In a recent cloud WAF breach, many customers were alarmed to learn that private API keys, salted passwords, and SSL certificates had been compromised.
It’s clear from this incident that the appropriate steps were not taken to protect customers’ data. One security measure that was overlooked was API security.
API security concerns the data that APIs transfer over the internet, which means broken, exposed, or hijacked APIs can lead to breaches.
For a cloud WAF, APIs are essential for integrating the WAF service with the client’s servers. This blog post will delve deeper into what API security means for cloud WAFs and how you can secure your APIs for WAFs.
Encrypt your API keys.
Keys are central to API security. API keys are essentially long strings that uniquely identify an application and allow two applications to communicate over the internet.
For WAF vendors and customers, securing these keys can mitigate threats such as man-in-the-middle (MITM) attacks (in which an attacker intercepts and alters the API messages exchanged between two parties) by preventing the interception of site traffic.
Keys in transit can be protected with SSL. By securing all of your webpages with SSL (which encrypts transmitted data), the data sent via your web APIs will be encrypted as well.
This is crucial because API traffic sometimes carries sensitive information (e.g. email addresses, card details); with encryption, you can thwart attackers who are trying to intercept your communications.
Authenticate users that utilize the API keys.
If an API key is not tied to an authenticated identity, there’s no guarantee that the user “calling” the API is the one you intended to issue the WAF API key to. By establishing the identity of the caller, authentication also helps reduce misuse of the system, for example by limiting the number of API requests any one user can make.
While basic authentication can be carried over SSL, there are more secure alternatives for authenticating users of WAF APIs.
These include OAuth 2 (a delegated-authorization framework) and OpenID Connect (an authentication layer built on top of it), two widely adopted industry standards.
Some WAFs also offer API tokens that support two-factor authentication. For example, a one-time password can be generated to confirm that the caller is the intended recipient.
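As an added example (not code from the original post or from any WAF vendor), here is a small Python sketch of the points above: a server that stores only an HMAC fingerprint of each issued key, compares it in constant time, refuses keys presented over an unencrypted connection, and applies a per-key request limit. The pepper, the limits and the in-memory store are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed placeholder pepper; in a real deployment load it from a secret store.
PEPPER = b"example-pepper-not-for-production"
RATE_LIMIT = 5        # requests allowed per key per window (constructed value)
WINDOW_SECONDS = 60


def key_fingerprint(secret: str) -> str:
    """Keyed hash of the secret; only this is stored, never the secret itself."""
    return hmac.new(PEPPER, secret.encode(), hashlib.sha256).hexdigest()


class ApiKeyStore:
    def __init__(self):
        # key_id -> {"fp": fingerprint, "owner": customer, "hits": [timestamps]}
        self._records = {}

    def register(self, owner: str):
        """Issue a new (key_id, secret) pair; the secret is shown to the owner once."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = {"fp": key_fingerprint(secret), "owner": owner, "hits": []}
        return key_id, secret

    def authenticate(self, key_id: str, presented: str, is_tls: bool, now=None):
        """Return (ok, reason_or_owner) for one API call."""
        now = time.time() if now is None else now
        if not is_tls:
            # A key sent in the clear is treated as exposed, not merely rejected.
            return False, "plaintext transport rejected"
        rec = self._records.get(key_id)
        if rec is None:
            # Hash anyway so unknown and known key ids take similar time.
            hmac.compare_digest(key_fingerprint(presented), key_fingerprint("dummy"))
            return False, "unknown key"
        if not hmac.compare_digest(rec["fp"], key_fingerprint(presented)):
            return False, "bad secret"
        # Sliding-window limit keyed on the authenticated identity.
        rec["hits"] = [t for t in rec["hits"] if now - t < WINDOW_SECONDS]
        if len(rec["hits"]) >= RATE_LIMIT:
            return False, "rate limited"
        rec["hits"].append(now)
        return True, rec["owner"]
```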
Consider using a secure API Gateway.
If properly secured, API gateways can add a further layer of protection. However, many API gateway technologies are designed for integration, and not necessarily with security in mind.
These products simply provide access control, which is not enough to properly protect APIs from external threats.
API security is much more than access control: because API gateways also handle traffic management, data leakage and data integrity are concerns as well.
WAFs are commonly used to secure API platforms, as they can block common web exploits and API misuse. A WAF can also help mitigate application-layer DDoS attacks.
Threats posed by vulnerable APIs, including those affecting WAFs, are ever-growing. In fact, 9 of the top 10 vulnerabilities mentioned by the latest OWASP Top 10 now note APIs.
Yet, API security remains overlooked in information security today. This is because API vulnerabilities are not easy to detect without specialized technology.
WAFs are one way to make sure API platforms are secured, and for securing the actual WAF API keys, encryption and authentication will come in handy.
As threats evolve and organizations become more aware of the threats that vulnerable APIs pose, it’s clear API security will gain more traction in not just the WAF arena but other cloud services as well.