API Security Podcast: How APIs Enable Digital Transformation and Automated Attacks

October 18, 2019
API Security

It’s no secret that APIs are an invaluable tool for application developers who are tasked with doing more with less. In this Aite Radio Podcast, Alissa Knight and Shreyans Mehta, Co-founder and CTO of Cequence Security have a friendly chat about the value of APIs, the challenges of protecting them from automated attacks and the API security market in general. Listen here:

Driven by mobile device ubiquity and the move towards modular applications where APIs are used as the foundational elements of the application business logic, organizations are using APIs for many things, including to facilitate interoperation with other applications, reduce development time and extend functionality.

Biggest drivers in your decision to develop/consume APIs

Source: SmartBear State of the API, 2019 Report

Unfortunately, APIs are commonly used for automated attacks against public facing applications, as shown in the Prying-Eye vulnerability attackers. According to Gartner, by 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the UI, up from 40% in 20191. By targeting the API instead of scripting a form fill, a bad actor can leverage the same benefits of ease of use, efficiency and flexibility that APIs bring to the development community.

An example of an API-based attack against a financial services mobile application is shown in the image below. Bad actors decompiled the mobile application to (1) discover the account login APIs. An automated attack was then executed against the login API (2) and if successful the bad actors attempted to commit financial fraud by transferring funds (3) across the Open Funds Transfer (OFX) API.

API Attack

In the podcast, Alissa and Shreyans discuss how bad actors will deconstruct the mobile applications which are heavily reliant on APIs to then launch an automated attack. For example, a financial services customer was able to detect and block an account takeover attack that targeted the mobile application account login. The bad actor, if successful, would then try to transfer funds using the
OFX API.

Cequence was able to detect and block this ATO attack using our intelligence-based approach that allows Bot Defense to discover all application endpoints – API, web, mobile – protecting them from automated attacks. Our unique approach to detecting and preventing automated attacks eliminates application instrumentation and mobile SDK penalties that may result in application deployment delays, security gaps and user dissatisfaction. An added benefit is consistent protection against all manner of automated attacks – ATO, fake account creation, content scraping and more –  regardless of which application channel is being attacked.

Learn more:

1) Gartner, API Security: What You Need to Do to Protect Your APIs, August 2019

 

Tags

API Security

About the Author

Matt Keil

Matt Keil

Director of Product Marketing

Resources

Browse our library of datasheets, research reports, blogs, and archived webinars to learn more about our Application Security Platform.

27 March 2020

Bulletproof Proxies: The Evolving Cybercriminal Infrastructure

Read Now
29 March 2020

Zoosk: Preventing ATOs and Romance Fraud

Read Now

Subscribe to our blog