COMMENTARY: As the tech stack has evolved from traditional, on-premises systems to cloud-native environments, APIs have grown to be the connective fiber that enables much of the modern application infrastructure. However, their essential role makes them prime targets for attackers. Securing APIs is a complex task that requires multiple tools—each offering distinct, complementary functionalities. But with the expanding API security landscape, it’s easy for MSSP customers to feel overwhelmed by the range of available options and look for guidance from their managed security providers. In this article, we’ll break down the key categories of API security tools that an MSSP might provide to their customers: API gateways, web application firewalls (WAFs), and dedicated API protection solutions.
Understanding the API Threat Landscape
As a managed security service provider (MSSP), you’re responsible for keeping up with the threat landscape, and APIs are increasingly targeted in attacks. The result is more data breaches, denial-of-service (DoS) attacks, and malicious abuse involving APIs across industries. According to the Wallarm Q3 2024 API ThreatStats Report, there has been a 21% increase in API vulnerabilities since last quarter. With a large portion of these vulnerabilities tied to cloud-native systems, it’s clear that APIs are an attractive target for cybercriminals, especially as organizations migrate operations to the cloud.
Moreover, API breaches often expose entire datasets rather than isolated records, amplifying their impact. Misconfigurations, particularly on the client side, have led to numerous breaches, with some recent incidents stemming from vulnerabilities not covered by the OWASP API Top 10. For MSSPs supporting organizations across sectors, this data underscores the importance of providing comprehensive, proactive API security.
The Confusing Landscape of API Security Tools
Despite the clear need for robust API security, the tool landscape can be perplexing. Numerous tools claim to secure APIs, but they don’t all provide the same level of protection or cover the same functions. MSSPs often face the challenge of navigating overlapping terms and marketing promises to find the right combination for each customer organization’s needs.
Three primary categories of tools support API security, and while they all play a role, each serves a different purpose. This article will break down the core capabilities of each: API gateways, web application firewalls (WAFs), and API protection tools. Understanding what each does—and doesn’t do—is essential to crafting a strong API security strategy to protect an MSSP's customers.
API Gateways: A Centralized Entry Point with Basic Security Features
API gateways are often considered the first line of defense for API security, and this makes sense, given that they act as a centralized entry point, managing and routing API traffic between clients and backend systems. However, API gateways are primarily focused on performance, and while they offer some basic security functions, they also have some gaps. When considering the deployment of an API gateway, MSSPs should expect it to provide these security functions:
- User and application authentication: API gateways provide various methods, including OAuth and mTLS, to verify identities accessing the APIs.
- Access control: With mechanisms like JWT scopes and access control lists (ACLs), API gateways can enforce permissions, limiting access to authorized users.
- Rate limiting: By controlling traffic volume, rate limiting prevents excessive requests, mitigating DoS risks.
- Encryption: Gateways support TLS encryption, securing data in transit and, where mTLS is configured, providing mutual authentication between the gateway and the services it fronts.
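The four gateway functions above fit together in one request path. The following is an added example, not code from the article or from any gateway product: a minimal gateway decision function that verifies an HS256 JWT (signature, pinned algorithm, expiry), enforces a per-route scope from the token's `scope` claim, and applies a per-subject token-bucket rate limit. The shared secret, the route-to-scope table and the `mint_token` helper standing in for the identity provider are all constructed assumptions for the example; a production gateway validates tokens against the identity provider's published keys and terminates TLS in front of all of this.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (assumption). A real gateway validates tokens against the
# identity provider's published keys; the shared secret only keeps this example offline.
DEMO_SECRET = b"demo-shared-secret-not-for-production"

# Constructed route table: the scope each route requires (assumption).
ROUTE_SCOPES = {
    ("GET", "/orders"): "orders:read",
    ("DELETE", "/orders"): "orders:write",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub, scopes, ttl=300, secret=DEMO_SECRET, now=None):
    """Stand-in for the identity provider: issue an HS256 JWT carrying sub, scope and exp."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "scope": " ".join(scopes), "exp": int(now + ttl)}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token, secret=DEMO_SECRET, now=None):
    """Return the claims when signature and expiry are valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm: never accept "none" or an unexpected alg
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers malformed base64, bad UTF-8 and invalid JSON
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


class TokenBucket:
    """Per-subject token bucket: `capacity` burst, refilled at `refill_per_sec`."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.rate = refill_per_sec
        self.state = {}  # subject -> [tokens, last_seen]

    def allow(self, key, now):
        tokens, last = self.state.get(key, [self.capacity, now])
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[key] = [tokens, now]
            return False
        self.state[key] = [tokens - 1, now]
        return True


def gateway(method, path, token, limiter, now=None):
    """Gateway decision for one request; returns the HTTP status it would send."""
    now = time.time() if now is None else now
    claims = verify_token(token, now=now)
    if claims is None:
        return 401  # unauthenticated: bad signature, wrong alg, malformed or expired
    if not limiter.allow(claims["sub"], now):
        return 429  # rate limited per authenticated subject
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return 404
    if required not in claims.get("scope", "").split():
        return 403  # authenticated but not authorized for this route
    return 200


if __name__ == "__main__":
    limiter = TokenBucket(capacity=3, refill_per_sec=1.0)
    tok = mint_token("alice", ["orders:read"], now=1000.0)
    for call in [("GET", "/orders"), ("DELETE", "/orders"), ("GET", "/orders"), ("GET", "/orders")]:
        print(call, gateway(*call, tok, limiter, now=1000.0))
```

Note the ordering: the bucket is keyed on the verified subject, so an unauthenticated flood never consumes a legitimate user's budget, and a request that is later refused for scope (403) still counts against the caller's quota. The design point the article makes is visible here too: nothing in this function inspects request bodies or object identifiers, so it cannot tell a well-formed, correctly scoped request from one that abuses application logic.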
While essential, API gateways alone cannot address all API security needs. They lack advanced capabilities for detecting and mitigating sophisticated attacks, such as API-specific injection or broken authentication. Relying solely on a gateway would leave APIs exposed to more advanced threats that require deeper inspection and specialized security features.
Web Application Firewalls (WAFs): Built for Web Applications
Traditionally, web application firewalls (WAFs) focus on protecting web applications from threats like SQL injection and cross-site scripting (XSS). With the rise of APIs, some WAFs have added basic API security capabilities. When considering a WAF, you should expect it to provide:
- Protection Against OWASP Top 10 Threats: Blocks common attacks like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) targeting web applications.
- Application Layer Defense: Inspects and filters HTTP/HTTPS traffic to prevent malicious payloads targeting web applications.
- DDoS Mitigation: Detects and blocks application-layer distributed denial-of-service (DDoS) attacks.
WAFs are generally considered a perimeter defense, excelling at protecting ingress traffic to a customer's internet-facing web applications. While WAFs have added API-specific protections, they still struggle to detect business logic flaws or more sophisticated API attacks. They excel in blocking common web-based attacks but aren’t equipped for the full range of API-specific threats, especially in dynamic, cloud-native environments. For these reasons, MSSPs should consider combining WAFs with dedicated API protection tools to ensure comprehensive coverage.
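To make the limitation concrete, here is an added example (not code from the article or from any WAF vendor) that runs a deliberately tiny, WAF-style signature set over constructed sample requests and then passes whatever the WAF allows to an object-level authorization check. The rule patterns, the `PROFILE_OWNER` table standing in for the application's data model, and the sample requests are all constructed for the example. The request that reads another user's profile is syntactically clean, so the WAF allows it; only the check that knows who owns object `1002` can refuse it.

```python
import re
from urllib.parse import unquote_plus

# Constructed, deliberately tiny signature set in the style of a WAF rule file (assumption).
WAF_RULES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*(or|and)\s+[\w']+\s*=\s*[\w']+")),
    ("sqli-union-select", re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-javascript-uri", re.compile(r"(?i)javascript\s*:")),
]

# Constructed ownership table standing in for the application's data model (assumption).
PROFILE_OWNER = {"1001": "1001", "1002": "1002"}
PROFILE_ROUTE = re.compile(r"^/api/v1/users/(\d+)/profile$")


def waf_inspect(req):
    """Signature-based inspection over the decoded path and body, as a WAF does.
    Returns ("block", rule_name) or ("allow", None)."""
    surfaces = [unquote_plus(req["path"]), unquote_plus(req.get("body", ""))]
    for name, pattern in WAF_RULES:
        if any(pattern.search(text) for text in surfaces):
            return ("block", name)
    return ("allow", None)


def object_level_authz(req):
    """Object-level authorization: the authenticated subject may only read its own profile.
    This decision needs the data model, which a signature-based WAF does not have."""
    match = PROFILE_ROUTE.match(unquote_plus(req["path"]).split("?", 1)[0])
    if not match:
        return ("allow", None)
    owner = PROFILE_OWNER.get(match.group(1))
    if owner is None or owner != req["subject"]:
        return ("block", "broken-object-level-authorization")
    return ("allow", None)


def layered_decision(req):
    """WAF first, then the API-aware check; report which layer made the call."""
    verdict, rule = waf_inspect(req)
    if verdict == "block":
        return ("waf", rule)
    verdict, rule = object_level_authz(req)
    if verdict == "block":
        return ("api-protection", rule)
    return ("allowed", None)


# Constructed sample requests; `subject` is the user id taken from an already-verified token.
SAMPLE_REQUESTS = {
    "sqli": {"method": "GET", "path": "/api/v1/users?id=1%27%20OR%201%3D1", "subject": "1001"},
    "xss": {"method": "POST", "path": "/api/v1/comments", "body": "<script>alert(1)</script>", "subject": "1001"},
    "own_profile": {"method": "GET", "path": "/api/v1/users/1001/profile", "subject": "1001"},
    "other_profile": {"method": "GET", "path": "/api/v1/users/1002/profile", "subject": "1001"},
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:14s} -> {layered_decision(req)}")
```

The two textbook payloads are caught by the signature layer, as expected. The `other_profile` request contains nothing a pattern could match; it is blocked only because the second layer compares the object id in the path with the subject in the token, which is the kind of API-specific, context-aware check the article attributes to dedicated API protection tools.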
API Protection Tools: Advanced Threat Detection and Response for APIs
API protection tools offer a dedicated approach to API security, going beyond the basic capabilities of API gateways and WAFs. Their primary focus is on securing APIs throughout the full lifecycle, providing more advanced and targeted protections:
- Automated API Discovery: API protection tools detect new or changed endpoints, reducing the risk posed by shadow APIs that may be undocumented and unsecured.
- OWASP API Security Protection: By addressing the OWASP Top 10 API Security risks, API protection tools tackle threats like broken object-level authorization and injection attacks.
- Abuse Protection: These tools monitor for unusual behaviors, such as credential stuffing or excessive requests, blocking abusive actions that may evade standard rate limits.
- Security Testing and Vulnerability Detection: Many API protection tools perform ongoing security assessments, identifying misconfigurations and vulnerabilities in real-time.
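Two of the capabilities above, automated discovery and abuse protection, can be illustrated with the same piece of telemetry. The following is an added example, not code from the article or from any API protection product: it parses constructed access-log lines, diffs the endpoints actually observed against a constructed inventory of documented endpoints to surface shadow APIs, and flags a source that fails logins against many different accounts within a window. The log format, the `DOCUMENTED` inventory and the detection thresholds are assumptions made for the example. The credential-stuffing client deliberately sends about one request every ten seconds, which stays under a typical per-client rate limit; it is the behaviour across accounts, not the volume, that gives it away.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed inventory of documented endpoints: an OpenAPI spec reduced to method + path template.
DOCUMENTED = {
    ("GET", "/v1/orders"),
    ("GET", "/v1/orders/{id}"),
    ("POST", "/v1/login"),
}

# Constructed access-log sample: one legitimate user who mistypes a password once, an
# undocumented admin path, and a client that fails logins against many different accounts.
ACCESS_LOG = """\
203.0.113.10 - [2024-10-01T10:00:01Z] "GET /v1/orders/42 HTTP/1.1" 200
203.0.113.10 - [2024-10-01T10:00:02Z] "GET /v1/orders HTTP/1.1" 200
203.0.113.10 - [2024-10-01T10:00:03Z] "POST /v1/login HTTP/1.1" 401 user=alice
203.0.113.10 - [2024-10-01T10:00:09Z] "POST /v1/login HTTP/1.1" 200 user=alice
203.0.113.10 - [2024-10-01T10:00:12Z] "DELETE /v1/orders/42 HTTP/1.1" 204
198.51.100.7 - [2024-10-01T10:00:03Z] "GET /v1/admin/export?all=1 HTTP/1.1" 200
198.51.100.7 - [2024-10-01T10:00:20Z] "POST /v1/login HTTP/1.1" 401 user=bob
198.51.100.7 - [2024-10-01T10:00:31Z] "POST /v1/login HTTP/1.1" 401 user=carol
198.51.100.7 - [2024-10-01T10:00:42Z] "POST /v1/login HTTP/1.1" 401 user=dave
198.51.100.7 - [2024-10-01T10:00:53Z] "POST /v1/login HTTP/1.1" 401 user=erin
198.51.100.7 - [2024-10-01T10:01:04Z] "POST /v1/login HTTP/1.1" 401 user=frank
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>\S+)\] "(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})(?: user=(?P<user>\S+))?$'
)


def parse_log(text):
    """Turn log lines into event dicts with an epoch timestamp; skip lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a real pipeline would count and alert on unparsable lines
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["t"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).timestamp()
        events.append(ev)
    return events


def normalize_path(path):
    """Drop the query string and collapse numeric segments into {id} so observed
    paths compare against the documented templates."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path.split("?", 1)[0])


def discover_shadow_endpoints(events, documented=DOCUMENTED):
    """Endpoints seen in traffic that the inventory does not know about."""
    observed = {(e["method"], normalize_path(e["path"])) for e in events}
    return sorted(observed - set(documented))


def detect_credential_stuffing(events, window_s=60, min_failures=5, min_distinct_users=4):
    """Flag source IPs whose failed logins spread across many accounts inside one window."""
    failures = defaultdict(list)
    for e in events:
        if e["path"].startswith("/v1/login") and e["status"] == 401 and e["user"]:
            failures[e["ip"]].append((e["t"], e["user"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # slide a window over each start point
            window = [user for t, user in attempts[i:] if t - start < window_s]
            if len(window) >= min_failures and len(set(window)) >= min_distinct_users:
                flagged[ip] = {"failures": len(window), "distinct_users": len(set(window))}
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    print("shadow endpoints:", discover_shadow_endpoints(evs))
    print("credential stuffing:", detect_credential_stuffing(evs))
```

The discovery step reports the undocumented `GET /v1/admin/export` and the undocumented `DELETE` on orders, both of which exist in traffic but not in the inventory. The abuse detector flags `198.51.100.7` on the fifth failed login because the failures span five different accounts, while `203.0.113.10`, with a single failed attempt followed by success, is left alone.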
One important distinction for MSSPs is that not all API protection tools can actively block threats. Some focus on detection and alerting, requiring integration with a WAF for actual threat blocking. However, solutions that offer real-time blocking are invaluable, as they can prevent attacks from reaching the API in the first place. For comprehensive security, organizations should seek API protection tools that not only detect threats but can also actively mitigate them when necessary.
Conclusion: Layered Security for Effective API Protection
With a rising number of API vulnerabilities, choosing the right combination of security tools is critical for effective API defense. API gateways, WAFs, and API protection tools each contribute unique strengths:
- API gateways centralize API traffic management, offer basic access control, and enable secure communication but are limited in detecting advanced threats.
- WAFs deliver traditional web application and DDoS protections, but may fall short in protecting APIs, especially from sophisticated attacks.
- API protection tools provide deep API-specific security across the API lifecycle, detecting threats that other tools may miss and, in some cases, offering direct blocking capabilities.
A layered approach that integrates these tools provides the most robust API security. MSSPs must understand each tool’s role and limitations, crafting solutions that align with the organization’s needs, whether in cloud-native, on-premises, or multi-cloud environments. Given today’s API threat environment, combining these tools ensures a more resilient, adaptable security posture that can safeguard APIs against evolving risks.
MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff.