Preventing API Abuse

APIs bring the same ease of use and flexibility to the attacker community that they bring to developers, allowing attackers to easily execute account takeovers, credential stuffing, fake account creation or content scraping. Navigating the API security landscape can be confusing; the critical capabilities are visibility, protection from automated attacks and protection from vulnerability exploits.

API Abuse - 90% of web-enabled apps will have more surface area for attack

API Abuse and Financial Fraud

In one example of an API-based attack against a financial services mobile application, bad actors decompiled the mobile application to (1) discover the account login APIs. An automated attack was then executed against the login API (2), and where it succeeded the bad actors attempted to commit financial fraud by transferring funds (3) across the Open Funds Transfer (OFX) API.


Enumeration and Snooping Attack

Automation allows a bad actor to launch enumeration attacks directly against the application APIs, as shown in the Prying-Eye vulnerability, where a bot cycles through (enumerates) numeric meeting IDs and discovers the valid ones. If the common user practice of disabling security functionality is followed, the bad actor is then able to view or listen to an active meeting. Other examples are using automation to discover valid gift card or shipping confirmation numbers.
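The two attack examples above (an automated attack against a login API, and a bot enumerating numeric meeting IDs) leave characteristic traces in API access logs. The following detector is an added example, not code from this page or from Cequence; it runs two simple heuristics over constructed JSON Lines log records. The log format (fields src, path, status, user) and the endpoint paths /api/meetings/<id> and /api/login are assumptions made for the example, as are the thresholds.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log in JSON Lines form (not real traffic). Fields are
# assumed: src (client address), path, status, user (login requests only).
# 10.0.0.5 walks consecutive meeting IDs, 10.0.0.9 sprays usernames at the
# login API, and 198.51.100.7 behaves like an ordinary user.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "path": "/api/meetings/100001", "status": 404, "user": null}
{"src": "10.0.0.5", "path": "/api/meetings/100002", "status": 404, "user": null}
{"src": "10.0.0.5", "path": "/api/meetings/100003", "status": 404, "user": null}
{"src": "10.0.0.5", "path": "/api/meetings/100004", "status": 200, "user": null}
{"src": "10.0.0.5", "path": "/api/meetings/100005", "status": 404, "user": null}
{"src": "10.0.0.5", "path": "/api/meetings/100006", "status": 404, "user": null}
{"src": "10.0.0.5", "path": "/api/meetings/100007", "status": 404, "user": null}
{"src": "10.0.0.5", "path": "/api/meetings/100008", "status": 404, "user": null}
{"src": "10.0.0.9", "path": "/api/login", "status": 401, "user": "alice"}
{"src": "10.0.0.9", "path": "/api/login", "status": 401, "user": "bob"}
{"src": "10.0.0.9", "path": "/api/login", "status": 401, "user": "carol"}
{"src": "10.0.0.9", "path": "/api/login", "status": 401, "user": "dave"}
{"src": "10.0.0.9", "path": "/api/login", "status": 401, "user": "erin"}
{"src": "10.0.0.9", "path": "/api/login", "status": 401, "user": "frank"}
{"src": "198.51.100.7", "path": "/api/login", "status": 200, "user": "grace"}
{"src": "198.51.100.7", "path": "/api/meetings/100004", "status": 200, "user": null}
{"src": "198.51.100.7", "path": "/api/meetings/100123", "status": 200, "user": null}
"""

MEETING_PATH = re.compile(r"^/api/meetings/(\d+)$")  # assumed endpoint shape
LOGIN_PATH = "/api/login"                             # assumed endpoint


@dataclass
class ClientStats:
    """Per-source counters that feed the two heuristics below."""
    meeting_requests: int = 0
    meeting_not_found: int = 0
    meeting_ids: set = field(default_factory=set)
    login_attempts: int = 0
    login_failures: int = 0
    login_users: set = field(default_factory=set)


def parse_log(text):
    """Parse JSON Lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def aggregate(events):
    """Fold events into per-source ClientStats."""
    stats = defaultdict(ClientStats)
    for ev in events:
        s = stats[ev["src"]]
        m = MEETING_PATH.match(ev["path"])
        if m:
            s.meeting_requests += 1
            s.meeting_ids.add(int(m.group(1)))
            if ev["status"] == 404:
                s.meeting_not_found += 1
        elif ev["path"] == LOGIN_PATH:
            s.login_attempts += 1
            s.login_users.add(ev["user"])
            if ev["status"] == 401:
                s.login_failures += 1
    return stats


def is_sequential(ids, min_run=5):
    """True if ids contain at least min_run consecutive integers, the
    signature of a client cycling through an ID space."""
    ordered = sorted(ids)
    run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= min_run:
            return True
    return False


def classify(stats, min_requests=5, not_found_ratio=0.6, failure_ratio=0.8):
    """Return {src: [reasons]}; an empty list means no automation signal."""
    verdicts = {}
    for src, s in stats.items():
        reasons = []
        # Enumeration: many lookups, mostly misses, walking consecutive IDs.
        if (s.meeting_requests >= min_requests
                and s.meeting_not_found / s.meeting_requests >= not_found_ratio
                and is_sequential(s.meeting_ids)):
            reasons.append("enumeration")
        # Credential stuffing: many distinct usernames from one source, mostly failing.
        if (s.login_attempts >= min_requests
                and len(s.login_users) >= min_requests
                and s.login_failures / s.login_attempts >= failure_ratio):
            reasons.append("credential_stuffing")
        verdicts[src] = reasons
    return verdicts


def run(log_text=SAMPLE_LOG):
    """Parse, aggregate and classify one log; returns the per-source verdicts."""
    return classify(aggregate(parse_log(log_text)))


if __name__ == "__main__":
    for src, reasons in run().items():
        print(src, reasons or "ok")
```

The thresholds are illustrative. In a real deployment the counters would be kept over a sliding time window, and keying on source address alone is weak because automated attacks are routinely spread across proxy infrastructure, so a production detector would also look at per-account, per-token and behavioural signals.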


Alternative Approaches to API Security

Researching API security can be confusing: there are four distinct solution groups, each addressing specific challenges.

  • API Gateways: Do not provide continuous monitoring and policy control for protection from automated attacks.
  • WAFs: Lack native API understanding, focus primarily on vulnerability checks and lack automated attack protection.
  • Traffic Management: Service mesh and ingress controllers lack visibility and policy protection for security teams.
  • API Security Specialist Products: Tactical in nature, not comprehensive in breadth or depth.

In many cases, customers will use multiple offerings from the mix of API security providers.


API Security Differentiators

An agentless, ML-based approach helps you decrease your API attack surface and quickly prevent automated bot attacks and API abuse.

Automatically Discover Patterns of Misuse and Fraud

CQAI and Bot Defense automatically discover API-based endpoints for web and mobile applications, building an intuitive site map for visibility and policy-based protection. By contrast, JavaScript and mobile SDK-based instrumentation cannot be implemented consistently on APIs, leaving security gaps.

Open, Extensible Platform

Using more than 150 customizable automation indicators, CQAI determines the malicious or benign intent of each API transaction request. The REST API can be used to export CQAI findings to external systems for archiving, additional analysis or an alternative response.

Customizable Detection and Response

Using over 150 customizable automation indicators, CQAI determines the intent of each transaction request. Customizable mitigation policies provide multiple response options (block, rate limit, geo fence, deception). Deception sends a custom response to the attacker to prevent attack retooling.

New APIs Protected Automatically, Delays Eliminated

As new APIs and public-facing applications are deployed, they are automatically discovered and protected, effectively baking security into your application deployment workflow.

Consistent Protections for Web Apps and APIs

Bot Defense uses a single, consistent security policy to protect your API and web applications so you can unify protection for your public-facing applications and defend against API abuse.

Container-Based Architecture for Greater Flexibility

A container-based software architecture allows Bot Defense to be deployed in your data center, in the cloud or as a SaaS offering, so you can choose the architecture that best fits your needs.

Protect your APIs from Automated Attacks and Abuse

Eliminate application security gaps by protecting APIs and web applications from automated attacks and vulnerability exploits with a consistent security policy.


Rapid Discovery and Identification of APIs

Deep behavioral analysis of user intent by CQAI means fraudulent API activity is detected more quickly and consistently than with competitive offerings. More rapid discovery translates into reduced incident response time.


Enhance Security Effectiveness

Customizable automation indicators and responses enable you to fine-tune and maximize attack prevention policies to eliminate fraud associated with scraping.


Tight Security Ecosystem Integration

With REST APIs and an open architecture, you can ensure information is shared with third-party sites and other IT infrastructure such as SIEMs and SOC systems.

Our Customers

Every day, Cequence Security analyzes and protects billions of application transactions for customers in the financial services, retail, and social media industries.

HP-11
lbrands
ulta

Resources

Browse our library of datasheets, research reports, blogs, and archived webinars to learn more about our Application Security Platform.

Research Reports
Bulletproof Proxies: The Evolving Cybercriminal Infrastructure

This report maps attack patterns observed within the Cequence Security customer base to one of the leading Bulletproof Proxy providers.

Webinars
Preventing Fraud Caused by Account Takeovers

Organizations are plagued by automated attacks such as account takeovers and fake account creation. Learn how these attacks work, how the attackers hide in plain sight, and innovative strategies for catching malicious bots.

Case Studies
Zoosk: Preventing ATOs and Romance Fraud

Discover how Zoosk eliminated romance fraud by preventing ATOs targeting the mobile APIs.


Bot Defense SaaS Free Trial

Start preventing fraud caused by account takeovers and API business logic abuse now.
