API Security

Q&A: Mitigating the risks of API-based app development


API attacks are very much on the rise these days, with cybercriminals turning to this type of attack more and more often. That’s why API protection is a critical part of application security, and unfortunately, it’s something that many organizations overlook.

Tim Jefferson is Barracuda’s Senior Vice President for Engineering and Data Protection Product Management. We sat down with him to ask a few questions about the state of API-based application security and the recent launch of Barracuda Cloud Application Protection 2.0.

Q&A with Barracuda SVP Tim Jefferson

How do API attacks work, and why are cybercriminals increasingly relying on them?

It has a lot to do with how modern applications are developed and deployed. In the past, we were all deploying web applications. And the thing about web applications is that the user is never directly in contact with the application because those interactions are all mediated via a web browser.

Now we’re largely moving to API-based applications. There are lots of good reasons for that. API-based applications are faster and easier to develop and deploy. They can deliver a better user experience, especially on mobile devices, and businesses can use them to gather a richer set of data about user behavior.

But these new applications contain all their own business logic. They request data from backend servers via API and then perform the business logic on the client device where they’re installed—unlike traditional web applications that keep their business logic on the server side and only communicate with the browser. This means that the business logic in API-based applications is exposed directly to the public.

So, if the API is not properly protected, criminals can intercept the API traffic, identify the backend server, scan it for vulnerabilities, penetrate it, and pull out any sensitive or private data that may be stored there. And there are a lot of APIs out there that are not adequately secured.


The Open Web Application Security Project has begun publishing a top-ten list of API threats. What threat types are on the list, and why is it significant that OWASP decided to publish this list?

Well, as you know, OWASP is a highly trusted authority on trending application-layer threats and their impacts. The OWASP Top Ten list of application threats has long been a critical resource for security providers and application developers. So, the fact that they’ve created a new top-ten list to highlight API threats is a clear indication that these threats are significant and that everyone needs to take them seriously.

Now, when we drill into the specifics of what’s on the list, what I find both fascinating and dismaying is the way that we seem to be repeating some of the mistakes that were made when web applications were emerging as a dominant paradigm.

With web applications, the imperative to develop and deploy apps as fast as possible meant a lot of them were going into production without a proper security review, leaving them vulnerable to attackers. Over time, developers learned how to practice good security hygiene before putting apps into production. But now that API-first development is taking over, we see the same pattern repeating itself, resulting in many of the same, or very similar, vulnerabilities being exposed.

So, when you look at the OWASP API Security Top Ten, it actually looks a lot like their web app list from a few years back. Companies are exposing APIs with no rate-limiting, no access control and authorization, no role-based controls. They’re even exposing testing APIs with production data on the public internet without any protections. All this means that attackers don’t even need to develop new strategies to exploit these vulnerabilities. They can simply adapt the same attacks that used to work on web apps.

From a security provider’s standpoint, then, it is a little dismaying that we apparently have to follow the same learning curve again that we did with web apps.
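The two missing controls named in the answer above, object-level authorization and rate limiting, shown side by side as an added example. This is not code from the interview or from Barracuda; the record store, the session tokens and the `/api/users/<id>` route are constructed for illustration, and the handler is a plain function rather than a real web framework so it runs offline.

```python
"""Unprotected API handler beside a hardened one.

handle_unprotected(): returns any record to any caller (no authentication,
no object-level authorization, no rate limit) - the pattern criticised above.
ProtectedApi.handle(): authenticates the bearer token, rate-limits per
principal with a token bucket, then checks that the record belongs to the caller.
"""
import time
from dataclasses import dataclass, field

# Constructed sample data: back-end records keyed by numeric id.
RECORDS = {
    1: {"owner": "alice", "email": "alice@example.com", "ssn_last4": "1234"},
    2: {"owner": "bob", "email": "bob@example.com", "ssn_last4": "5678"},
}

# Constructed sample sessions: bearer token -> authenticated principal.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    path: str                                   # e.g. "/api/users/2"
    headers: dict = field(default_factory=dict)
    client_ip: str = "203.0.113.10"             # documentation-range address


def _record_id(path):
    """Parse '/api/users/<id>'; return None for any other path."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[:2] == ["api", "users"] and parts[2].isdigit():
        return int(parts[2])
    return None


def handle_unprotected(req):
    """Any caller can read any record: no auth, no ownership check, no limit."""
    rid = _record_id(req.path)
    if rid is None or rid not in RECORDS:
        return 404, {"error": "not found"}
    return 200, RECORDS[rid]    # the id in the URL is trusted as-is


class TokenBucket:
    """Per-key token bucket: `capacity` requests, refilled at `rate`/second.

    `clock` is injectable so behaviour can be tested without sleeping.
    """

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._state = {}            # key -> (tokens, last_refill_timestamp)

    def allow(self, key):
        now = self.clock()
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[key] = (tokens, now)
            return False
        self._state[key] = (tokens - 1, now)
        return True


class ProtectedApi:
    def __init__(self, limiter):
        self.limiter = limiter

    def handle(self, req):
        # 1. Authenticate: map the bearer token to a principal, else 401.
        auth = req.headers.get("Authorization", "")
        token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
        user = SESSIONS.get(token)
        if user is None:
            return 401, {"error": "unauthenticated"}
        # 2. Rate-limit per authenticated principal (IP is the fallback key
        #    for unauthenticated traffic, not shown here).
        if not self.limiter.allow(user):
            return 429, {"error": "rate limited"}
        # 3. Object-level authorization: the record must belong to the caller.
        #    A foreign record is reported as 404, not 403, so the response
        #    does not confirm which ids exist.
        rid = _record_id(req.path)
        if rid is None or rid not in RECORDS or RECORDS[rid]["owner"] != user:
            return 404, {"error": "not found"}
        return 200, RECORDS[rid]


if __name__ == "__main__":
    api = ProtectedApi(TokenBucket(capacity=3, rate=1.0))
    alice = {"Authorization": "Bearer tok-alice"}
    print("unprotected, bob's record:", handle_unprotected(Request("/api/users/2")))
    print("protected, alice reads bob:", api.handle(Request("/api/users/2", alice)))
    print("protected, alice reads self:", api.handle(Request("/api/users/1", alice)))
```

The rate-limit check deliberately runs before the ownership check so that an attacker who is enumerating ids with a valid low-privilege token burns their budget on every attempt, including the ones that would fail authorization anyway.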

Barracuda recently released its 2021 State of Application Security report, based on a survey of global IT professionals. What are some of the key findings in that report regarding API security?

First of all, roughly 70% of all respondents reported that they had deployed public-facing APIs, though it’s worth noting that public-sector organizations mostly reported only using internal-facing APIs.

The top concern that respondents had about APIs was security—showing that people are aware of the risks of adopting API-based development. But the second biggest concern was a lack of knowledge about where they had APIs deployed—and that is frankly alarming, since it indicates they have indeed been deploying APIs without carefully considering the risks or doing any close oversight. If your company’s private API is exposed publicly without proper protection and you don’t even know that it’s exposed? That’s a recipe for disaster. Hackers can easily write a bot that farms APIs and scrapes your sensitive data without your knowledge.


Barracuda has announced the launch of Cloud Application Protection 2.0. How does it secure APIs to mitigate these threats?

Barracuda Cloud Application Protection is a platform that brings together everything we know about keeping applications secure and optimizing their performance. It is Barracuda’s platform for Web Application and API Protection (WAAP). At its core is our best-of-breed, cloud-delivered web application firewall service, Barracuda WAF-as-a-Service, and then it wraps that WAF solution with additional capabilities that address specific issues. So, we add a threat-intelligence component, DDoS protection, advanced bot protection, client-side protection, identity and access control, and API protection.

For API protection in particular, the solution monitors API traffic to spot and block a wide variety of attack vectors. It also includes an API-discovery component that gives you clear visibility into all your APIs and ensures that appropriate controls are extended to secure them. And it optimizes API performance by enforcing SLAs with rate-limiting, caching, compression, content routing, and tarpitting for violators.

Going forward, as new threats to API-based apps emerge—which they definitely will—Barracuda will update and supplement these WAAP capabilities in order to keep APIs secure and ensure that organizations can leverage all the benefits of API-based development without exposing themselves to risk.

To get more info about Barracuda Cloud Application Protection, please visit our website
