Shadow APIs - You Can't Defend What You Don't Know Exists
Cequence Security's James Sherlow on New Defenses for API Business Logic Attacks
Shadow APIs are up 900%, and API business logic abuse attacks have come to the forefront, demanding both discovery and defensive measures from cybersecurity organizations, said James Sherlow, director of solution engineering in EMEA at Cequence Security.
One example of the growing threat is API6 in the OWASP API Security Top 10 for 2023, Sherlow told ISMG. The category takes in the bots and automated attacks previously described under API8 and broadens them to business logic abuse of APIs: the application is used exactly as it was designed, such as to make an online purchase, but flaws in the business logic are exploited for unintended outcomes. Because each API's logic is different, signature-based defenses are no longer useful, he said.
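To make the business logic point concrete, here is an added example that is not from the interview and not Cequence's code: a toy checkout API with three logic flaws (an unchecked quantity, a "single-use" promo code that is never burned, and a confirm step that does not verify payment) beside a hardened version. Every request in the abuse sequence is syntactically well-formed, which is why a payload signature has nothing to match on. Endpoint names, prices and the promo code are invented for illustration.

```python
"""Toy checkout API: business logic abuse versus an enforced order flow.

Added example, not from the interview or from Cequence. Catalog, prices,
promo code and order identifiers are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

CATALOG = {"sku-1": 100}          # constructed: one product, unit price 100
PROMO_CODES = {"WELCOME10": 10}   # constructed: a 10% code meant to be single-use


@dataclass
class Order:
    account: str
    sku: str
    qty: int
    promo: Optional[str] = None
    paid: bool = False
    confirmed: bool = False


class VulnerableCheckout:
    """Every request is schema-valid; the flaws are in the logic and the flow."""

    def __init__(self) -> None:
        self.orders: Dict[str, Order] = {}
        self.used_promos = set()

    def create(self, oid, account, sku, qty, promo=None):
        self.orders[oid] = Order(account, sku, qty, promo)

    def price(self, oid):
        o = self.orders[oid]
        total = CATALOG[o.sku] * o.qty               # flaw 1: qty is never range-checked
        if o.promo in PROMO_CODES:                   # flaw 2: code is never recorded as used
            total -= total * PROMO_CODES[o.promo] // 100
        return total

    def pay(self, oid, amount):
        o = self.orders[oid]
        o.paid = amount >= self.price(oid)           # a negative price clears on any amount
        return o.paid

    def confirm(self, oid):
        o = self.orders[oid]
        o.confirmed = True                           # flaw 3: ships without checking o.paid
        return o.confirmed


class HardenedCheckout(VulnerableCheckout):
    """Same endpoints; the intended business rules are enforced server-side."""

    def create(self, oid, account, sku, qty, promo=None):
        if not 1 <= qty <= 10:
            raise ValueError("quantity out of range")
        if promo is not None:
            if promo not in PROMO_CODES or promo in self.used_promos:
                raise ValueError("invalid or already used promo code")
            self.used_promos.add(promo)              # burn the code when it is bound to an order
        super().create(oid, account, sku, qty, promo)

    def confirm(self, oid):
        if not self.orders[oid].paid:
            raise ValueError("order not paid")       # enforce create -> pay -> confirm
        return super().confirm(oid)


def abuse_sequence(api):
    """Run three well-formed request sequences and report which ones succeeded."""
    results = {}
    try:  # 1. reuse a single-use promo code on a second order
        api.create("o1", "alice", "sku-1", 1, "WELCOME10")
        api.create("o2", "alice", "sku-1", 1, "WELCOME10")
        results["promo_reuse"] = api.price("o2") == 90
    except ValueError:
        results["promo_reuse"] = False
    try:  # 2. negative quantity yields a negative price, so paying 0 "settles" it
        api.create("o3", "bob", "sku-1", -1)
        results["negative_qty"] = api.pay("o3", 0)
    except ValueError:
        results["negative_qty"] = False
    try:  # 3. skip the payment step entirely
        api.create("o4", "carol", "sku-1", 1)
        results["skip_payment"] = api.confirm("o4")
    except ValueError:
        results["skip_payment"] = False
    return results


if __name__ == "__main__":
    print("vulnerable:", abuse_sequence(VulnerableCheckout()))
    print("hardened:  ", abuse_sequence(HardenedCheckout()))
```

Nothing in the three abusive sequences would trip a schema validator or a WAF rule: the fields, types and endpoints are exactly what a legitimate shopper sends. The defense lives in the server's own state (the burned promo code, the paid flag) and in checks on the order of operations, which is the "context" a protection layer needs before it can tell abuse from use.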
Defenders are also seeing a huge increase in shadow APIs: APIs that are unknown or undocumented, and legacy or brand-new APIs that are published without checks and guardrails. Others return more information than they should. Overall, 30% of attacks target shadow APIs, so companies need to focus on discovering them and bringing them into compliance, he said.
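One way to start the discovery work, shown here as an added example rather than Cequence's tooling: compare the routes actually being served, as seen in gateway access logs, with the documented OpenAPI path inventory, and report whatever falls outside it, including an unlisted method on a documented path and a retired API version that still answers. The spec entries and log lines below are constructed for the example; the response-size column is kept because an unusually large average response on an undocumented route is a hint that it exposes extra information.

```python
"""Shadow API discovery: observed routes versus the documented path inventory.

Added example, not from the interview or from Cequence. The documented paths
and the access-log lines are constructed for illustration.
"""
import re
from collections import Counter

# Constructed OpenAPI-style inventory: (method, path template) pairs the team knows about.
DOCUMENTED_PATHS = {
    ("GET", "/api/v2/orders/{id}"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/users/{id}"),
}

# Constructed gateway access-log excerpt in a CLF-like format (client, time, request, status, bytes).
ACCESS_LOG = """\
10.0.0.5 - - [12/Jun/2023:10:01:02 +0000] "GET /api/v2/orders/1042 HTTP/1.1" 200 512
10.0.0.5 - - [12/Jun/2023:10:01:03 +0000] "POST /api/v2/orders HTTP/1.1" 201 88
10.0.0.9 - - [12/Jun/2023:10:01:09 +0000] "GET /api/v1/orders/1042 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jun/2023:10:01:10 +0000] "GET /api/v1/orders/1043 HTTP/1.1" 200 2051
10.0.0.9 - - [12/Jun/2023:10:01:11 +0000] "GET /api/v1/orders/1044 HTTP/1.1" 200 2049
10.0.0.7 - - [12/Jun/2023:10:02:00 +0000] "GET /internal/debug/config HTTP/1.1" 200 9120
10.0.0.5 - - [12/Jun/2023:10:02:30 +0000] "GET /api/v2/users/7 HTTP/1.1" 200 300
10.0.0.5 - - [12/Jun/2023:10:02:31 +0000] "DELETE /api/v2/users/7 HTTP/1.1" 200 0
10.0.0.3 - - [12/Jun/2023:10:03:00 +0000] "GET /api/v2/admin HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+)'
)


def template_to_regex(template):
    """Turn an OpenAPI path template such as /orders/{id} into an anchored regex."""
    literal_parts = re.split(r"\{[^}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


COMPILED = [(method, template_to_regex(path)) for method, path in DOCUMENTED_PATHS]


def is_documented(method, path):
    return any(m == method and rx.match(path) for m, rx in COMPILED)


def normalize(path):
    """Collapse purely numeric path segments to {id} so observed routes group together."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def find_shadow_apis(log_text):
    """Return {(method, route): {"hits": n, "avg_bytes": b}} for served routes outside the spec."""
    hits, total_bytes = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        method, path, status = m["method"], m["path"].split("?", 1)[0], int(m["status"])
        if status == 404:
            continue  # nothing served there; probing for absent routes is a separate signal
        if is_documented(method, path):
            continue
        key = (method, normalize(path))
        hits[key] += 1
        total_bytes[key] += int(m["bytes"])
    return {k: {"hits": n, "avg_bytes": total_bytes[k] // n} for k, n in hits.items()}


if __name__ == "__main__":
    for (method, route), stats in sorted(find_shadow_apis(ACCESS_LOG).items()):
        print(f"{method:7} {route:28} hits={stats['hits']} avg_bytes={stats['avg_bytes']}")
```

On the constructed log this reports three shadow routes: the v1 orders endpoint that should have been retired (and whose responses are four times the size of the v2 ones), an internal debug endpoint, and a DELETE method on a user path that the spec only documents for GET. Each is a candidate either for decommissioning or for being brought under the same authentication, authorization and rate-limit guardrails as the documented surface.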
In this video interview with Information Security Media Group at Infosecurity Europe 2023, Sherlow discussed:
- Why machine learning used to protect APIs needs context awareness;
- Unique threats that are on the rise, especially fingerprint rotation;
- Using tracking or fake responses, rather than outright blocking, to control the rate of an attack.
Sherlow says his organization's mission is to transform application security by consolidating multiple innovative security functions within an open, AI-powered software platform. This intelligence-based software protects customers' web, mobile and API-based applications and supports today's cloud-native, container-based application architectures.