APIs have become the crown jewels of organizations’ digital transformation initiatives, empowering employees, partners, customers, and other stakeholders to access applications, data, and business functionality across their digital ecosystem. So it is no surprise that attackers have stepped up their attacks against these critical enterprise assets.

Unfortunately, it looks like the problem will only worsen. Gartner has predicted that, “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”

Many enterprises have responded by implementing API management solutions that provide mechanisms such as authentication, authorization, and throttling. These are must-have capabilities for controlling who accesses APIs across the API ecosystem—and how often. However, in building their internal and external API strategies, organizations also need to address the growth of more sophisticated attacks on APIs by implementing dynamic, artificial intelligence (AI)-driven security.

This article examines API management and security tools that organizations should incorporate to ensure security, integrity, and availability across their API ecosystems.

Rule-based and policy-based security measures

Rule-based and policy-based security checks, which can be performed in a static or dynamic manner, are mandatory parts of any API management solution. API gateways serve as the main entry point for API access and therefore typically handle policy enforcement by inspecting incoming requests against policies and rules related to security, rate limits, throttling, etc. Let’s look closer at some static and dynamic security checks to see the additional value they bring.

Static security checks

Static security checks do not depend on request volume or on data from previous requests: they validate each message on its own against a predefined set of rules or policies. Gateways perform a range of static checks to block SQL injection, coercive parsing attacks, entity expansion attacks, and schema poisoning, among others.
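What such static rules look like when written out, as an added example in Python (it is not code from the article or from any gateway product): one entry point inspects a single request body against fixed limits, refusing any XML DTD before the parser can expand entities (entity expansion), bounding element and bracket nesting in both XML and JSON (coercive parsing), and validating JSON against a schema pinned in gateway configuration rather than one supplied with the request (schema poisoning). The `/orders` endpoint, its schema, the depth limit, and the sample bodies are all constructed for the illustration. The signature-style SQL injection rules the article lists are left out; they are a coarse screen at best, and the control that actually closes SQL injection is parameterized queries in the backend service.

```python
# Static, per-request checks of the kind an API gateway applies before routing a
# call. Added example, not the article's or any product's code; each rule inspects
# only the current message against fixed limits, with no request history.
import json
import re
import xml.parsers.expat

MAX_DEPTH = 32   # constructed limit; bounded nesting defeats coercive-parsing payloads
# Pinned schema for a hypothetical POST /orders endpoint (assumption). Keeping it in
# gateway config instead of trusting a request-supplied one is what blocks poisoning.
ORDER_SCHEMA = {"customer_id": int, "sku": str, "quantity": int}
_STRING = re.compile(r'"(?:\\.|[^"\\])*"', re.DOTALL)   # one JSON string literal

class PolicyViolation(Exception):
    """Raised when a static rule rejects the request."""

def check_xml(body: bytes) -> int:
    """Refuse any DTD (entity expansion) and over-deep nesting; return max depth."""
    parser = xml.parsers.expat.ParserCreate()
    depth = max_depth = 0

    def start_doctype(*_):
        # ENTITY declarations live in the DOCTYPE ("billion laughs"): stop here.
        raise PolicyViolation("DTD/DOCTYPE not allowed")

    def start_element(_name, _attrs):
        nonlocal depth, max_depth
        depth += 1
        max_depth = max(max_depth, depth)
        if depth > MAX_DEPTH:
            raise PolicyViolation(f"XML nesting deeper than {MAX_DEPTH}")

    def end_element(_name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(body, True)   # a PolicyViolation raised in a handler propagates
    except xml.parsers.expat.ExpatError as exc:
        raise PolicyViolation(f"malformed XML: {exc}") from exc
    return max_depth

def json_max_depth(text: str) -> int:
    """Bracket nesting measured without parsing, so a hostile body is refused before
    json.loads recurses over it. String literals are blanked first and not counted."""
    depth = max_depth = 0
    for ch in _STRING.sub('""', text):
        if ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth

def check_json(body: bytes, schema: dict) -> dict:
    """Depth-limit, parse, then enforce the pinned schema (all fields present,
    exact types, no extras); return the parsed object."""
    if json_max_depth(body.decode("utf-8", "replace")) > MAX_DEPTH:
        raise PolicyViolation(f"JSON nesting deeper than {MAX_DEPTH}")
    try:
        obj = json.loads(body)   # invalid UTF-8 also surfaces as a ValueError
    except ValueError as exc:
        raise PolicyViolation(f"malformed JSON: {exc}") from exc
    if not isinstance(obj, dict):
        raise PolicyViolation("top-level JSON object required")
    for key, typ in schema.items():
        val = obj.get(key)
        # bool subclasses int in Python, so true/false must not pass as an int.
        if not isinstance(val, typ) or (typ is int and isinstance(val, bool)):
            raise PolicyViolation(f"field {key} missing or not {typ.__name__}")
    extra = sorted(set(obj) - set(schema))
    if extra:
        raise PolicyViolation(f"unexpected fields: {extra}")
    return obj

def check_request(content_type: str, body: bytes) -> str:
    """Gateway entry point: "allow", or "deny: <reason>" naming the failing rule."""
    try:
        if content_type.startswith("application/json"):
            check_json(body, ORDER_SCHEMA)
        elif content_type.startswith(("application/xml", "text/xml")):
            check_xml(body)
        else:
            raise PolicyViolation(f"unsupported content type {content_type}")
    except PolicyViolation as exc:
        return f"deny: {exc}"
    return "allow"

# Constructed sample bodies (not captured traffic).
GOOD_JSON = b'{"customer_id": 42, "sku": "ABC-1", "quantity": 2}'
BAD_TYPE_JSON = b'{"customer_id": "42", "sku": "ABC-1", "quantity": 2}'
DEEP_JSON = b"[" * 40 + b"]" * 40
GOOD_XML = b"<order><sku>ABC-1</sku></order>"
DEEP_XML = b"<a>" * 40 + b"x" + b"</a>" * 40
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;">]><lolz>&lol1;</lolz>')
```

Two design points carry over to real gateway policy. First, the checks run before or during parsing, not after: expat expands internal entities by default, so a DOCTYPE has to be refused the moment it appears, and the JSON depth is counted with a linear scan before `json.loads` is allowed to recurse. Second, none of the rules consult anything but the message in hand, which is exactly what makes them static and cheap enough to run on every request; anything that needs a count of earlier requests belongs to the dynamic checks.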
