Application programming interfaces (APIs) have become a role that can’t be ignored in digital transformation, whether in application modernization or agile business strategies. At the application development stage, APIs are standard service interfaces. When it comes to interfacing with third-party services, APIs are a common choice. In the microservice architecture, APIs are an integral part of enabling the communication between microservices. In the future, as more and more enterprises will turn to agile strategies for business development, they will devote more energy to business rather than basic capacity building. This trend will inevitably give rise to changes in R&D systems and commercial models. These enterprises will develop and launch more APIs to enable their systems internally and externally, and at the same time purchase more third-party solutions with more granular capabilities. Being ubiquitous in the future, APIs will become the next core protection object in the field of application security along with web applications.
API security mainly consists of three parts: API discovery, access control, and threat mitigation. To discover APIs, we have to understand the related design, coding, and overall network deployment. Besides, we should be equipped with active and passive identification capabilities. As this is a long story that cannot be clearly conveyed in a short article, we will elaborate on it in a new blog post. This article focuses on access control and threat mitigation, presenting our ideas and solutions around them in our efforts to develop a next-generation web application protection system.
The vulnerability of APIs aggravates the risk of cyberattacks and makes business risks more difficult to control.
APIs are stateless and visible to requested resources. They can be used to modify or delete server-side resources. Besides, information returned by servers via APIs is detailed enough to expand the exposure of resources. All these make APIs an easy prey to attackers, which explains why the number of API attacks is growing exponentially. In this context, enterprises have to address the following issues:
1. Driven by business innovation, how can enterprises accelerate service launches while ensuring the security of these services?
2. How can they determine which of the normal requests not blocked by a web application firewall (WAF) are routine service requests and which are malicious calls?
3. How can they avoid data breaches? The leakage of user accounts, mobile numbers, passwords, transaction records, and other sensitive information will cause a direct negative social impact and put enterprises at risk of violating regulatory requirements
4. How do they identify malicious access requests to avoid malicious events such as promotion abuse and bulk registration of accounts?
5. How do they sort out the existing API assets? How do they verify the privileges of clients calling APIs and check whether there are hosts compromised because of horizontal/vertical privilege escalation?
6. How do they manage service APIs to prevent obsolete and internal APIs from being discovered and exploited by attackers?
7. Internal APIs are frequently called by each other, increasing the risk of internal environments being exposed. In this context, how can enterprises protect their internal environments from being attacked and, once under attack, how can they contain the attack scope to avoid the serious consequence of one host being used as the stepping stone to compromise the whole network?
To solve the preceding problems, the first and foremost thing is to take APIs as a new protection object, rather than just interfaces used by websites.
More objects to protect, attacks enabled by tools, malicious behaviors potentially becoming legitimate, a shift of focus from vulnerability exploitation to resource abuse and broken access control, more and more APIs not under management … All these require an upgrade of the security architecture. Specifically, we need to add API identification and protection capabilities as well as the bot management capability to WAF. Besides, WAF should provide interfaces for convenient and automatic import and upload of API protection objects to cover more use scenarios.
This objective can be achieved only through a two-pronged approach: technical level (protection capability) and business level (adaptability).
At the technical level:
The threats we face mainly include web exploits, resource abuse, and resource access controls. To protect against them, we should have WAF, API discovery, API access control, API threat protection, bot protection, and bot analysis capabilities.
APIs are the cornerstone of services. Sorting out assets, classifying sensitive data, and checking the compliance status around APIs can help customers exercise effective access controls. Resource call controlling, in combination with bot detection, can effectively avoid resource abuse. On the other hand, threat detection and permission controls can complement exploit protection to provide business logic protection, helping customers accurately assess business risks and properly harden business security.
Identifying bots, identifying malicious bots, and further identifying sophisticated bots that are good at disguising themselves are the first set of actions to take in the protection against bots. The intent of bots should be analyzed based on their behaviors so that the risks the business is exposed to can be properly assessed and alerted. Attribution and clustering analysis of bots are useful in two aspects: (1) helping customers effectively identify issues and promptly adjust security policies and harden business security accordingly; (2) helping customers discover bots and their variants in advance based on bot-related intelligence produced and shared.
At the level of business environment adaptation:
1. Underlying environment: flexible connection required to adapt to different business components in customer scenarios
2. Cloudification: centralized control of on-premises, cloud-delivered, and multicloud-delivered businesses
3. Business development: lightweight adaptation to cloud-native advanced technologies and microservices
4. Exposure: continuous registration of all outbound API traffic on threat protection devices
In response to changes in protection objects, protection scenarios, and protection capabilities, NSFOCUS launched the next-generation web security solution.
In 2021, Gartner defined web application and API protection (WAAP) as the evolution of the web application firewall (WAF) market, expanding WAF capabilities to four core features: WAF, DDoS protection, bot management, and API protection.1
NSFOCUS’s next-generation web protection solution extends WAF capabilities against vulnerability exploitation, which is the most common issue threatening API security, to include Anti-DDoS, bot traffic management, and API protection capabilities, protecting users’ web applications and APIs.
Horizontally, the solution covers more scenarios, resolving external and internal problems for customers. On the one hand, it addresses such issues as use of seemingly legal identities to take over accounts, scalping, and promotion abuse, which could cause sensitive data leaks and high service load, dealing a double blow to customers’ finance and reputation. On the other hand, it helps customers sort out API assets and arrange them by category, in an effort to resolve API privilege escalation and abuse in addition to compliance based on API types, behaviors, permissions, and context logic.
Vertically, we dig deep into the related technology to identify new problems and keep up with the latest trends, thus remaining forward-looking.
NSFOCUS’s WAAP product excels in four dimensions:
Dimension 1: focus on core capabilities
1. Bot protection: accurately identifies bot traffic and reduces noisy data, reduces website vulnerabilities/exposures and business attack risks, anatomizes attackers’ intents, backtracks attack paths and sources, and identifies and alerts business risks, thus significantly cutting down customers’ O&M costs while ensuring business security.
Forrester, an authoritative international research company, surveyed global security vendors in terms of the technical level, market share, and other aspects of bot management products. As a representative vendor, NSFOCUS was listed in the report Now Tech: Bot Management, Q4 2021.2
2. API protection: adopts active and passive approaches to assist customers in sorting out API assets and uses automatically generated API baselines and imported OAS files for API compliance checking. It parses traffic of various protocols to filter out attack traffic and analyzes malicious bot behaviors to ensure normal access of legitimate users, deny access of illegitimate users, curb unauthorized access, block malicious exploits, and avoid sensitive data leakage.
Likewise, as a pioneer in the industry, NSFOCUS was included again in a Forrester report Now Tech: Web Application Firewalls, Q2 2022 as a representative vendor.3
Dimension 2: multiple product forms to adapt to different environments at different stages
1. Support for both hardware and virtual products: multiple cluster solutions to suit different deployment environments, including connecting to F5 as a reverse proxy without changing the source IP address, being deployed as a plug-in, interworking with Nginx without changing the network topology, and centralized traffic orchestration, to ensure high stability and high availability of services.
2. Virtual WAF: can connect to 14 types of cloud platforms, depending on the cloudification phase, to ensure the security of services in clouds.
3. Cloud-native WAF: adapts security capabilities to cloud-native architecture and works for microservice scenarios. Besides containerized WAF that can adapt to K8S and Ingress controller deployment, the product provides an advanced option of cloud-native WAF for the Envoy service mesh, which is lightweight and protects microservices imperceptibly, addressing the east-west protection needs in thousands of container O&M management scenarios.
4. Componentization of product capabilities: In order to provide comprehensive protection, traditionally, the security devices are deployed in in-path mode. As traffic needs to go through all these devices one by one for analysis, each node becomes a single point of failure and security capabilities are loaded repeatedly at the datacom layer, prolonging the overall delay. Our solution features componentization of security engines, decoupling the datacom layer from the security protection layer. After a component analyzes traffic, whether other components are loaded for further analysis depends on the actual need. This way, dynamic scheduling of security capabilities is achieved, providing lightweight and flexible protection capabilities while ensuring high stability of services.
Dimension 3: coordinated defenses step by step
1. On-demand capability combination: The anti-DDoS system (ADS) identifies DDoS attacks and scrubs volumetric traffic. WAF blocks exploits targeting URLs and APIs, filtering out “bad” traffic. The bot management gateway (BMG) identifies automatic tools, checks client environments, and filters out “gray” traffic. The API gateway checks for privilege escalation and generates a service graph to identify “good” traffic.
Security capabilities can also be flexibly combined based on the protection priority to form scenario-specific solutions, protecting web applications, mobile applications, and APIs from different kinds of attacks.
2. Collaboration: If a component finds identities previously authenticated by the API gateway launch attacks, it notifies the API gateway, which will then block such identities.
3. Shift-left security: receives scanning results of code and applications and provides smart patches of various levels to fix the discovered vulnerabilities, hardening code in sync with rapid service launches.
Dimension 4: dual support for device-side WAAP capabilities and platform-side WAAP services
Centralized management of device-side capabilities: lightweight deployment with Docker, having no underlying dependency; dynamic loading of security components to meet real-time needs of the ever-changing service traffic; centralized traffic orchestration on the device side and personified security configuration interface (one point of entry for configuration of all capabilities).
Multidimensional display of platform-side services: centralized control of multiple devices to simplify O&M; all-round asset risk assessment for customers; aggregation of device-side data and association analysis of attacks before creating comprehensive attack profiles.
Application of NSFOCUS’s next-generation web security solution in customer scenarios
Enterprises’ risks and priorities vary with the business development stage, organization size, industry characteristics, and where their services are delivered. For effective protection, NSFOCUS’s WAAP product can be a good choice, which is available in different forms, allowing flexible combination of suitable capabilities.
Following are examples of different combinations for three scenarios:
Compliance is the priority. In addition to protection against exploits, the customer has to mitigate the risks of data crawling, malicious scanning, and malicious registration.
Solution: Deploy a WAF model that integrates web security, bot management, and API security, or upgrade the current WAF to include bot management and API security modules, providing fast and comprehensive security capabilities.
The customer has diverse business scenarios, such as e-commerce enterprises, hospitals, and the State Grid. The business is vulnerable to promotion abuse, inventory occupancy, malicious bidding, data breach, account takeover, and scalping.
Solution: If a WAF is already deployed, the customer can purchase BMG that provides more specific bot management to protect not only applications but also services.
Cloud-native environment Traffic rises sharply during holidays. Both north-south and east-west traffic needs to be protected. Protection products are expected to be closer to the business side, not just at the gateway, deployed in cluster mode and under uniform O&M, to control risks in a centralized manner.
Solution: Package device-side and platform-side WAAP capabilities in one solution, to provide cloud-native security components for each type of service, load security capabilities delivered by smallest-granularity security components dynamically according to changes in service traffic, and provide a unified visual interface for O&M management and business risk management.
With the development of APIs and online services, NSFOCUS will continue to improve its defense capabilities against OWASP top 10, OWASP API security top 10, and OWASP automated threats, providing solid protection for online digitalized services.
1 Magic Quadrant for Web Application and API Protection, September 20, 2021.
2 Now Tech:Bot Management, Q4 2021.
3 Now Tech:Web Application Firewalls,Q2 2022.