API Security:
An Introduction
Head of API Security
Proprietary and confidential. Do not distribute.
Digital transformation is driving a rapid increase in API usage
● Organizations are exposing more data to B2B partners and customers
● APIs are the core of service-oriented and microservices architectures
● APIs power mobile, single-page apps, and IoT
● APIs are the underpinning of DevOps, CI/CD, and Infra-as-code
70%+ of web requests are API calls
API Security Challenges
● Critical business functions and data are increasingly exposed via APIs
● Security teams struggle to keep up with the rapid proliferation of APIs
Key figures:
  300: minimum average number of APIs an org manages [2]
  80%: of businesses use APIs [3]
  50%: of breached records were accessed via APIs and apps [1]
  50%+: of enterprise APIs are not managed [4]
● Fragmented technology ecosystem is too complex to secure APIs without impacting business agility
● Companies are leveraging 3rd-party APIs more frequently and rank security as high as reliability
Sources: 1. Verizon 2019 Data Breach Investigations Report; 2. Imperva poll; 3. MuleSoft 2020 Connectivity Benchmark Report; 4. Gartner Predicts 2021
Categories of API Attacks
API Becoming the New Attack Surface
Authentication:
  ● Credential abuse
  ● Token abuse/overuse
  ● Authentication bypass
  ● Client agent bypass (bad bot)
Service Abuse:
  ● DoS/DDoS
  ● API call volume based charging abuse
Malicious Request:
  ● Injection
  ● Schema violation
  ● Server-side Request Forgery
  ● Message structure level abuse
  ● Weaponization
Business Logic Abuse/Data Theft:
  ● Broken Object/Function Level Authorization
  ● Excessive Data Exposure
  ● Data Exfiltration
Security Solutions for API Protection
From Web Application Firewall (WAF) to Web Application and API Protection (WAAP)
Evolution of conventional solutions:
  ● Authentication/Access Management -> API Access Management Gateways
  ● DoS/DDoS Protection -> API Service Abuse Protection
  ● Bot Protection: from humans vs. bots to good vs. bad bots
  ● Account Takeover Protection: from credential theft to API abuse
  ● Rule/Signature Based WAF -> API Fuzzing Protection
+ API-specific protections:
  ● API Business Integrity and Data Protection: automated detection and remediation of anomalies
  ● API Security Testing: proactive, automated discovery of vulnerabilities
  ● Visibility: always up-to-date inventory of APIs and their data exposure
Why Are Conventional Solutions Not Enough?
● Typical API Access Management control cannot stop an attacker leveraging an authorized session
● Typical schema validation cannot detect/stop API calls with completely conforming object payloads
● Applications are left to fend for themselves when it comes to object level authorization
Walk-through (each request passes the API Gateway and Schema Protection before reaching the API Service):
Reconnaissance: analyze the API call structure using test accounts to collect valid tokens.
Broken Object Level Authorization (BOLA) attack: use the test user's session to access other users' data.
  1. GET https://….com//api/v1/get_user_details …
     authorization: Bearer eyJhbGciOiJIUzUxMiJ9…
     { ….. Id: "11111" }          API Gateway ✅  Schema Protection ✅
  2. Return data about user "11111"
  3. GET https://….com//api/v1/get_user_details …
     authorization: Bearer eyJhbGciOiJIUzUxMiJ9…   (same valid token)
     { ….. Id: "11112" }          API Gateway ✅  Schema Protection ✅
  4. Return data about user "11112" (another user's object; neither control had a reason to block)
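The flow above, as an added example (not Imperva code): a gateway-style HS512 JWT check and a schema check both pass request 3, and only an object-level ownership check in the handler stops it. The HMAC secret, the user store and the request bodies are constructed for the demo; the header segment of the issued token is the `eyJhbGciOiJIUzUxMiJ9` shown on the slide.

```python
"""BOLA walk-through: token check and schema validation pass, ownership check blocks.

Added example, not Imperva code. SECRET and USERS are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # assumption: the API's shared HMAC key

# Constructed user store; the Ids mirror the "11111"/"11112" on the slide.
USERS = {
    "11111": {"name": "Alice", "email": "alice@example.test"},
    "11112": {"name": "Bob", "email": "bob@example.test"},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_jwt(subject: str, secret: bytes = SECRET) -> str:
    """Issue an HS512 JWT; the header segment equals the one on the slide."""
    header = _b64url(json.dumps({"alg": "HS512"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": subject}, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET) -> dict:
    """Gateway-style check: valid signature -> claims. Says nothing about
    which object the caller may read."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS512":
        raise PermissionError("unexpected alg")
    return json.loads(_b64url_decode(payload))


def schema_ok(body: dict) -> bool:
    """Schema validation as a WAF/gateway does it: shape only, not ownership."""
    return set(body) == {"Id"} and isinstance(body["Id"], str) and body["Id"].isdigit()


def get_user_details_vulnerable(token: str, body: dict) -> dict:
    """Trusts the Id in the payload once the caller is authenticated -> BOLA."""
    verify_jwt(token)
    if not schema_ok(body):
        raise ValueError("schema violation")
    return USERS[body["Id"]]


def get_user_details_fixed(token: str, body: dict) -> dict:
    """Binds the requested object to the authenticated subject."""
    claims = verify_jwt(token)
    if not schema_ok(body):
        raise ValueError("schema violation")
    if body["Id"] != claims["sub"]:  # object-level authorization
        raise PermissionError("not your object")
    return USERS[body["Id"]]


def demo():
    """Returns (own data, data stolen via the vulnerable handler, fixed handler blocked?)."""
    token = make_jwt("11111")  # reconnaissance: a valid token for test user 11111
    own = get_user_details_vulnerable(token, {"Id": "11111"})
    stolen = get_user_details_vulnerable(token, {"Id": "11112"})  # step 3 on the slide
    try:
        get_user_details_fixed(token, {"Id": "11112"})
        blocked = False
    except PermissionError:
        blocked = True
    return own, stolen, blocked


if __name__ == "__main__":
    print(demo())
```

Both handlers share the same authentication and schema code; the only difference is the one comparison against the token's subject, which is exactly the check a gateway in front of the service cannot make for it.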
API Security starts with discovery
● APIs' app-specific data layer makes automatic discovery necessary
● Beyond technical specifications, automatic discovery must be able to identify sensitive data
● An automatically updated API inventory is the foundation for detection and remediation
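One way to do what the three bullets describe, as an added example and not Imperva's discovery engine: fold observed traffic into an endpoint inventory, collapse instance identifiers so that `/users/11111` and `/users/11112` are one endpoint, and classify response fields by name and by value shape. The log format (method, path, status and JSON response body per line) and every line in `SAMPLE_LOG` are constructed.

```python
"""Traffic-based API discovery with sensitive-data classification.

Added example, not Imperva code. Log format and SAMPLE_LOG lines are constructed.
"""
import json
import re

SAMPLE_LOG = """\
GET /api/v1/users/11111 200 {"id":"11111","name":"Alice","email":"alice@example.test"}
GET /api/v1/users/11112 200 {"id":"11112","name":"Bob","email":"bob@example.test"}
POST /api/v1/orders/list/summary 200 {"orders":[{"id":"o-1","card":"4111111111111111"}]}
GET /api/v1/health 200 {"status":"ok"}
GET /api/v1/users/11111/tokens 200 {"tokens":["eyJhbGciOiJIUzUxMiJ9.e30.c2ln"]}
"""

UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SECRET_KEY = re.compile(r"(password|secret|token|api[_-]?key)", re.I)


def normalize_path(path: str) -> str:
    """Collapse instance identifiers so /users/11111 and /users/11112 match."""
    return "/".join("{id}" if seg.isdigit() or UUID.match(seg) else seg
                    for seg in path.split("/"))


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card numbers from arbitrary numeric strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(key: str, value) -> set:
    """Labels for one JSON leaf, by field name and by value shape."""
    labels = set()
    if SECRET_KEY.search(key or ""):
        labels.add("credential")
    if isinstance(value, str):
        if EMAIL.match(value):
            labels.add("email")
        if value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value):
            labels.add("payment_card")
        if value.startswith("eyJ") and value.count(".") == 2:  # JWT shape
            labels.add("credential")
    return labels


def scan(obj, key: str = "") -> set:
    """Walk a JSON document and collect sensitive-data labels."""
    if isinstance(obj, dict):
        return set().union(*(scan(v, k) for k, v in obj.items())) if obj else set()
    if isinstance(obj, list):
        return set().union(*(scan(v, key) for v in obj)) if obj else set()
    return classify(key, obj)


def update_inventory(log_text: str, inventory: dict = None) -> dict:
    """Fold log lines into an inventory keyed by 'METHOD /normalized/path'.
    Pass the previous inventory back in with new traffic to keep it current."""
    inventory = inventory if inventory is not None else {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, status, body = line.split(" ", 3)
        key = f"{method} {normalize_path(path)}"
        entry = inventory.setdefault(key, {"calls": 0, "statuses": set(), "sensitive": set()})
        entry["calls"] += 1
        entry["statuses"].add(int(status))
        try:
            entry["sensitive"] |= scan(json.loads(body))
        except json.JSONDecodeError:
            entry["sensitive"].add("unparsed_body")
    return inventory


if __name__ == "__main__":
    for endpoint, info in sorted(update_inventory(SAMPLE_LOG).items()):
        print(endpoint, info["calls"], sorted(info["sensitive"]))
```

The value-shape checks matter because a spec, if one exists, names fields but says nothing about what they carry at runtime; the `tokens` endpoint is flagged both by its field name and by the JWT-shaped value.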
Deployment Architectures
Prioritization Driven by Exposure Risks
  1. North-South: public APIs, reached by browsers, apps & things through the WAAP gateway
  2. Externally exposed private APIs: partner access devices through the API gateway
  3. East-west: internal APIs behind the private cloud API gateway
A Full Life-cycle Approach
● Start with deep discovery of production APIs
● Maintain an always up-to-date API inventory to help improve API governance
● Enhance API security test coverage with automatic generation of tests from discovered APIs
API Governance and API Secure Operations across the pipeline (Build, Code, Test, CI, CD, Run):
  ● Help Dev with secure API design: spec security assessment; spec generation and validation
  ● Help Dev/DevOps with API security testing: auto test generation from discovered APIs; proactive API anomaly scan
  ● Help DevOps and SecOps secure APIs in production: discover APIs in production; API anomaly detection and remediation
API Security Roadmap
DELIVERED
● Automated API Discovery with Data Classification
● API Schema Protection enhanced by auto-merging of discovered APIs
● Support both SaaS and private cloud deployments
● Automatic API Security Test generation for discovered APIs
● API design security risk assessment based on API specifications (also called API Security Audits)
COMING SOON (H2 2022)
● Continue expansion of auto-discovery (e.g. custom data classification)
● Data centric anomaly detection (e.g. excessive sensitive data exposure)
● Tighter integration with platform features (e.g. bad bot prevention, ATO protection)
● Expansion of integration with existing API Gateways
2023
● Expansion of API protocol support
● Consolidation of management plane
● Multi-form factor remediation (e.g. actions against compromised accounts behind API abuses)
● Cloud Native WAAP data plane
Future 2024
● Cloud Native, hybrid mode, auto-scale deployment with centralized management option
● Full support of API Detection/Response
● Automated, Full Lifecycle API security:
  ○ Auto-discovery driven security verification
  ○ Auto-generation of baseline from monitoring API test
  ○ Automated remediation actions in response to API anomaly
Back-up Slides
API Security Anywhere (more details)
Deployment diagram; components recovered from the slide:
  ● Imperva Controller Console / Management Console
  ● k8s Cluster: Node -> Pod, with a Sidecar Microsensor beside the Application Container(s)
  ● Serverless Platforms: Lambda@Edge, Lambda Layers
  ● Advanced API Controller (public or private cloud) / API Controller
  ● Server / VM: Containers with a Sniffer Microsensor
  ● Server / VM: Legacy Apps / Microservices with Microsensors
  ● Additional Sources: Packet Capture Consumer Service, Log Consumer Service, Network Tap/Sniffer or Traffic Mirroring
What We Found (1): Data Object Authz Risk
POST /…/…/…/orders/list/summary
What We Found (2): Authentication
API Verification
Cloud WAF API Security Add-on New Feature
Feature Highlight
● A new feature of the Cloud WAF API Security Add-on
○ Generally Available now
○ Available to all add-on customers
● Two verification tools
○ API test generation for customers with no API
specification
■ Automatically generate API security tests based on discovered APIs
○ API specification security assessment for customers
who uploaded their API specification
■ Scan API specifications to generate a security assessment report on
the API design
● Customer Values
○ Enable secure API development.
■ Buyer: Security Team
■ Operator: Dev Test
○ Natural next step after API Discovery:
■ Discover and fix API vulnerabilities before they are exploited
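The two verification tools described above, and the "auto test generation from discovered APIs" and "spec security assessment" steps of the life-cycle slide, as one added example that is not the product's verification engine: a static review of an OpenAPI-style fragment for design risks (no security requirement, plaintext server URL, unconstrained path parameters, secret-looking response fields), and a test generator that needs only the endpoint list, so it works with a traffic-discovered inventory when no specification exists. `SPEC` is constructed; the expected status codes in the generated tests and the `$TOKEN_A`/`$OBJ_A`/`$OBJ_B` placeholders are assumptions a real harness would fill in.

```python
"""Spec security assessment plus test generation from discovered endpoints.

Added example, not Imperva code. SPEC is a constructed OpenAPI-style fragment;
expected status codes are assumptions to be tuned per API.
"""
import re

SPEC = {
    "servers": [{"url": "http://api.example.test"}],  # constructed, plaintext on purpose
    "paths": {
        "/api/v1/users/{id}": {
            "get": {
                "security": [{"bearer": []}],
                "parameters": [{"name": "id", "in": "path", "schema": {"type": "string"}}],
                "responses": {"200": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {"id": {"type": "string"},
                                   "email": {"type": "string"},
                                   "password_hash": {"type": "string"}}}}}}},
            }
        },
        "/api/v1/orders/list/summary": {
            "post": {  # no security requirement at all
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object", "properties": {"account": {"type": "string"}}}}}},
                "responses": {"200": {}},
            }
        },
    },
}

SECRET_FIELD = re.compile(r"(password|secret|token|ssn|card)", re.I)
PATH_PARAM = re.compile(r"\{[^/}]+\}")


def assess_spec(spec: dict) -> list:
    """Static design review; returns findings as (severity, where, message)."""
    findings = []
    for server in spec.get("servers", []):
        if server.get("url", "").startswith("http://"):
            findings.append(("medium", server["url"], "server URL is plaintext HTTP"))
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            ep = f"{method.upper()} {path}"
            if not op.get("security") and not spec.get("security"):
                findings.append(("high", ep, "no security requirement: unauthenticated by design"))
            for p in op.get("parameters", []):
                schema = p.get("schema", {})
                if p.get("in") == "path" and not (schema.get("pattern") or schema.get("format")):
                    findings.append(("low", ep, f"path parameter '{p['name']}' has no pattern/format"))
            for code, resp in op.get("responses", {}).items():
                schema = resp.get("content", {}).get("application/json", {}).get("schema", {})
                for field in schema.get("properties", {}):
                    if SECRET_FIELD.search(field):
                        findings.append(("high", ep, f"response {code} exposes '{field}' (excessive data exposure)"))
    return findings


def endpoints_from_spec(spec: dict) -> list:
    """Same 'METHOD /path' shape a traffic-based discovery inventory yields."""
    return [f"{m.upper()} {p}" for p, ops in spec.get("paths", {}).items() for m in ops]


def generate_tests(endpoints: list) -> list:
    """Security tests from the endpoint list alone (no spec required).
    $TOKEN_A/$OBJ_A belong to test user A, $OBJ_B to test user B."""
    tests = []
    for ep in endpoints:
        method, path = ep.split(" ", 1)
        own_path = PATH_PARAM.sub("$OBJ_A", path)
        tests.append({"name": "no-auth", "endpoint": ep,
                      "request": {"method": method, "path": own_path, "headers": {}},
                      "expect_status": [401, 403]})
        if PATH_PARAM.search(path):  # object-level authorization probe (BOLA)
            tests.append({"name": "bola-cross-user", "endpoint": ep,
                          "request": {"method": method, "path": PATH_PARAM.sub("$OBJ_B", path),
                                      "headers": {"Authorization": "Bearer $TOKEN_A"}},
                          "expect_status": [403, 404]})
        if method in ("POST", "PUT", "PATCH"):  # valid JSON, wrong shape
            tests.append({"name": "schema-type-confusion", "endpoint": ep,
                          "request": {"method": method, "path": own_path,
                                      "headers": {"Authorization": "Bearer $TOKEN_A",
                                                  "Content-Type": "application/json"},
                                      "body": "[]"},
                          "expect_status": [400, 422]})
    return tests


if __name__ == "__main__":
    for f in assess_spec(SPEC):
        print(*f)
    for t in generate_tests(endpoints_from_spec(SPEC)):
        print(t["name"], t["endpoint"], t["expect_status"])
```

The generated BOLA probe is the slide's step 3 turned into a regression test: user A's token against user B's object, expecting a 403 or 404 rather than a 200 with data.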