API Security - vendors look to develop NG-WAFs

API security is now a central concern for Web Application Firewalls (WAFs). For over a decade, WAFs have been a standard component of most web application deployments. A WAF typically sits inline, inspecting HTTP(S) traffic to and from the application and blocking requests that match known attack patterns such as SQL injection and cross-site scripting. These vulnerability classes have been cataloged in the OWASP Top 10 since 2003. 2017 marks the first year that API security appears in the OWASP Top 10, as "Underprotected APIs" (A10) in the 2017 Release Candidate 1.

Radware, a WAF solution provider, has published an article titled "Why there is no API security" that makes the following key points:
No single part of the application, nor any part of normal Internet filtering firewall defense, has enough visibility into the context to stop business exploits. Some examples of business logic exploits are:
  • Modification of authentication flags and privilege escalations
  • Business constraint exploitation/modification or business logic bypass to generate fraudulent transactions
  • Requested parameter modification
  • Developer's cookie tampering and business process/logic bypass
  • Exploiting client-side business routines embedded in JavaScript, Flash, or Silverlight
  • Identity or profile extraction
  • LDAP parameter identification and critical infrastructure access
Business logic attacks are not trivial in their consequences and are successful on even the largest organizations. A few of the large organizations that fell victim to business logic flaws are Facebook, Nokia, and Vimeo.
Radware's perspective shows that WAFs have to extend their worldview to cover API security. It is no longer just about protecting websites: with APIs becoming the connective tissue of portal, device, and cloud communications, enterprises are looking to Next Generation WAFs (NG-WAFs) for significant API awareness, that is, knowledge of each endpoint's expected methods, parameters, and identity context, together with the ability to mitigate API-borne threats that a pattern-matching rule set cannot see.
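To make Radware's point concrete, here is an added example that is not part of this post or of Radware's article. It contrasts a hypothetical signature-based WAF rule set with an API-aware policy that knows the endpoint's contract and the caller's identity, then runs both over constructed sample requests. The endpoint path, field names, signatures and sample traffic are all assumptions made for illustration, not any vendor's rules or a real capture.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# --- 1. A conventional signature-based WAF (hypothetical rule set) ---------
# Pattern rules of the kind a classic WAF applies to every request body.
SIGNATURES = [
    re.compile(r"(?i)\bunion\s+select\b"),          # SQL injection
    re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1"),    # SQL tautology
    re.compile(r"(?i)<script\b"),                   # reflected/stored XSS
    re.compile(r"\.\./"),                           # path traversal
]

def signature_waf_blocks(raw_body: str) -> bool:
    """True if any injection signature matches the raw request body."""
    return any(sig.search(raw_body) for sig in SIGNATURES)

# --- 2. An API-aware policy with business context --------------------------
@dataclass
class Request:
    method: str
    path: str
    subject: str               # user id bound to the verified session token
    body: Dict[str, object]

# Hypothetical endpoint contract: the only fields a client may set.
# Server-controlled attributes such as role/is_admin are deliberately absent.
PROFILE_FIELDS = {"display_name": str, "email": str}
PROFILE_PATH = re.compile(r"^/api/users/(?P<uid>[a-z0-9]+)/profile$")

def api_policy(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request to the profile endpoint."""
    m = PROFILE_PATH.match(req.path)
    if req.method != "PUT" or not m:
        return False, "unknown endpoint or method"
    # Ownership: the resource named in the URL must belong to the caller.
    if m.group("uid") != req.subject:
        return False, "subject does not own resource"
    # Authentication-flag / mass-assignment abuse: reject any field the
    # contract does not let a client set, before the app ever sees it.
    extra = sorted(set(req.body) - set(PROFILE_FIELDS))
    if extra:
        return False, f"unexpected fields: {extra}"
    for name, typ in PROFILE_FIELDS.items():
        if name in req.body and not isinstance(req.body[name], typ):
            return False, f"wrong type for {name}"
    return True, "ok"

# --- 3. Constructed sample traffic (not real captures) --------------------
SAMPLES = {
    "legit": Request("PUT", "/api/users/u123/profile", "u123",
                     {"display_name": "Alice", "email": "alice@example.com"}),
    # Authentication-flag modification: same endpoint, extra is_admin field.
    "priv_esc": Request("PUT", "/api/users/u123/profile", "u123",
                        {"display_name": "Alice", "is_admin": True}),
    # Parameter modification of the object id: edit another user's profile.
    "idor": Request("PUT", "/api/users/u999/profile", "u123",
                    {"display_name": "Mallory"}),
    # Classic injection, for contrast: the signature WAF does catch this.
    "sqli": Request("PUT", "/api/users/u123/profile", "u123",
                    {"display_name": "' OR 1=1 --"}),
}

def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """For each sample: (blocked by signature WAF, blocked by API policy)."""
    out = {}
    for name, req in SAMPLES.items():
        raw = json.dumps(req.body)
        out[name] = (signature_waf_blocks(raw), not api_policy(req)[0])
    return out

if __name__ == "__main__":
    for name, (sig, api) in evaluate().items():
        print(f"{name:9s} signature-WAF blocked={sig!s:5s} "
              f"api-policy blocked={api}")
```

Run stand-alone, the two business logic cases (privilege escalation via an extra `is_admin` field, and editing another user's resource) pass the signature WAF untouched, because nothing in the body looks like an injection, and are only stopped by the policy that understands the endpoint's contract and the caller's identity. The injection sample shows the reverse: the API policy accepts it as a well-typed string, so the two layers are complementary rather than interchangeable.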


More Stories By Mamoon Yunus

Mamoon Yunus is an industry-honored CEO and visionary in Web Services-based technologies. As the founder of Forum Systems, he pioneered XML Security Gateways and Firewalls and was granted a patent for XML Gateway Appliances. He has spearheaded Forum's direction and strategy for eight generations of award-winning XML Security products. Prior to Forum Systems, Yunus was a Global Systems Engineer for webMethods (Nasdaq: WEBM), where he developed XML-based business integration and architecture plans for Global 2000 companies such as GE, Pepsi, Siemens, and Mass Mutual. He has held various high-level executive positions at Informix (acquired by IBM) and Cambridge Technology Group.

He holds two Graduate Degrees in Engineering from MIT and a BSME from Georgia Institute of Technology. InfoWorld recognized Yunus as one of four "Up and coming CTOs to watch in 2004." He is a sought-after speaker at industry conferences such as RSA, Gartner, Web Services Edge, CSI, Network Interop, and Microsoft TechEd. Yunus has the distinction of showcasing Forum Systems' entrepreneurial leadership as a case study at the MIT Sloan School of Management. He has also been featured on CNBC as Terry Bradshaw's "Pick of the Week."