Unfortunately, most solutions rely heavily on this technique to detect hostile bots. This means that a web security solution cannot use browser verification, because the client is not using a browser. Most service/microservice APIs are accessed by mobile/native applications, or by other services or software components. Thus, security can be compromised.Ĭlients will probably not be using a web browser. Each time an API changes, a typical security solution requires manual tuning and reconfiguring-which not only consumes time and resources, it can be an error-prone process. Most WAFs are not designed to accommodate this. In a DevOps environment, APIs can evolve rapidly. Incoming request formats can change frequently. And APIs tend to expand over time, so even an individual API can become difficult to secure properly. Different APIs can use different protocols. Today, web applications can have numerous API endpoints. The days of only protecting ports 80 and 443 (HTTP and HTTPS) are over. The castle has lots of openings, and no moat. How is API Security Different?ĪPIs present a very different situation than that described above. Or, it can notice a large volume of incoming traffic from a single IP, and determine that it’s an attempted DDoS attack (Distributed Denial of Service). For example, the WAF can block attempts at XSS (cross-site scripting). If verification fails, then it’s probably safe to assume that the client is a bot using an emulator or headless browser.Īttacks can be detected by examining the requests. Therefore, the WAF can verify the browser environment. Therefore, the WAF (Web Application Firewall) can be configured to enforce those protocols.Ĭlients will be using a web browser. ![]() Incoming requests will adhere to well-defined protocols that are mostly static. Once requestors are allowed through the perimeter, they’re assumed to be benign. There are only a few ways through the perimeter, and these access points are heavily guarded. The network has a well-protected perimeter. ![]() In traditional web security, the following are usually true. ![]() In many ways, API security is different than typical approaches to web security. Securing API endpoints from hostile usage is challenging.
0 Comments
Leave a Reply. |