API gateways are increasingly used to help accelerate new ventures or transform existing businesses. However, the people and process components around them are not as mature, and as a result some organizations have had to deal with attackers targeting their API endpoints. Cequence Security has recently released a new product, API Sentinel, to help organizations monitor traffic through their API gateways and reduce the risk of data leakage or business logic abuse by identifying risky APIs.
API gateways are not enough to keep APIs secure
An API gateway is a management tool or cloud service that sits between front-end clients and backend services. The gateway takes in all API calls, aggregates the services needed to fulfill them, and then returns the results to the requestor. Think of it as the waiter in a restaurant who takes orders from customers, submits them to the kitchen, and delivers the food and drinks once they are prepared.
API gateways are designed to be simple to implement, scalable, and flexible enough to meet the needs of different applications. While API gateways come with features to protect against volumetric attacks and implement some form of user authentication, attackers can get around these controls by slowing their attacks to stay below volumetric thresholds and by authenticating with compromised credentials.
API Sentinel delivers added critical functionality
Like most cloud services, API gateways are designed to be used by security-minded enterprises and so come with some security features built in. The Amazon API Gateway has also been audited against several compliance frameworks, which helps speed the certification of applications that rely on it.
The Amazon API Gateway offers many of the security features available with other services on AWS, including:
- DDoS Protection from both layer 3 and layer 7 attacks
- Audit Trail to track API changes via AWS CloudTrail
- Role-based Access Control for creating and managing APIs
You can choose to implement rate limiting or additional user authentication to limit abuse, but APIs using these features are still susceptible to the slow, credential-based attacks described above. All of these tools and capabilities are user- and API-agnostic: they do not understand the specific API being protected or how its individual users normally behave.
Although API gateways are strong at managing APIs, they lack specification-conformance checking and threat-prevention functions. API Sentinel from Cequence Security provides the additional insights needed, including:
- Identifying APIs being targeted by known malicious networks
- Providing risk scores for APIs that may be easily compromised or may leak sensitive data
- Detecting anomalous activity that may indicate compromised credentials or tokens, or reconnaissance activity such as an enumeration attack
- Monitoring API endpoints for applications with regulatory requirements such as PCI or HIPAA
Tight integration with the API Gateways streamlines discovery
API Sentinel is designed to automatically enable and analyze Amazon CloudWatch logs for your Amazon API Gateway, ensuring all API transactions are monitored as new API endpoints are published and existing APIs are updated or changed over their application lifecycles. The integration is role-based: once the role is in place, users do not have to set up or manage data collection, which helps to ensure that no published API gets missed.
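To make concrete the gap between the gateway's volumetric controls and the behavioural detection described above (slow attacks that stay under rate limits, compromised tokens, enumeration), here is an added Python example. It is not Cequence's or AWS's code, and it does not show how API Sentinel itself works; it runs two behavioural checks over constructed access-log lines in a JSON layout loosely modelled on API Gateway access logging. The field names, thresholds and sample traffic are assumptions chosen for the demonstration. The rate-limit view never trips, while a client walking sequential account identifiers at two requests per minute and a token presented from five addresses within five minutes are both flagged.

```python
"""Behavioural checks over API Gateway-style access logs.

Added example, not Cequence or AWS code. Field names, thresholds and the
sample traffic are assumptions made for the demonstration only.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RATE_LIMIT_PER_MINUTE = 100      # assumed gateway throttle (the volumetric control)
ENUM_MIN_DISTINCT_IDS = 25       # distinct resource ids per client before we care
ENUM_MIN_NOT_FOUND_RATIO = 0.5   # share of 404s that marks a guessing pattern
SHARED_PRINCIPAL_MAX_IPS = 3     # more source IPs than this for one token is suspicious
SHARED_PRINCIPAL_WINDOW = timedelta(minutes=30)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # CLF-style timestamp, like requestTime


def _line(ts, ip, principal, method, path, status):
    """Build one constructed JSON access-log line (field layout is assumed)."""
    return json.dumps({"requestTime": ts.strftime(TIME_FORMAT), "ip": ip,
                       "principal": principal, "method": method,
                       "path": path, "status": status})


def build_sample_log():
    """Constructed traffic (not from any real deployment): one ordinary user,
    one low-and-slow enumerator, one token replayed from several addresses."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):    # ordinary user reading a few of their own orders
        lines.append(_line(t0 + timedelta(minutes=2 * i), "198.51.100.5", "user-17",
                           "GET", f"/orders/{500 + i % 3}", 200))
    for i in range(40):   # enumerator: one request every 30 s, sequential ids, mostly 404
        lines.append(_line(t0 + timedelta(seconds=30 * i), "203.0.113.9", "user-42",
                           "GET", f"/accounts/{1000 + i}", 200 if i % 10 == 0 else 404))
    for i in range(5):    # same token from five addresses within five minutes
        lines.append(_line(t0 + timedelta(minutes=i), f"203.0.113.{10 + i}", "svc-token-7",
                           "GET", "/orders/900", 200))
    return lines


def parse_lines(lines):
    """Parse JSON log lines and attach an aware datetime under 'ts'."""
    records = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["requestTime"], TIME_FORMAT)
        records.append(rec)
    return records


def peak_requests_per_minute(records):
    """What a pure rate limiter sees: each client's busiest single minute."""
    per_minute = defaultdict(int)
    for r in records:
        per_minute[(r["ip"], r["principal"], r["ts"].replace(second=0, microsecond=0))] += 1
    peak = defaultdict(int)
    for (ip, principal, _minute), n in per_minute.items():
        peak[(ip, principal)] = max(peak[(ip, principal)], n)
    return dict(peak)


def detect_enumeration(records):
    """Flag a client walking many distinct ids in one collection with mostly
    404s, no matter how slowly it does so."""
    stats = defaultdict(lambda: {"ids": set(), "total": 0, "not_found": 0})
    for r in records:
        parts = r["path"].strip("/").split("/")   # "/accounts/1000" -> ["accounts", "1000"]
        if len(parts) < 2:
            continue                                # no resource id in this path
        s = stats[(r["ip"], r["principal"], parts[0])]
        s["ids"].add(parts[-1])
        s["total"] += 1
        if r["status"] == 404:
            s["not_found"] += 1
    findings = []
    for (ip, principal, collection), s in stats.items():
        ratio = s["not_found"] / s["total"]
        if len(s["ids"]) >= ENUM_MIN_DISTINCT_IDS and ratio >= ENUM_MIN_NOT_FOUND_RATIO:
            findings.append({"ip": ip, "principal": principal, "collection": collection,
                             "distinct_ids": len(s["ids"]), "not_found_ratio": round(ratio, 2)})
    return findings


def detect_shared_principal(records):
    """Flag a principal (token) seen from many source IPs inside a short window,
    a common sign of a leaked or replayed credential."""
    first_seen = defaultdict(dict)      # principal -> ip -> first timestamp
    for r in records:
        first_seen[r["principal"]].setdefault(r["ip"], r["ts"])
    findings = []
    for principal, by_ip in first_seen.items():
        times = sorted(by_ip.values())
        if len(by_ip) > SHARED_PRINCIPAL_MAX_IPS and times[-1] - times[0] <= SHARED_PRINCIPAL_WINDOW:
            findings.append({"principal": principal, "distinct_ips": len(by_ip)})
    return findings


def analyze(lines):
    """Run the behavioural checks next to the volumetric view for comparison."""
    records = parse_lines(lines)
    peak = peak_requests_per_minute(records)
    return {"records": len(records), "peak_rpm": peak,
            "rate_limit_tripped": any(n >= RATE_LIMIT_PER_MINUTE for n in peak.values()),
            "enumeration": detect_enumeration(records),
            "shared_principals": detect_shared_principal(records)}


if __name__ == "__main__":
    report = analyze(build_sample_log())
    print("rate limit tripped:", report["rate_limit_tripped"])
    print("enumeration:", report["enumeration"])
    print("shared principals:", report["shared_principals"])
```

The point of keeping `peak_requests_per_minute` beside the two detectors is the comparison: the enumerator's busiest minute holds two requests, so no throttle keyed on request volume would notice it, while a check keyed on distinct identifiers and error ratio per client catches it in the same log data the gateway already emits.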
API visibility for everyone who needs it
API Sentinel provides much-needed runtime visibility to security and risk teams without requiring any intervention from the development teams.
Today, security teams and the teams leading the organization's digital transformation efforts (API COE, Application Modernization, Supply Chain Technology, Cloud Operations, etc.) benefit most from the visibility API Sentinel provides. Once it is deployed in a cloud or on-premises environment, they finally have a big-picture view of all APIs, API activity, and API risk across the organization. This actionable information helps guide conversations with development teams to improve the overall API security posture and reduce exposure on this increasingly targeted attack vector.
Want to get started?
Cequence Security is an Advanced Technology Partner and one of the founding members of the APN Global Startup Program, and API Sentinel was built to run on AWS from the start. If you'd like to try API Sentinel in your AWS environment, you can get started today with a 30-day free trial.