
Armand.nz


WAF vs API Gateway vs API Security

#WAF #WAAP #API Gateway #API Security

Coming from a security vendor with WAF/WAAP components in its security portfolio, I often asked myself why there was even an API security niche in cybersecurity. Could the WAFs and API gateways we have today do that job? I used to believe that first-generation WAFs/WAAPs and API gateways could secure APIs, but after working with customers, I realized they have inherent deficiencies.

Relying on WAFs and API gateways alone is not enough to secure APIs. Both filter on largely static attributes: attack signatures, IP reputation, per-IP rate thresholds and known-bad user agents. Today's automated attacks routinely sidestep these controls by rotating through large pools of residential or cloud IP addresses and spoofing headers, so that each individual source stays under any per-IP threshold. More importantly, neither tool has the per-API, per-account visibility needed to detect attacks that abuse business logic (credential stuffing, account enumeration, content scraping) against APIs that are well designed and free of classic injection flaws.
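As an added illustration (not code from the original post), the following Python detector contrasts a per-IP threshold with a per-target-account view over a constructed login log. The log lines, the IP ranges, the log format and the thresholds are all assumptions for the example; the point it shows is that a credential-stuffing run spread across a proxy pool never trips the per-IP counter but is obvious once failures are counted per account.

```python
import re
from collections import Counter, defaultdict

# Constructed login log for this example (not real traffic). Line format is an
# assumption: "<src_ip> <method> <path> user=<name> status=<code>".
# Six attacker IPs each send only two requests, spread over two target accounts;
# one legitimate user (carol) mistypes a password once from a single IP.
SAMPLE_LOG = """\
203.0.113.10 POST /api/v1/login user=alice status=401
203.0.113.11 POST /api/v1/login user=alice status=401
203.0.113.12 POST /api/v1/login user=alice status=401
203.0.113.13 POST /api/v1/login user=alice status=401
203.0.113.14 POST /api/v1/login user=alice status=401
203.0.113.15 POST /api/v1/login user=alice status=401
203.0.113.10 POST /api/v1/login user=bob status=401
203.0.113.11 POST /api/v1/login user=bob status=401
203.0.113.12 POST /api/v1/login user=bob status=401
203.0.113.13 POST /api/v1/login user=bob status=401
203.0.113.14 POST /api/v1/login user=bob status=401
203.0.113.15 POST /api/v1/login user=bob status=200
198.51.100.7 POST /api/v1/login user=carol status=401
198.51.100.7 POST /api/v1/login user=carol status=200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "user": m["user"], "status": int(m["status"])})
    return events


def ips_over_limit(events, limit=5):
    """Per-source-IP threshold, the kind of control a first-generation WAF applies.
    Returns the IPs that sent more than `limit` requests (assumed limit of 5)."""
    counts = Counter(e["ip"] for e in events)
    return {ip for ip, n in counts.items() if n > limit}


def accounts_under_stuffing(events, min_failures=4, min_ips=3):
    """Per-target-account view: an account is flagged when it has collected at
    least `min_failures` failed logins from at least `min_ips` distinct IPs.
    That pattern is the signature of a credential-stuffing run spread across a
    proxy pool, and it is invisible to any per-IP counter."""
    fail_count = Counter()
    fail_ips = defaultdict(set)
    for e in events:
        if e["status"] == 401:
            fail_count[e["user"]] += 1
            fail_ips[e["user"]].add(e["ip"])
    return {
        user: {"failures": fail_count[user], "source_ips": len(fail_ips[user])}
        for user in fail_count
        if fail_count[user] >= min_failures and len(fail_ips[user]) >= min_ips
    }


def successes_after_stuffing(events, flagged):
    """A successful login on an account already flagged as under attack is the
    event to act on (step-up authentication, session revocation, alert)."""
    return {e["user"] for e in events if e["status"] == 200 and e["user"] in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP limit trips on:", ips_over_limit(evs) or "nothing")
    hits = accounts_under_stuffing(evs)
    print("accounts under distributed attack:", hits)
    print("likely takeovers:", successes_after_stuffing(evs, hits))
```

Every attacker IP stays at two requests, so the per-IP limit never fires; keyed by target account, alice and bob show a burst of failures from many sources, and bob's final 200 is the takeover worth responding to. The same shift of key (from source to account, session or device fingerprint) is what separates an API-aware control from an IP-based one.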

To protect APIs from advanced threats, enterprises need a security approach that goes beyond perimeter controls such as WAFs and API gateways: dedicated API security tooling that provides visibility and control across the whole API lifecycle, from development through runtime. Such tooling co-exists with and augments existing API gateway and API management products, and can displace the first-generation L4-7 WAFs deployed in front of them.

To ensure effective API security in 2023, organizations should focus on three core principles, as described perfectly by Cequence Security (my employer! :-D ):

  1. API Discovery and Inventory: Many organizations underestimate the extent of their API landscape and end up with a mix of managed, unmanaged, shadow, third-party and internal APIs that nobody has fully catalogued. A comprehensive API discovery and inventory process, covering both the external (attacker's) view and the internal (traffic and code) view, is the prerequisite for visibility and protection.
  2. API Risk Analysis and Threat Detection: API risks arise from coding errors that can be exploited if left unaddressed. Runtime API analysis identifies APIs that have no specification, or that do not conform to the one that exists, so development can fix them proactively. Threat detection spans both pre-production testing, to find vulnerabilities before release, and runtime detection of business logic attacks, which succeed even against well-coded APIs.
  3. API Risk Remediation and Threat Prevention: Prompt remediation of identified risks and threats is vital. Development teams should be notified of detected risks as soon as they are found, and continuous analysis and testing should confirm that fixes actually land. Real-time mitigation responses such as blocking, rate limiting, deception and geo-fencing should be applied natively, without depending on external infrastructure like a WAF, to minimize the window in which an attack is effective.
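The discovery and runtime-analysis steps above can be illustrated with a small Python example (added here; this is not Cequence's or the author's code). It builds a live inventory from constructed access-log lines, normalizes identifier segments into path templates, and diffs that inventory against a constructed declared spec to surface shadow endpoints (live but undocumented) and stale ones (documented but never exercised). The spec, the log lines, the log format and the `normalize_path` heuristic are all assumptions for the example.

```python
import re

# Constructed inventory of what the team believes is published (OpenAPI-style
# path templates; an assumption for this example, not a real spec).
DECLARED_SPEC = {
    ("POST", "/api/v1/login"),
    ("GET", "/api/v1/users/{id}"),
    ("GET", "/api/v1/orders/{id}"),
    ("GET", "/api/v1/products/{id}"),
}

# Constructed access-log sample, "<method> <path> <status>" (not real traffic).
# It includes an undocumented sub-resource, an undocumented v2, an internal
# debug endpoint, and a rejected DELETE probe.
OBSERVED_TRAFFIC = """\
POST /api/v1/login 200
GET /api/v1/users/1001 200
GET /api/v1/users/1002 200
GET /api/v1/orders/55 200
GET /api/v1/orders/55/export 200
GET /api/v2/users/1001 200
GET /api/internal/debug/config 200
DELETE /api/v1/users/1001 405
"""

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def normalize_path(path):
    """Collapse identifier segments (integers, UUIDs) to '{id}' so that
    /users/1001 and /users/1002 map to the same template the spec uses.
    The heuristic is an assumption; real inventories learn templates from
    traffic volume or a routing table."""
    parts = []
    for seg in path.split("/"):
        if seg.isdigit() or UUID_RE.match(seg):
            parts.append("{id}")
        else:
            parts.append(seg)
    return "/".join(parts)


def observed_endpoints(log_text):
    """Endpoints that actually served traffic (status < 400). Probes the service
    rejected are excluded so the live inventory reflects real attack surface."""
    seen = set()
    for line in log_text.splitlines():
        method, path, status = line.split()
        if int(status) < 400:
            seen.add((method, normalize_path(path)))
    return seen


def compare_inventory(declared, observed):
    """Shadow: live but undocumented. Stale: documented but never exercised,
    which means either dead code or a spec that no longer matches what is deployed."""
    return {"shadow": observed - declared, "stale": declared - observed}


if __name__ == "__main__":
    live = observed_endpoints(OBSERVED_TRAFFIC)
    report = compare_inventory(DECLARED_SPEC, live)
    for kind in ("shadow", "stale"):
        print(kind)
        for method, template in sorted(report[kind]):
            print(f"  {method} {template}")
```

Running it reports three shadow endpoints (the orders export, the v2 users route and the internal debug endpoint) and one stale spec entry (products). Feeding the same diff into the remediation step means developers get a concrete list of routes to document, decommission or protect, rather than a generic alert.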

By following these principles, organizations can establish a robust API security framework that delivers comprehensive protection and proactive risk management. This matters because APIs are the "front door" to an organization's applications and a direct conduit to its data. Security posture must be kept current, and both published and unpublished (shadow and newly discovered) APIs must be monitored continuously.

In a nutshell, first-generation WAFs and API gateways are not effective against constantly evolving threats: they detect only a subset of malicious activity and offer only basic mitigation. They are poorly equipped to defend against business logic abuse of APIs, to apply precise mitigation policies without blocking legitimate traffic, or to keep up with the dynamic nature of automated attacks. Proper API security needs multiple layers of protection, including API-security-focused solutions that complement API management.


Copyright © Armand