APIs & web services

Application web security: APIs as attack vector

Cybersecurity for secure application programming interfaces

How to close data security gaps with regard to APIs

More than 80 % of all attacks on the web today rely on APIs, which therefore pose an increased risk for any company or governmental agency. Gartner estimates that by 2022 API abuse will be the most common attack vector leading to security breaches in enterprise web applications. The Open Web Application Security Project (OWASP) recently published a top 10 list of the greatest threats to API security. OWASP is well known for its top 10 list of web application security risks and has now extended it with a dedicated list of API security risks.

APIs (Application Programming Interfaces) have existed for a long time, but their use has increased dramatically in recent years. The growing prevalence of APIs is changing the way data is exchanged on the Internet: machine-to-machine communication already outweighs traffic between people and web pages. APIs enable interoperability between a wide variety of components and systems, connecting machines and software like the pieces of a puzzle. Application APIs are components of every modern application architecture, such as microservices, single-page applications (SPAs), mobile apps and IoT devices.

While we expect the trend towards API development to continue, we also expect web application security breaches to increase. They will become more frequent and more sophisticated, so API-specific security will matter more than ever before. APIs expose even more of the application logic and much more information (including sensitive data) than web pages or web applications do.

Application APIs – especially appealing to hackers

An application API is a primary entry point for attacks and data leaks, since it grants access to third parties. The fact that APIs allow mass data to be transferred easily makes them particularly attractive to hackers. If application web security is neglected, hackers can reach numerous applications through the unsecured interface and compromise them. Depending on how developers program an API, it can reveal back-end data resources, back-end architecture and even the back-end applications running on servers. Rapid product development using agile methods has made API lifecycle management more complex than ever before. IT admins have to manage more and more APIs, which change frequently and run interdependently (sometimes unnoticed). While lifecycle management methods for APIs are becoming more sophisticated, developers do not apply them rigorously enough, or apply them only to new APIs. And on top of that, they lack the time to ensure thorough API security.

Advantages of our application web security solutions

  • Identify assets, prioritize vulnerabilities, distribute remediation tasks
  • Seamlessly secure machine to machine (M2M) communications
  • Authenticate web service agents, sign messages and encrypt traffic
  • Protect automated data flows
  • Centrally control all web application and services communications
  • Web services routing & authentication service
  • Improve control by continuously monitoring collaboration applications

If you have any questions, please contact us.

Application web security: a web application firewall as a critical checkpoint

As application APIs are the "weakest link in the security chain", conventional application security mechanisms no longer protect them sufficiently. You need API-centric security that is considered across the entire API development cycle. The protection of APIs should be combined with other security measures in a comprehensive security concept for web applications and a stringent risk assessment approach.

If an API is open to the Internet, you need to consider all levels that are vulnerable when it comes to coherent application web security. There needs to be a consistent approach:

  • Which transport protocol should you authorize?
  • Which data flows should you manage?
  • What authentication can you use to ensure that data is only accessible to authorized persons?

You can read more about this here in our white paper:

Web Application Firewalls for API security

Web application firewalls are the best solution for ensuring API security because they find the right balance between security measures and usability – with the clear goal of keeping malicious traffic away from the back end or other components such as an API gateway. It is important that a WAF can proactively prevent complex API attacks. However, it does not replace an authorization mechanism in the application framework, and it does not release developers from their obligation to deal with API security continuously and responsibly.

"According to users, WAFs are currently most successful in protecting against DDoS attacks (64 %), DNS security (61 %), securing weak points in applications (55 %) and detecting anomalies (54 %)."
Ponemon study

Protect your APIs even in the Cloud

R&S®Cloud Protector

The most common API threats

The API documentation often reveals the implementation and the internal structure, and attackers can use this information to prepare cyberattacks. Additional weaknesses, such as weak authentication, lack of encryption and insecure endpoints, make APIs vulnerable to attacks.

Top 5 API threats

  • Broken Object Level Authorization
  • Broken Authentication
  • Excessive Data Exposure
  • Lack of Resources & Rate Limiting
  • Broken Function Level Authorization
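The two top-ranked threats in the list above, Broken Object Level Authorization and Excessive Data Exposure, shown in a minimal order-lookup handler with the vulnerable version beside the hardened one. This is an added example, not code from this page or from Rohde & Schwarz; the users, orders and field names are constructed.

```python
# Added example (not Rohde & Schwarz code): Broken Object Level Authorization and
# Excessive Data Exposure in an order-lookup endpoint. All sample data is constructed.
class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

USERS = {  # constructed sample accounts (already authenticated callers)
    "alice": {"id": 1, "role": "customer"},
    "bob": {"id": 2, "role": "customer"},
    "ops": {"id": 3, "role": "admin"},
}
ORDERS = {  # constructed sample records; internal_note must never leave the back end
    101: {"id": 101, "owner_id": 1, "total": 49.90, "card_last4": "4242",
          "internal_note": "fraud check passed"},
    102: {"id": 102, "owner_id": 2, "total": 12.00, "card_last4": "1111",
          "internal_note": "chargeback pending"},
}

def get_order_vulnerable(caller: str, order_id: int) -> dict:
    """BOLA: the handler authenticates the caller but never checks that the
    object belongs to them, so any logged-in user can read any order by id.
    It also serialises the whole record (Excessive Data Exposure)."""
    USERS[caller]  # authentication only, no authorization
    return ORDERS[order_id]

PUBLIC_FIELDS = ("id", "total", "card_last4")  # explicit response allow-list

def get_order_hardened(caller: str, order_id: int) -> dict:
    """Object-level authorization: the caller must own the order or hold the
    admin role, decided on the server from the stored owner, never from
    anything the client sent. The response is built from an allow-list."""
    user = USERS[caller]
    order = ORDERS.get(order_id)
    if order is None or (order["owner_id"] != user["id"] and user["role"] != "admin"):
        # Same outcome for "does not exist" and "not yours", so ids cannot be
        # enumerated by comparing error responses.
        raise Forbidden(f"order {order_id} is not accessible")
    return {field: order[field] for field in PUBLIC_FIELDS}

def can_access(caller: str, order_id: int) -> bool:
    """Wrapper exposing the hardened handler's decision as a boolean."""
    try:
        get_order_hardened(caller, order_id)
        return True
    except Forbidden:
        return False
```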

Man in the middle attacks

In a man-in-the-middle (MITM) attack, an attacker secretly intercepts the communication between two parties, including API messages, to obtain sensitive information. For example, an attacker can capture a session token exchanged in an HTTP header between the API and the user's browser. Once in possession of the session token, the attacker has access to the user account and consequently to personal information such as credit card details or login credentials.

DDoS attack

In a Distributed Denial of Service (DDoS) attack, multiple systems or bots "flood" a target system, usually one or more web servers. A DDoS attack on a web API attempts to exhaust its memory and capacity by flooding it with concurrent connections or by sending or retrieving large amounts of data in each request. APIs can usually detect and block excessive traffic from a single source, but they are helpless against mass requests from multiple locations, which is why hackers typically launch DDoS attacks from many systems and devices simultaneously.
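The gap described above, a per-source limit that stops one flooding client but not the same volume spread across many addresses, can be shown with a small simulation of a sliding-window limiter with and without a global cap. This is an added example, not code from this page or from Rohde & Schwarz; the one-second window, the limits and the traffic samples (documentation address ranges) are constructed assumptions.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Sliding-window rate limiter with a per-source cap and an optional global cap.
    The per-source cap catches a single flooding client; only the global cap, sized
    to what the back end can actually serve, catches the same volume spread over
    many sources. Added example, not Rohde & Schwarz code."""

    def __init__(self, window_s, per_source_limit, global_limit=None):
        self.window_s = window_s
        self.per_source_limit = per_source_limit
        self.global_limit = global_limit
        self._per_source = defaultdict(deque)  # source -> timestamps in window
        self._global = deque()                 # all accepted timestamps in window

    def _prune(self, q, now):
        # Drop timestamps that have left the sliding window.
        while q and q[0] <= now - self.window_s:
            q.popleft()

    def allow(self, source, now):
        q = self._per_source[source]
        self._prune(q, now)
        self._prune(self._global, now)
        if len(q) >= self.per_source_limit:
            return False
        if self.global_limit is not None and len(self._global) >= self.global_limit:
            return False
        q.append(now)
        self._global.append(now)
        return True

def simulate(limiter, requests):
    """Feed (timestamp, source) pairs through the limiter; return (accepted, rejected)."""
    accepted = rejected = 0
    for ts, src in requests:
        if limiter.allow(src, ts):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected

# Constructed traffic samples: 1000 requests within one second, once from a single
# address and once spread evenly over 250 addresses (4 requests each).
def single_source_traffic(n=1000):
    return [(i / 1000, "198.51.100.7") for i in range(n)]

def distributed_traffic(n=1000, sources=250):
    return [(i / 1000, f"203.0.113.{i % sources}") for i in range(n)]
```

With a per-source limit of 10 requests per second the single-source sample is cut to 10 accepted requests, while the distributed sample passes untouched; only a global cap matched to back-end capacity limits the second case.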


Featured content for application web security

Webinar

Assuring and Implementing Cybersecurity and Data Protection in Public Clouds. Learn more in this webinar about security and governance challenges of cloud environments in general and how to approach those in a structured manner.


Webinar: API security risks

In this webinar we will present the 10 most important API security risks and how you can protect yourself against them.


White paper: How to protect your APIs

Learn in this white paper how to protect your APIs with the R&S Web Application Firewall.


Effective protection for web applications and websites

In this ebook you will discover in detail a new approach to security, reliability and data protection of web applications in the cloud.


FAQs
Why is security important in web applications?

Application web security is important because cybercriminals use methods that deliberately exploit weaknesses in the web application software itself, and which are therefore not recognized by classic IT security systems such as network firewalls or intrusion prevention systems (IPS). Simple network firewalls can only block or allow certain TCP or UDP ports; attacks at the application level via the Hypertext Transfer Protocol (HTTP/HTTPS) are not recognized and thus cannot be proactively blocked. Even next-generation firewalls are not sufficient: they usually do not act as a reverse proxy, so they cannot identify and prevent all attacks that specifically target applications accessed via a web browser.

What are the strategies to secure web applications?

Here are some recommendations for more application web security:

  • Ask experts to "attack" your web application
  • Follow web application security blogs
  • Apply updates regularly
  • Make backups (also offline!)
  • Security and usability go hand in hand
  • Always use TLS/SSL (HTTPS) encryption
  • Scan your website frequently for vulnerabilities
  • Start using a web application firewall

What to do when your application API or web app is attacked?

Here are 10 recommendations in case your application API or web application is hit:

  • Inform the application owner
  • Inform the security officers or the security incident response team (SIRT)
  • Remove the affected servers from the network
  • Try to replace the affected systems with backup or standby systems
  • Check all services for anomalies and their current operating status
  • Set up a task force to investigate the incident more closely
  • Involve additional IT security experts and consultants if possible
  • Carry out forensic data analysis
  • Evaluate the system and network logs
  • Once the vulnerability has been identified, eliminate it
