Secure Under Protected APIs - WP
Under-Protected APIs
WHITE PAPER
Contents
• Background
• APIs in Modern Applications
• Security Concerns of Distributed API Architecture
• Designing a Secured API Environment
• References
Figure 1 - Distribution of API Protocols and Styles, based on directory of APIs listed at ProgrammableWeb, May 2016.
Publicly available APIs allow content and data to be shared openly between communities and applications.
ProgrammableWeb, one of the world’s leading information sources about Internet-based APIs, lists more than
17,444 APIs in its API Directory. This number has almost doubled during the past 4 years. Some notable
companies have built API businesses that match or exceed their original focus. For example, Salesforce
reportedly generates 50% of its revenues through APIs, eBay nearly 60% and Expedia 90%.
• Mobile applications
• Applications for IoT devices
• Embedding public and third-party APIs as external services into an existing application (e.g. Google Maps APIs)
DevOps environments, with the ever-increasing demand for continuous delivery, require complete process
automation utilizing APIs across the board:
• Service provisioning and management (e.g. AWS API)
• Platform management apps
• Continuous delivery process automation
In a FaaS architecture, managing function containers is more complex than managing long-lived
virtual machines. These function containers are created on request and may disappear immediately
after being used. This approach simplifies the development process and reduces OPEX dramatically. Note,
however, that APIs are not tightly coupled with FaaS; they are widely used in other architectures
and with web applications.
API vulnerabilities are hard to monitor and do not stand out. Traditional application security
assessment tools do not work well with APIs or are simply irrelevant in this case. DAST (Dynamic
Application Security Testing) and application scanning tools, for example, cannot invoke the
API because they cannot generate well-formed requests. Even if the tool knew whether the request
body should be JSON or XML and even had a schema for the API, it is still difficult to provide the
data required to correctly invoke an API.
Similarly, SAST (Static Application Security Testing) tools don’t do a great job of scanning API code,
as in a typical API, third-party frameworks and libraries use custom methods to read a JSON or
XML document from the body of the HTTP request, parse it, and pass the data into the API code. These
methods are different from one another and are subject to change, limiting the success rate of
static tools.
“Since many Application Programming Interfaces are mission critical and involve crucial business
functionalities and processes, API security
can exist in APIs just as in a traditional application.”
Radware introduces a unique auto policy generation mechanism to reduce the complexity of keeping evolving
environments secure. Advanced machine learning algorithms learn the XML and JSON structures and schemas
of the application during a validation phase and create a security policy that enforces them. Moreover, these
algorithms track changes in the application and update the policy automatically in real time, resulting
in an adaptive security model.
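To make the two points above concrete (scanners cannot produce well-formed API requests without knowing the body schema, and a schema learned from real traffic can be enforced as a positive security policy), here is an added toy illustration; it is not Radware's algorithm or code. It learns field names and types from constructed sample bodies for a hypothetical /orders endpoint and then reports any deviation in a new request.

```python
"""Toy positive-security model for JSON API bodies (added illustration, not
Radware's algorithm): learn field names/types from observed requests, then
flag requests that deviate from the learned schema."""
import json
from collections import defaultdict


def json_type(value):
    """Map a decoded JSON value to a coarse type name (bool before int: bool is an int subclass)."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "string"
    if isinstance(value, list):
        return "array"
    if isinstance(value, dict):
        return "object"
    return "null"


def learn_schema(samples):
    """Build {field: {"types": set, "required": bool}} from a list of decoded sample bodies."""
    seen = defaultdict(set)
    for body in samples:
        for key, val in body.items():
            seen[key].add(json_type(val))
    return {k: {"types": t, "required": all(k in s for s in samples)} for k, t in seen.items()}


def validate(schema, body):
    """Return a list of violations; an empty list means the body fits the learned model."""
    violations = []
    for key, spec in schema.items():
        if spec["required"] and key not in body:
            violations.append(f"missing required field '{key}'")
    for key, val in body.items():
        if key not in schema:
            violations.append(f"unexpected field '{key}'")
        elif json_type(val) not in schema[key]["types"]:
            violations.append(f"field '{key}' has type {json_type(val)}, expected {sorted(schema[key]['types'])}")
    return violations


# Constructed sample traffic for a hypothetical /orders endpoint (learning phase).
LEARNED = learn_schema([json.loads(s) for s in [
    '{"item_id": 101, "qty": 2, "note": "gift"}',
    '{"item_id": 202, "qty": 1}',
]])


def check_request(raw):
    """Parse a raw request body and validate it; an unparsable or non-object body is itself a violation."""
    try:
        return validate(LEARNED, json.loads(raw))
    except (ValueError, AttributeError) as e:
        return [f"malformed JSON body: {e}"]
```

Rebuilding LEARNED from fresh traffic is the manual equivalent of the automatic policy update described above.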
As part of Radware’s Attack Mitigation System, Radware’s WAF leverages DefenseMessaging - a unique
communication mechanism with Radware’s dedicated DDoS protection solutions - to provide best-of-breed
Layer 7 DDoS mitigation at the perimeter.
©2018 Radware Ltd. All rights reserved. Radware and all other Radware product and service names are registered trademarks or trademarks of Radware in
the U.S. and other countries. All other trademarks and names are property of their respective owners. The Radware products and solutions mentioned in this
document are protected by trademarks, patents and pending patent applications. For more details please see: https://www.radware.com/LegalNotice/