As seen on Security Boulevard.
API sprawl, which Brian Otten, VP of the digital transformation catalysts division with Axway, defined as “an uncontrolled proliferation of APIs in an organization,” is creating a flood of new security headaches for organizations. One of the biggest problems in securing APIs is that sprawl makes them difficult to track and inventory. And it may be that traditional security methods will not work to detect and protect applications that rely on APIs.
Where Traditional Security Solutions Fail
The traditional solutions used for API security are those that are already in the application security space, such as web application firewalls.
However, there is confusion in the market, said Edward Roberts, VP of marketing at Neosec, in an email interview, and many are under the mistaken impression that solutions like these also protect their APIs. That’s not always the case.
“These products were never built to protect APIs and rely on rules or signatures to detect bad requests,” said Roberts.
People also misunderstand API gateways, Roberts added, which, while they do provide some basic security features like authentication, authorization and rate limiting, were never intended as serious security solutions to protect APIs from abusive traffic.
“An analogy is to think of APIs like a system of roads that connect businesses to their partners and customers,” explained Roberts. “These API requests are cars traveling on the API road. Within the car is data, and some contain sensitive information like PII.”
If you are traveling in a car, you require a road map to get you from one point to the next, and even if you are familiar with the trip, new construction can throw you off the planned route. It’s not much different with API security. Most organizations don’t have a comprehensive map or inventory of the roads they have created, and because building new APIs is easy, the map is constantly changing and growing.
“This is why continuously discovering APIs is the first security problem that needs addressing. You can’t protect what you cannot see,” said Roberts.
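As an added illustration (not code from the article or from any vendor product), here is a minimal form of the discovery step Roberts describes: build an inventory of routes from gateway access-log lines, collapse identifier segments so that many requests map to one route, and flag routes that are not in the declared inventory. The log lines, the documented path set and the function names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of API gateway access-log lines (common log format style).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /api/v1/users/123 HTTP/1.1" 200 512
10.0.0.6 - - [01/Mar/2023:10:00:02 +0000] "GET /api/v1/users/456 HTTP/1.1" 200 498
10.0.0.7 - - [01/Mar/2023:10:00:03 +0000] "POST /api/v1/orders HTTP/1.1" 201 77
10.0.0.8 - - [01/Mar/2023:10:00:04 +0000] "GET /api/v2/users/789/export HTTP/1.1" 200 90112
10.0.0.9 - - [01/Mar/2023:10:00:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.5 - - [01/Mar/2023:10:00:06 +0000] "GET /api/v1/users/123?fields=email HTTP/1.1" 200 512
"""

# Constructed "documented" inventory, e.g. the (method, path) pairs declared in an OpenAPI spec.
DOCUMENTED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Segments that look like numeric ids, UUIDs or long hex tokens are treated as path parameters.
ID_SEGMENT = re.compile(r"^(?:\d+|[0-9a-f-]{32,})$", re.I)


def normalize(path: str) -> str:
    """Drop the query string and collapse id-like segments so /users/123 and /users/456 become one route."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("/"))


def discover(log_text: str) -> Counter:
    """Build the observed (method, route) inventory with request counts from log lines."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[(m["method"], normalize(m["path"]))] += 1
    return seen


def shadow_endpoints(observed: Counter, documented: set) -> list:
    """Routes seen in traffic but absent from the documented inventory (the 'roads not on the map')."""
    return sorted(ep for ep in observed if ep not in documented)


if __name__ == "__main__":
    observed = discover(SAMPLE_LOG)
    for endpoint in shadow_endpoints(observed, DOCUMENTED):
        print("undocumented:", endpoint, "requests:", observed[endpoint])
```

Run continuously against fresh log batches, the diff between observed and documented routes is what keeps the inventory current as new APIs are built.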