The Akamai Blog

Enhancing API Protection in Web Application Protector

by Volker Tegtmeyer and Hans Cathcart

Are your APIs protected? Do you feel your business data is safe?

Application Programming Interfaces (APIs) are a great tool for developers to build new applications faster. They're great for helping businesses implement and evolve new business models faster by enabling different software programs to talk to each other quickly. They're also a great way for growing mobile applications to get information in front of consumers. But at the same time, APIs are a growing target for hackers, who can use them as an open door to your business's "crown jewels".

That's because APIs provide granular access and transparency into your business's infrastructure, which can create huge security risks without proper protection. It's a common misconception that only your authorized apps and developers will use your APIs. Attackers will actually use your APIs outside of these apps to exploit weaknesses in your backend infrastructure.

Think of it as two doors into your infrastructure. Attackers have opened the first door by targeting servers and databases through website attacks. And now, they're pivoting to the second door -- APIs -- to launch the same type of attacks.

Over the last year we have seen an increase of 60% in API calls on the Akamai platform.

Our customers have been protecting their APIs using our flagship product Kona Site Defender, which provides a sophisticated positive security model for APIs. Kona Site Defender provides our team with large amounts of existing data on how customers are building their APIs and the types of traffic they're seeing, allowing us to design better protections right off the bat.

And now we're making API protection even simpler for our customers.

Web Application Protector is best known for providing highly automated protection for web applications, as well as API protection capabilities that include rate control, geo blocking, and IP blacklists. Now, we've taken automation a step further by expanding the protection groups to also inspect the API request body in JSON and XML format -- by default. Automation simplifies operational processes for security teams and organizations, allowing them to expand protection to more sites.

Now, Web Application Protector can provide you with several layers of API protection:

  • Network layer protection through geo blocking and IP blacklists

  • DDoS protection through rate controls

  • JSON and XML exploit protection through new WAF rule inspections

These rules are automatically updated (and will also be available in Kona Site Defender). There are no operational requirements. Akamai does the work for you.

Interested in trying it out? Sign up here for a free trial.

For security teams who want to implement additional layers of protection, check out these solutions:

  • API Gateway, which takes care of the business management and governance of your API traffic. Read more about it here.

  • WAP customers can upgrade to Kona Site Defender, which now provides the same automated rule set plus a positive security model for APIs.

  • Kona Site Defender can be further enhanced with Client Reputation to provide additional information on suspicious IP client behavior.

  • Bot Manager Premier, which supports security teams managing exponentially growing bot traffic.

More information can be found in our whitepaper "Top API Security Strategies".

With Akamai Edge Security, you stay in full control of your security implementation. And now, our automated rules make your day-to-day jobs easier than ever.

Stay safe and enjoy your time off!
