Application Programming Interfaces (APIs) are an intermediary framework that enable applications to communicate and exchange data with one another. As a backbone of the modern web, software companies build and deploy APIs to do everything from displaying social media content to allowing partners to utilize transaction data. By design, APIs are meant to make it easy to transport valuable data wherever it needs to go.
But APIs can also be subject to abuse and misuse by attackers given their proximity to valuable information, making them an easy target for malicious actors to exploit. If an API is orchestrated insecurely, sensitive data is left exposed and can be harvested for nefarious purposes. For example, in 2018, Salesforce potentially left customer data exposed to the public due to an API error.
Signal Sciences Defends APIs
According to Gartner, APIs will be the most frequently attacked vector for enterprise web application data breaches by 2022. Signal Sciences next-generation WAF gives enterprises an API defense strategy that is both powerful and flexible against changing threats at the application layer.
Here are a few examples of API abuse exploits that Signal Sciences protects against:
Account Takeover (a.k.a “Credential Stuffing”)
Attackers use known lists of compromised credentials from common password lists and breach data dumps to try to gain access to customer accounts by leveraging the credentials through authentication APIs. One of our large enterprise customers leverages Signal Sciences to mitigate ATO attacks via their API and customer-facing website. Using templated rules they monitor attempts for brute forcing accounts via their API. They augment this by tracking common botnet user agent strings to help determine if an attempt is malicious or not.
Malicious automation and bots are used to perform content scraping, tie up system resources, perform account brute forcing, and other actions. Signal Sciences enables customers to stop such bot abuse with an advanced rate-limiting rule for API endpoints.
Sensitive API Abuse Targeting
Attackers attempt to manipulate sensitive APIs such as gift card and credit card validation in attempts to validate stolen credit cards, perform ecommerce gift card fraud, or obtain patient healthcare records. For example, one Signal Sciences customer sees and stops attempts to compromise their API via injection attacks or enumeration in order to get acquire gift cards.
Learn More About API Security for Your Web Apps
APIs have become a business-critical component for software companies of any size, and insecure APIs can pose a significant threat to customer and partner data. Signal Sciences gives enterprises the protection and visibility to stop these attacks and more, no matter how you deploy your APIs.