- Lack of awareness and documentation of public and private API endpoints.
- As companies move towards API-first development, new API endpoints keep getting created and old ones become obsolete, often without the administrator knowing. With little or no information about these endpoints, administrators find it difficult to configure or reconfigure web servers according to security best practices, which leaves security gaps in the system.
- Use of internal APIs
- Barracuda research has revealed that more than 25% of APIs are designed as internal-only APIs. These internal APIs are often developed with significantly less focus on security. In many cases development teams consider them “hidden” behind the web application, and application owners are not aware when these internal APIs become reachable from the outside world. The result is large security holes and a growing attack surface, particularly if the applications are accessible over the internet or lack access controls that prevent lateral movement by a threat actor.
- Identifying Shadow or Zombie APIs
- Several APIs are created for testing purposes and then left behind, unknowingly and without any security in place. Following traffic trails to such APIs is almost impossible because very little traffic reaches them. Furthermore, it is common for application developers and administrators to miss minor changes, so security rules are not always up to date. Barracuda research found that close to 37% of respondents admitted to lacking an understanding of API standards. If attackers can identify these endpoints, as they did with Optus, they can exploit the API, damage the application server and breach user data.
- Identifying all available API endpoints and structures
- Without live traffic analysis, it is easy to miss API endpoints exposed by the server, as well as the structure of the individual parameters each API expects. Without complete knowledge of both, nobody can be confident about the security needs of each endpoint and parameter, which leads to insufficient security configuration.
- Most attacked APIs / Parameters
- Some APIs, such as login APIs, are attacked more than others. Similarly, username and password fields are typically more prone to injection attacks than other parameters. But without exact information about all the fields, the expected number of parameters, their value formats and so on, it is a big challenge for administrators to deploy APIs safely against possible exploits.
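As an added illustration (not Barracuda's code and not a description of how its API Discovery is implemented), the following Python sketch shows the kind of traffic-derived inventory the list items above call for: it normalises request paths into endpoints, learns the value format of each parameter from observed traffic, flags endpoints seen in traffic but absent from the documented inventory (shadow or zombie candidates), and ranks endpoints by rejected requests as a crude "most attacked" signal. The request records, the documented endpoint list and the value classes are all constructed for the example.

```python
import json
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl

# Constructed sample of per-request records, in the shape a reverse proxy or WAF
# might log them (one JSON object per line). Paths and values are invented.
SAMPLE_LOG = """
{"method": "POST", "path": "/api/v1/login", "query": "", "body": {"username": "alice@example.com", "password": "hunter2"}, "status": 200}
{"method": "POST", "path": "/api/v1/login", "query": "", "body": {"username": "alice@example.com", "password": "x"}, "status": 401}
{"method": "POST", "path": "/api/v1/login", "query": "", "body": {"username": "' OR 1=1--", "password": "x"}, "status": 401}
{"method": "GET", "path": "/api/v1/users/1042", "query": "fields=name", "body": null, "status": 200}
{"method": "GET", "path": "/api/v1/users/1043", "query": "fields=name,email", "body": null, "status": 403}
{"method": "GET", "path": "/api/v1/orders/6f1c0c2e-9d1c-4c6a-8d36-2b1b9a1f0a11", "query": "", "body": null, "status": 200}
{"method": "GET", "path": "/internal/debug/dump", "query": "", "body": null, "status": 200}
{"method": "POST", "path": "/api/v0/register_test", "query": "", "body": {"email": "bob@example.com", "age": 31, "tos": true}, "status": 201}
"""

# Constructed "documentation": the endpoints the application owner believes exist.
DOCUMENTED = {
    "POST /api/v1/login",
    "GET /api/v1/users/{id}",
    "GET /api/v1/orders/{id}",
}

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_path(path):
    """Collapse identifiers so /users/1042 and /users/1043 map to one endpoint."""
    return "/".join("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg
                    for seg in path.split("/"))


def infer_type(value):
    """Coarse value-format class; the classes themselves are an assumption of this example."""
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return "bool"
    if isinstance(value, int):
        return "int"
    if isinstance(value, str):
        if value.isdigit():
            return "int"
        if EMAIL_RE.match(value):
            return "email"
        if UUID_RE.match(value):
            return "uuid"
        if re.fullmatch(r"[\w.,\-]+", value):
            return "token"
        return "free_text"                # quotes, spaces, operators: the injection-prone class
    return type(value).__name__


def discover(log_text):
    """Build an endpoint inventory: request count, per-parameter value classes, status mix."""
    inventory = {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        key = f"{rec['method']} {normalize_path(rec['path'])}"
        entry = inventory.setdefault(
            key, {"count": 0, "params": defaultdict(Counter), "statuses": Counter()})
        entry["count"] += 1
        entry["statuses"][rec["status"]] += 1
        params = dict(parse_qsl(rec.get("query") or ""))
        params.update(rec.get("body") or {})
        for name, value in params.items():
            entry["params"][name][infer_type(value)] += 1
    return inventory


def shadow_endpoints(inventory, documented):
    """Endpoints seen in traffic that nobody documented: shadow/zombie API candidates."""
    return sorted(set(inventory) - documented)


def most_attacked(inventory):
    """Rank endpoints by rejected requests (401/403), a crude signal that they are being probed."""
    ranked = [(ep, e["statuses"][401] + e["statuses"][403]) for ep, e in inventory.items()]
    return [ep for ep, n in sorted(ranked, key=lambda kv: -kv[1]) if n > 0]


def anomalous_params(inventory):
    """Parameters whose values fall into more than one class, e.g. an email field that also
    received free text: exactly the inputs a learned per-parameter schema would reject."""
    return [(ep, name, dict(classes))
            for ep, e in inventory.items()
            for name, classes in e["params"].items() if len(classes) > 1]


if __name__ == "__main__":
    inv = discover(SAMPLE_LOG)
    print("undocumented endpoints:", shadow_endpoints(inv, DOCUMENTED))
    print("most attacked:", most_attacked(inv))
    print("mixed-format parameters:", anomalous_params(inv))
```

On the constructed records this reports `/internal/debug/dump` and `/api/v0/register_test` as undocumented, puts the login endpoint at the top of the attacked list, and shows the login `username` field receiving both email-shaped and free-text values, which is the information an administrator needs to write a per-parameter rule rather than a blanket one.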
The threats posed by the upsurge in APIs increase the workload for IT teams. Alongside this growth in APIs, companies face increasingly sophisticated cyberattacks across other threat vectors and a shortage in the cybersecurity workforce. This makes it difficult and expensive for companies to fully staff internal IT teams and keep the company secure.
Barracuda WAF API discovery
Barracuda’s Machine Learning-powered API Discovery analyses all traffic arriving at your application, filters out the API traffic, and uses it to identify the API endpoints. Once the endpoints are identified, it learns the structure of the keys and values each API expects. Barracuda Application Protection then auto-configures security settings so that your APIs are protected against the latest threats. API owners and administrators can preview and fine-tune these configurations as desired.
Barracuda Application Protection further leverages machine learning (ML) to continuously learn and secure your application environment. The Auto Configuration Engine is a Barracuda Active Threat Intelligence service that reviews all your application traffic from connected units and provides application-specific configuration recommendations. This helps you close Web Application and API-related security gaps while reducing the IT overhead assigned to application protection.