Attacks in the cloud are on the rise, with The State of Cloud Native Security 2024 report revealing 64% of organisations reported an increase in data breaches over the past year. It found the top concerns when it came to cloud security were over AI threats both in terms of code poisoning and assaults, and the risks associated with unmanaged, unsecured or third-party Application Programming Interfaces (APIs).
APIs are an essential component in transferring data between cloud services and web applications and link these together, making them a prime target for attackers. Where web application security is concerned with protecting the front end, API security is focused on the mechanisms that retrieve the data servicing the application and this means it can be attacked to leverage access to sensitive data. But determining how you should protect your APIs is still an issue many are grappling with. In fact, the survey found 88% struggle to identify the security tools they need.
Will my WAF work?
Part of this confusion lies in the way in which security solutions have evolved. Given that APIs were essentially seen as an extension of the application, the consensus was that they could be protected using Web Application Firewalls (WAFs). However, unlike web applications which are vulnerable to things like SQL injection or cross site scripting (XSS) attacks, API attacks are not syntactic in nature. Indeed, they can still be attacked even when conforming to their set specifications, so using signature-based detection methods are not effective in detecting abuse.
Attackers have also since learnt to neatly sidestep such protection measures by rotating through tactics, techniques and procedures (TTPs). For examples, they might switch rapidly from one IP address to another. Other times they resort to overloading the WAF with thousands of IP addresses, effectively bricking it, which is why WAFs are so poor at blocking automated i.e. bot driven attacks.
The defence capabilities of API Gateways were likewise oversold. These are predominantly aimed at developers looking to push out and manage their APIs so cover the design, build, test and release phases with basic security protection such as SSL built in. They centralise operations and can rate limit or throttle traffic but have limitations int terms of detecting attacks that are not volumetric in nature. Therefore, while both WAFs can do the initial filtering and API Gateways detect surges in traffic, they are not designed to detect anomalous behaviour or lateral movement, which is where API protection comes in. It can take an inventory, define governance and block and tackle as needed.
Cloud WAAP
It’s for these reasons that we saw the emergence of what Gartner calls Web Application and API Protection or WAAP which essentially combines the abilities of the next generation WAF with DDoS protection, API security and bot mitigation. WAAP sees these amalgamated to provide a more comprehensive form of protection using solutions that directly complement one another and Cloud WAAP is now gaining ground, with more CSPs looking to offer it.
In its latest report, the Market Guide for Cloud Web Application and API Protection (Nov 2023), Gartner makes the point that while the market is steadily growing, it still faces some challenges in the form of alert fatigue from WAFs and sophisticated bot attacks. Key to solving the former are AI and machine learning that can correlate and qualify events for investigation while in terms of the latter, bot mitigation requires more advanced threat hunting and the use of deceptive techniques designed to exhaust the attacker’s resources.
Interestingly, the report insinuates that while traditional (ie on premise) WAAP is being superseded by its equivalent in the Cloud, the API security sector has come around the outside to become something of a contender by offering discovery, threat detection and response capabilities. It even suggests that some organisations may prefer a standalone solution over a WAAP service to focus security efforts and reduce overheads, effectively creating their own version.
API security in action
For example, a large enterprise that rapidly expanded and acquired a number of its competitors sought to address its API attack surface. The company’s applications were distributed across multiple cloud providers so they needed to ascertain how many API’s they had, where they were located, if they were conforming to security best practices and which API’s were exposing sensitive data. This included looking at whether those APIs even needed to expose that data, as many APIs are configured to do so unnecessarily.
In addition to addressing API posture management, the business also needed to be able to detect advanced business logic abuse or data exfiltration attacks over those APIs. Deploying an API security solution across multiple cloud environments as well as their traditional data centres allowed the security team to holistically look at the entire API attack surface, supplementing the information they already had from an API gateway perspective as well as from a WAF perspective.
Given that standalone API solutions are also available with bot mitigation, thereby dealing with the problem of automated and DDoS attacks which usually follow the discovery of a compromisable API, it will be interesting to see how the market plays out. Gartner is predicting we will inevitably see some convergence in the market as a result. In fact, we’ve already seen API vendors being snapped up this year, such as in the case of Fib acquiring Wib and Akamai announcing its intention to acquire NoName, revealing that WAAP providers are keen to incorporate the advanced capabilities of standalone API offerings.
For now, however, those looking to address their APIs with a cloud offering need to look at the nuances of their current set-up to determine if they need to plumb for a WAAP service or if they can use an API and bot management solution. It will very much depend on the solutions the business already has, the attack surface it is looking to manage and what it is trying to achieve. What’s important is that it doesn’t continue to try to use a square peg in a round hole and does attend to the very specific challenges of API security.
Andy Mills is VP of EMEA for Cequence Security and assists organisations with their API protection strategies, from discovery to detection and mitigation. He’s a passionate advocate of the need to secure the entire API lifecycle using a unified approach. Prior to joining Cequence, he held roles as CRO for a major tax technology provider and was part of the original worldwide team of pioneers that brought Palo Alto Networks, the industry’s leading Next-Generation Firewall, to market. Andy holds a Bachelor of Science Degree in Electrical and Electronic Engineering from Leeds Beckett University.