse web applications. Encrypting the data flowing through all of these channels is paramount.
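What "robust encryption" means on the client side is concrete: validate the server certificate, check the host name and refuse old protocol versions. The following is an added example, not code from the article or from Radware, showing the weak TLS configuration that many API clients ship with next to a hardened one, using Python's standard `ssl` module; the host name is a placeholder.

```python
"""Added example (not part of the article): an API client TLS configuration
with certificate validation and a minimum protocol version, beside the weak
configuration it replaces. The host name used in the usage comment is a
placeholder."""
import ssl


def weak_context():
    # The "works everywhere" shortcut: no certificate or host-name check.
    # A man-in-the-middle can terminate this connection with any certificate
    # and read or alter every API transaction.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_file=None):
    # Verify the server certificate against trusted CAs (the system store,
    # or a pinned bundle passed as ca_file) and refuse anything below TLS 1.2.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already enables these; set them explicitly so a
    # later edit cannot silently drop them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_safe(ctx):
    """Startup policy check: refuse to run with a context that would accept
    an unverified peer or a legacy protocol version."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


# Usage (makes a network call, so it is left as a comment here):
#   import http.client
#   conn = http.client.HTTPSConnection("api.example.com",
#                                      context=hardened_context())
```

The same policy applies between gateways and microservices, not only at the edge: every hop in the list of channels above should be checked with something like `context_is_safe` rather than trusted because it sits inside the network.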

Business logic vulnerability. APIs are vulnerable to business logic abuse: calls that are individually well-formed and authenticated but are repeated, reordered or combined in ways no legitimate client would use. Generic detection heuristics shared between web and mobile apps generate many errors on such traffic (false positives and false negatives), which is exactly why a dedicated bot management solution for APIs is required.

Poor endpoint security. Most IoT devices and microservice tools are programmed to communicate with the server over API channels, and they authenticate to API servers using client certificates. Attackers try to gain control of an API from a compromised IoT endpoint; if they succeed, they can replay or re-sequence API calls, resulting in a data breach.

An API security checklist

The following nine best practices are a must for protecting API infrastructure against attacks and abuse:

  • Monitor and manage API calls coming from automated scripts (bots)
  • Drop primitive authentication, such as relying on a static API key as user authentication
  • Implement measures to prevent API access by sophisticated, human-like bots
  • Enforce robust encryption (TLS) between API clients and servers
  • Deploy token-based rate limiting that can limit API access by the number of IPs, sessions and tokens
  • Log requests and responses comprehensively
  • Scan incoming requests for malicious intent
  • Support clustered API deployments for fault tolerance
  • Track the usage and journey of API calls to find anomalies.
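The rate-limiting item in the checklist is more than a single counter: limits are applied per token, per IP and per session independently, and a token that suddenly appears from many different IPs is throttled even if its own request count is modest. The following is an added example, not code from the article or from Radware, of such a limiter with an in-memory sliding window; the limits are assumptions, and a clustered deployment would keep the counters in a shared store so the limits hold across all nodes.

```python
"""Added example (not part of the article): token-based rate limiting keyed
by API token, client IP and session, plus a cap on how many distinct IPs may
use one token within the window. Limits and the in-memory store are
assumptions for illustration."""
from collections import defaultdict, deque
import time


class ApiRateLimiter:
    def __init__(self, per_token=100, per_ip=300, per_session=50,
                 ips_per_token=3, window=60.0):
        self.limits = {"token": per_token, "ip": per_ip,
                       "session": per_session}
        self.ips_per_token = ips_per_token
        self.window = window
        self.hits = defaultdict(deque)       # (dimension, key) -> timestamps
        self.token_ips = defaultdict(deque)  # token -> (timestamp, ip)

    def _prune(self, dq, now, key=lambda entry: entry):
        # Drop entries older than the sliding window.
        while dq and key(dq[0]) < now - self.window:
            dq.popleft()

    def check(self, token, ip, session, now=None):
        """Return (allowed, reason). A request is counted only if allowed,
        so a blocked client cannot extend its own penalty."""
        now = time.monotonic() if now is None else now
        dims = (("token", token), ("ip", ip), ("session", session))
        for dim, key in dims:
            dq = self.hits[(dim, key)]
            self._prune(dq, now)
            if len(dq) >= self.limits[dim]:
                return False, f"{dim} limit exceeded for {key}"
        # Distinct-IP cap: a stolen or shared token shows up from many IPs.
        seen = self.token_ips[token]
        self._prune(seen, now, key=lambda entry: entry[0])
        distinct = {entry[1] for entry in seen}
        if ip not in distinct and len(distinct) >= self.ips_per_token:
            return False, f"token {token} used from too many IPs"
        for dim, key in dims:
            self.hits[(dim, key)].append(now)
        seen.append((now, ip))
        return True, "ok"


def simulate():
    """Constructed traffic (not real data): a token replayed from several
    IPs, one IP bursting through fresh sessions, then the same IP after the
    window has passed."""
    rl = ApiRateLimiter(per_token=100, per_ip=5, per_session=50,
                        ips_per_token=3, window=60.0)
    results = {}
    # 1) tok-X from four different IPs inside one window: fourth IP blocked.
    results["token_sharing"] = [
        rl.check("tok-X", f"192.0.2.{i}", f"s{i}", now=1.0 + i)[0]
        for i in range(1, 5)]
    # 2) One IP with a new token and session per request: capped at 5.
    results["ip_burst"] = [
        rl.check(f"tok-{i}", "198.51.100.7", f"b{i}", now=10.0 + i * 0.1)[0]
        for i in range(7)]
    # 3) Same IP well after the window: counters have expired, allowed.
    results["after_window"] = rl.check("tok-Y", "198.51.100.7", "late",
                                       now=200.0)[0]
    return results


if __name__ == "__main__":
    for scenario, outcome in simulate().items():
        print(f"{scenario}: {outcome}")
```

Each decision also yields a reason string, which is what the "comprehensive logging" and "track the journey of API calls" items in the checklist need: log the dimension that tripped, not just the 429, so an analyst can tell a shared token from a single noisy IP.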
