Search the Community

The perceptions of the API security market have really shifted since we started Impart Security three years ago. When we first started Impart, API security was a new market; there were many different opinions about what API security was, how to approach the problem, and what good API security looked like. I remember back in 2020, although most security teams I spoke with thought of API security as a critical part of their security program, those same teams also had very different views of what specific problems and urgent pain points needed to be addressed. In this post I’ll unpack the current state of the API security market, where it’s going, and how security teams should be implementing it with API-first runtime protection. The post Is API Security Just a Better WAF? | Impart Security appeared first on Security Boulevard. View the full article

Cequence Security is thrilled to announce our participation at this year’s RSA Conference, Booth 2033, where we’ll showcase our innovative bot management and API security solutions. The RSA Conference, a global summit for security innovators, returns to San Francisco’s Moscone Center from May 6-9. This event is a melting pot for those looking to exchange […] The post Join Cequence Security at RSA Conference 2024: Protect What Connects You with Advanced API Security Solutions appeared first on Cequence Security. The post Join Cequence Security at RSA Conference 2024: Protect What Connects You with Advanced API Security Solutions appeared first on Security Boulevard. View the full article

Salt Security claims Pepper can decrease the time it takes to surface actionable security-related information by as much as 91% . The post Salt Security Applies Generative AI to API Security appeared first on Security Boulevard. View the full article

In short, API security testing involves the systematic assessment of APIs to identify vulnerabilities, coding errors, and other weaknesses that could be exploited by malicious actors. Application Programming Interfaces, or APIs, provide much of the communication layer between applications that house an organization’s critical customer and company information, and API security testing is essential to […] The post What is API Security Testing? appeared first on Cequence Security. The post What is API Security Testing? appeared first on Security Boulevard. View the full article

The internet that we use today is a massive network of interconnected devices and services. Application Programming Interfaces (APIs) are an essential but sometimes invisible technology layer that underpins services ranging from social media to online banking. APIs serve as messengers between apps, allowing them to communicate data and functionality seamlessly, making API security a […] The post 71% Website Vulnerable: API Security Becomes Prime Target for Hackers appeared first on Kratikal Blogs. The post 71% Website Vulnerable: API Security Becomes Prime Target for Hackers appeared first on Security Boulevard. View the full article

A free version of Graylog's API security platform is intended to encourage developers to adopt best practices to secure APIs.View the full article

APIs provide direct access to application functionality and data, making them a powerful developer tool. Unfortunately, that also makes them a favorite target for threat actors. Proactively identifying API security threats is top of mind for 60% of IT leaders according to Google Cloud’s 2022 API Security Research Report. Most of the current approaches to securing APIs focus on detecting security vulnerabilities, but rapidly reacting and responding to API security issues once they are detected is just as important in maintaining a strong application security posture. This is where Advanced API Security for Apigee API Management can help. It’s an add-on that automatically detects misconfigurations, malicious bot attacks, and critical abuses, and today, we're excited to announce the public preview of two new Advanced API Security capabilities: Alerts are notifications that inform you about security threats or anomalies as soon as they are detected.Actions are automated operations, triggered in response to security threats or anomalies, based on predefined conditions.Actions and Alerts enhance Advanced API Security capabilities by reducing the time between threat detection and resolution through automation, minimizing the potential impact, and making your API security approach more proactive. Actions in Advanced API SecurityActions automate operations including allowing, denying, flagging, and redirecting API traffic from specific clients. You can choose to specify these clients manually or rely on built-in detection rules in Advanced API Security. These detection rules identify known API threats or patterns detected by our machine learning models pinpointing malicious activities, such as API scraping or anomalies. To stop API attacks, developers often need to manually exclude specific IP addresses via their Web Application Firewalls (WAF) or through implementing policies — a process requiring a full development cycle for each change. Worse, these processes are often ineffective against adaptive attacks that constantly change IP addresses. But now, with Actions, developers can automatically defend against malicious traffic. How does it work?Before your API proxies process traffic, you can choose to apply the following actions: Flag requests by adding up to five headers in the request sent to an API proxy, allowing you to precisely define the behavior of the traffic inside the proxy. For example, you may not want to intercept suspicious traffic, but rather track and observe it for further analysis.Deny requests that meet certain conditions, such as originating from a scraping activity. You can even customize the response code that is sent back to the client. For example, you can deny traffic from specific clients previously isolated and identified as suspicious.Allow requests by overriding any traffic that would otherwise be blocked by a deny action. For example, you can allow traffic from specific clients even if they are captured in a detection rule associated with a deny action.Creating an Action in Advanced API Security You also have the option to pause all active security actions, ensuring uninterrupted API requests. You might want this capability as a failover mechanism or allow all traffic in a few controlled scenarios. You can further refine the security measures by analyzing API traffic data associated with specific actions. Analyzing API traffic data associated with actions Alerts in Advanced API SecurityAlerts inform relevant stakeholders when a potential security incident or anomaly is identified. With our new Alerts capability, you are notified of any unusual API traffic (as identified by the detection rules) or of any changes to your security scores. Today, users have to constantly monitor their security scores or dashboards to identify new attacks. Now with Advanced API Security, you can configure an Alert to send notifications by text, email, or other channels upon detection of unusual traffic. How does it work?You can use Cloud Monitoring to set up the alerts to be notified about potential security incidents or even customize how you receive these alerts, be it through text, email, or other channels. For instance, if there's a sudden spike in suspicious requests from a particular region, you can set up an alert to be notified immediately. This alert ensures that you're always in the loop and can take swift action. Next stepsMinimizing the time it takes to detect and mitigate an API security threat is one of the most important ways to minimize negative business impacts. Advanced API Security shifts most of that burden to the platform, allowing developers to minimize overhead while maintaining precise control. Advanced API Security is offered as an add-on to Apigee API Management. Check out our technical documentation to learn more about these new capabilities or explore them hands-on by getting started with Apigee.

Noname Security today made generally available an update to a tool for testing application programming interface (API) security that promises to make it easier for DevOps teams to ensure APIs are secure. Filip Verloy, a field CTO for Noname Security, said Active Testing V2 is purposely designed to make it simpler to integrate API testing […]View the full article

Savvy leaders at organizations around the world know that digital transformations can create a virtuous flywheel of more and faster innovation, driven by the power of software integration. APIs can facilitate the necessary software integration and communication, and that requires serious consideration of the organization’s API security posture to better protect its data and digital systems. The proliferation of APIs has led to expanded attack surfaces and greater inherent risk. A quick scan of the digital landscape shows that traffic generated by APIs now dominates the internet. Google Cloud’s Apigee reports that for their customers alone, API traffic increased 46% between 2019 and 2020. At the same time, Google Cloud’s 2022 report on API security insights and trends notes that more than 50% of organizations faced an API-related security threat at least once in 2021, confirming that APIs have become a favorite target for threat actors. This month, we identified five categories of API attacks in a new report, “The Importance of API Security,” that takes a deeper look at how to build better API security systems. These threats include: Data scraping Denial of service (DoS) Injections or malware Account takeover (ATO) Scalping and bots While DoS, injections, and ATO are well-known attacks that came to the API world from web applications, abuse and bots are unique threats for APIs that are by their nature different from security issues. Security leaders should be concerned with how prepared their organizations are for API security threats. The current state of API security strategy Our 2022 report on API security insights and trends found that most organizations don’t have a robust API security strategy in place, and that 60% say that their API strategy needs improvement. Organizations face two primary impediments when establishing and maturing their API security capabilities: A lack of resources, and a lack of experience. Even leaders who are committed to securing APIs may end up deploying fragmented solutions across their organization, which could inadvertently create a false sense of security. So what’s the best way forward when it comes to protecting APIs? Taking a defense-in-depth approach We believe that layering API defense mechanisms that support each other but are otherwise independent is an effective way to stop adversaries. Along with our additional insights into a rapidly-changing API threat landscape in our “Importance of API Security” report, we also provide recommendations on launching an API-first security strategy that builds on four pillars: Essential API security controls and protections enforced for all APIs through a common API management platform, creating a no-exception approach that leaves no space for uncontrolled API exposure Protection against DDoS and exploits with an adaptive cloud protection suite that includes a WAF, machine-learning-based DDoS protection, and a threat intelligence capability Anti-bot protection to keep APIs and exposed resources safe from fraudulent activity, spam, and abuse Adherence to safe API coding principles to prevent the most common classes of security issues upfront You can read the report here, and reach out to the Google Cybersecurity Action Team to learn more. aside_block [StructValue([(u'title', u'EP62 Protect Modern Applications in the Cloud: Union of API and Application Security'), (u'body', <wagtail.wagtailcore.rich_text.RichText object at 0x3e942536fbd0>), (u'btn_text', u'Listen now'), (u'href', u'https://cloud.withgoogle.com/cloudsecurity/podcast/ep62-protect-modern-applications-in-the-cloud-union-of-apis-and-application-security/'), (u'image', None)])]

Organizations in every region and industry are developing APIs to enable easier and more standardized delivery of services and data for digital experiences. This increasing shift to digital experiences has grown API usage and traffic volumes. However, as malicious API attacks also have grown, API security has become an important battleground over business risk. To help customers more easily address their growing API security needs, Google Cloud is announcing today the Preview of Advanced API Security, a comprehensive set of API security capabilities built on Apigee, our API management platform. Advanced API Security enables organizations to more easily detect security threats. Here’s a closer look at the two key functionality included in this launch: identifying API misconfigurations and detecting bots. Identify API misconfigurations Misconfigured APIs are one of the leading reasons for API security incidents. In 2017, Gartner® predicted that by 2022 API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications. Today, our customers tell us application API security is one of their top concerns, which is supported by an independent study from 2021 by Fugue and Sonatype. The report found that misconfigurations are the number one cause of data breaches, and that “too many cloud APIs and interfaces to adequately govern” are frequently the main point of attack in cyberattacks. While identifying and resolving API misconfigurations is a top priority for many organizations, the configuration management process can be time consuming and require considerable resources. Advanced API Security can make it easier for API teams to identify API proxies that do not conform to security standards. To help identify APIs that are misconfigured or experiencing abuse, Advanced API Security regularly assesses managed APIs and provides API teams with a recommended action when configuration issues are detected. Advanced API Security identifies misconfigured API proxies, including the missing CORS policy. APIs form an integral part of the digital connective tissue that make modern medicine run smoothly for patients and healthcare staff. One common healthcare API use case occurs when a healthcare organization inputs a patient's medical coverage information into a system that works with insurance companies. Almost instantly, that system determines the patient's coverage for a specific medication or procedure, a process which is enabled by APIs. Because of the often-sensitive personal healthcare data being transmitted, it is important that the required authentication and authorization policies are implemented so that only authorized users, such as an insurance company, can access the API. Advanced API Security can detect if those required policies have not been applied, an alert which can help reduce the surface area of API security risks. By leveraging Advanced API Security, API teams at healthcare organizations can more easily detect misconfiguration issues and can reduce security risks to sensitive information. Detect Bots Because of the increasing volume of API traffic, there is also an increase in cybercrime in the form of API bot attacks—the automated software programs deployed over the Internet for malicious purposes like identity theft. Advanced API Security uses pre-configured rules to help provide API teams an easier way to identify malicious bots within API traffic. Each rule represents a different type of unusual traffic from a single IP address. If an API traffic pattern meets any of the rules, Advanced API Security reports it as a bot. Additionally, Advanced API Security can speed up the process of identifying data breaches by identifying bots that successfully resulted in the HTTP 200 OK success status response code. Advanced API Security helps visualize Bot traffic per API proxy. Financial services APIs are frequently the target of malicious bot attacks due to the high-value data that is processed. A bank that has adopted open banking standards by making APIs accessible to customers and partners can use Advanced API Security to make it easier to analyze traffic patterns and identify the sources of malicious traffic. You may experience this when your bank allows you to access your data with a third-party application. While a malicious hacker could try to use a bot to access this information, Advanced API Security can help the bank’s API team to identify and stop malicious bot activity in API traffic. API Security at Equinix Equinix powers the world’s digital leaders, bringing together and interconnecting infrastructure to fast-track digital advantage. Operating a global network of more than 240 data centers with a 99.999% or greater uptime, Equinix simplifies global interconnections for organizations, saving customers time and effort with the Apigee API management platform. “A key enabler of our success is Google’s Apigee, delivering digital infrastructure services securely and quickly to our customers and partners,” said Yun Freund, senior vice president of Platform at Equinix. “Security is a key pillar to our API-first strategy and Apigee has been instrumental in enabling our customers to securely bridge the connections they need for their businesses to easily identify potential security risks and mitigate threats in a timely fashion. As our API traffic has grown, so has the amount of time and effort required to secure our APIs. Having a bundled solution in one managed platform gives us a differentiated high-performing solution.” Getting started To learn more, check out the documentation or contact us to request access to get started with Advanced API Security. To learn more about API security best practices, please register to attend our Cloud OnAir webcast on Thursday, July 28th, 2:00 pm PT. Gartner, API Security: What You Need to Do to Protect Your APIs, Mark O'Neill, Dionisio Zumerle, Jeremy D'Hoinne, 28 August 2019 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Related Article CISO Perspectives: June 2022 Google Cloud CISO Phil Venables shares his thoughts on the RSA Conference and the latest security updates from the Google Cybersecurity A... Read Article

Salt augments existing “shift left” features to provide more remediation insights earlier in the API lifecycle to help organizations better secure their API-driven applications Palo Alto, CA – May 12, 2021 – Salt Security, the leading API security company, today announced that it has updated its next-generation Salt Security API Protection Platform with additional “shift left” security […] The post Salt Security Enhances Developer Insights on Industry’s Only Full Lifecycle API Security Platform appeared first on DevOps.com. View the full article

DOWNLOAD the Free Report >> The post Application Security and API Security appeared first on DevOps.com. View the full article

DOWNLOAD the Free Report >> The post Big Compass Practical Guide to API Security appeared first on DevOps.com. View the full article

Do you follow the same procedures to secure a web application as you do an API? Is there a difference between the two? We’ve spoken about API security quite a bit in the past few months because we believe that there are critical differences between API security and traditional web application security. A lack of […] The post Web Application Security is not API Security appeared first on DevOps.com. View the full article

42Crunch has announced that the scanning tools it provides to enable DevOps teams to secure application programming interfaces (APIs) can now be deployed in on-premises IT deployments. Previously only available as a cloud service, the 42Crunch API Security Platform has also been updated to provide expanded support for the OpenAPI specification for REST interfaces defined […] The post 42Crunch API Security Platform Now Available On-Premises appeared first on DevOps.com. View the full article

API security Modern applications are mobile first and are built around cloud-native distributed microservices architectures. These architectures have become the basic building blocks for complex and reliable distributed web and mobile applications. Many of these distributed APIs expose the business logic directly over the web; hence the attack surface and attack vectors are very different […] The post TraceAI : Machine Learning Driven App and API Security appeared first on DevOps.com. View the full article

The report outlines where companies are falling short in protecting their APIs and statistics on security incidents experienced.View the full article

“APIs are nothing new,” said Secure Code Warrior co-founder and CTO Matias Madou, but they have recently become more widely used. And where they were once a local mechanism, they are increasingly used in a distributed manner, partly because of changes to application architectures. Another reason is that users are increasingly likely to access systems […] The post API Security by Design appeared first on DevOps.com. View the full article

Information security has become headline news on a daily basis. You have probably heard of security risks ranging from malicious bots used in schemes both big and small, to all-out "software supply chain attacks" that involve large-name enterprises and their customers, and that ultimately affect numerous governments, organizations, and people. As businesses expand their digital programs to serve their customers via online channels and to operate from anywhere with a global remote workforce, such security attacks are expected to become more common. Because application programming interfaces (APIs) are fundamental components of an enterprises’ digital programs, connecting the data and functionality that power various apps and services, they are also vectors of malicious attacks--as well as sources of insights that enterprises can use to better understand attack patterns and how to thwart them. Our State of the API Economy 2021report found a 172% rise in abusive traffic and a 230% increase in enterprises’ use of anomaly detection, bot protection, and security analytics features. As agile, smart, and proactive digital security mechanisms have become the cost of doing business, API security has become an indispensable part of an enterprise’s IT security portfolio--and as this article explores, our recent release of Apigee X makes API security even more powerful. Multi-layer API security with Apigee and Google Cloud Armor APIs are the doors to various digital assets--and every door needs a lock to keep what’s behind it safe and protected from unauthorized access. Therefore, to help organizations secure APIs to the highest level, Google Cloud has brought together Apigee and Cloud Armor, combining industry-leading API management and web application firewall technologies. With Apigee X, the latest release of Google Cloud’s full lifecycle API management platform, customers can easily and seamlessly apply Cloud Armor web application firewall (WAF) to APIs, adding another layer of security to ensure that corporate digital assets are accessed only by authorized users. For companies such as AccuWeather, a global leader in weather data and forecasting, APIs have been essential to both building new applications and monetizing data and functionality for outside developers, so those communities can innovate with AccuWeather assets as well. With this new expanded surface area from their APIs, AccuWeather needed robust security to manage and secure its digital assets. “Over the last decade, AccuWeather has continued to transform as a digital solution for serving business customers with the most accurate and useful weather information using APIs. With Apigee’s strategic partnership and comprehensive API management platform, we were able to design, develop, and launch our industry-leading APIs in a few short weeks.” said Chris Patti, Chief Technology Officer at AccuWeather. “Today, we serve over 50 billion API calls per day. As many organizations embrace their own digital solutions, they are increasingly adopting API-first strategies for accelerated transformation. With the new Apigee X release, we can foresee furthering our API programs with the best of Google capabilities like reCaptcha, Cloud Armor, and Content Delivery Network (CDN) for global scale, performance and security.” Apigee and Cloud Armor together help secure your APIs at multiple levels. Click to enlarge While Apigee X includes OAuth (Open Authorization), API keys, role-based access and many other API-level security features, Cloud Armor offers network and application security such as DDoS (Distributed Denial of Service) protection, geo-fencing, mitigation of OWASP (Open Web Application Security Project) Top 10 risks, and custom Layer-7 filtering. With Apigee X and Cloud Armor, developers enjoy integrated, out-of-the-box security capabilities to protect their APIs at multiple levels. Click to enlarge Customers can also easily leverage Cloud Identity and Access Management (IAM) for authenticating and authorizing access to the Apigee platform as well as to gain more control over encrypted data with customer-managed encryption keys (CMEK). Apigee X and Cloud Armor deliver powerful protection for applications and APIs against threats and fraud. These products are also available as part of our WebApp and API Protection (WAAP) solution that adds anti-bot and anti-abuse measures from reCAPTCHA Enterprise. Security is a moving target, with attackers and new vulnerabilities emerging all the time--but with a multi-layer approach to API security, enterprises can trust that they can quickly leverage APIs for new digital services and experiences without compromising security along the way. To learn more about Apigee X, and see Apigee and Cloud Armor in action, check out this video Related Article How leading enterprises use API analytics to make effective decisions Explore why API monitoring and analytics are essential to successful digital transformation initiatives Read Article