APIs have become a dominant mechanism in the modern web, allowing organizations to create powerful web and mobile experiences, while exposing back-end data and logic to create new and innovative offerings. Protecting internet-facing APIs -- an emerging practice over the past few years -- is the default requirement for web application security in 2020 and beyond.
Why focus on APIs?
Monolithic web applications have given way to individual microservices which, coupled together, form the experience delivered to the end user online. APIs allow for these microservices to communicate with each other and the user interface (UI) to deliver desired functionality.
For example, in a typical web or mobile online retail site, different functions like account creation, user login, password reset, product catalog, personalized recommendation, shopping cart, and checkout/payment are microservices that perform specific functions. The use of microservices increases the attack surface multifold, with each providing an opportunity for attackers to exploit software vulnerabilities, business logic, and availability if not properly secured.
Akamai has seen the explosion of API calls firsthand, now representing more than 83% of the web traffic delivered on our platform. Securing APIs requires solutions that are tailored to deal with deep API message inspection, API specification management, authentication and authorization, and anti-automation.
Visibility is the first step
Reducing the API attack surface begins with understanding which are the API endpoints in your environment, their functions, and their traffic profiles. Akamai's API Discovery and Profiling capability does just that and more, automatically and continuously.
This capability discovers APIs every 24 hours based on a scoring mechanism that takes into account response content type, path characteristics, and traffic patterns. The discovery data includes information on the observed API specification with details like:
- Resource path
- Parameters and their data type
- Format of the API
Base and resource paths are determined based on an algorithm that takes into account path depth, children count, and siblings from the observed traffic on a specific hostname with API traffic. Within the resource path, if a parameter is observed for a specific method, it is marked, and the data type of that parameter is identified.
The traffic profile for the API endpoints contains information that gives insight into the API's purpose and current threat level. Some of the data points included are:
- Total requests since the API was first discovered, in the past 24 hours, and trending over time
- Date the API was first discovered and last seen
- Number of requests across different methods like GET, PUT, POST, DELETE, and OPTIONS
- Number of requests generating 2xx, 3xx, 4xx, and 5xx responses
- End-client identification based on user agent
- Response errors such as the percentage of traffic resulting in client- and server-side errors
- Hits from known bad actors including the percentage of total traffic coming from known bad actors to the Akamai platform split by web attackers, web scanners, scrapers, and denial-of-service (DoS) attackers
Discovered APIs with traffic profile overview
API resources under a basepath
The UI provides an easy one-click workflow to register the newly discovered API or resource for an already registered API. The API can then be protected against injection, credential abuse, brute force, and DoS attacks, and the API specification is enforced at the Akamai edge.
The UI provides flexible options to quickly find specific endpoints by sorting, filtering, or just a simple text search. The raw data can also be exported in CSV format to be shared with different teams or ingested into other tooling for processing.
Insights from visibility
We looked at API discovery results across 100 enterprise customers from financial services, retail, media, and entertainment industries. Following were the highlights:
- 274,000 unique resources discovered
- 744 billion calls observed in a 30-day period across those resources
- 130 average number of endpoints per customer related to login and account functionality
- 125 average number of endpoints per customer belonging to lower environments like Dev, QA, and UAT
- 12% average number of API calls from known bad actors for web attacks, scraping, scanning, and DoS
- 6% API calls on average per resource resulted in either client- or server-side error responses
- 25% of API calls came from end clients that were not identified as a browser or mobile device/application
- JSON was by far the most dominant API format observed
What can API discovery and profiling do for you?
With the visibility provided by API discovery, our customers were able to discern:
- Sensitive transactional endpoints like login, password reset, account registration, money transfer, tax documents, account profile, shopping cart, and payment susceptible to credential abuse and vulnerability attacks
- Lower environments exposed to the internet, such as Dev, QA, UAT, and internal API endpoints
- Which API endpoints are hit most by known bad actors, requiring prioritized protection
- The API endpoints with the most error responses, signaling misconfigured API clients and possible brute force or credential abuse attacks
- Production endpoints receiving very low amounts of traffic, indicating decommissioned or old endpoints with exposure to the internet
- Whether web/mobile endpoints are getting called by clients that are not browsers or mobile devices
Comprehensive API protection
Protecting APIs can be a significant hurdle if you lack visibility. How can you protect what you can't see? Visibility is the first step in protecting your application, infrastructure, and end-user data. With Akamai, you can automatically and continuously discover and profile APIs, including their endpoints, definitions, and resource and traffic characteristics. Akamai's cloud- and origin-agnostic approach allows for easy discovery across your entire application estate without any additional configuration required by the end user. This visibility enables developers, application owners, and security teams to stay ahead of new, unknown, or changing APIs and easily register them for protection. Once APIs are identified, Akamai provides broad protection to deal with DoS, malicious injection, credential abuse attacks, and API specification violations.
There will be more opportunities to engage with us on this and more at Edge Live | Adapt. Sign up to see how customers are leveraging these improvements, engage in technical deep dives, and hear from our executives how Akamai is evolving for the future.