As organizations extend their business-critical applications into cloud environments, the attack surface they're defending evolves. At one point, organizations' primary concern was maintaining a well-defined network perimeter; however, in today's world, organizations are likely dealing with multiple public clouds in addition to a private data center footprint, and applications. This presents an attack surface to the public Internet that looks very different from what organizations had been used to years ago. A case in point: the APIs used by modern web applications.
Web applications today don't just send HTML content to a browser for display — they expose APIs that enable clients to deliver a rich application experience to end users. That client doesn't even have to be a web browser anymore — it could also be a mobile application or even B2B communication with no intention that the information is ever displayed to a human user. APIs are powerful tools for delivering critical line-of-business capabilities, but they also create a new attack surface that you can't afford to overlook. And complicating the issue even further, a traditional WAF (Web Application Firewall) solution that protects against the typical OWASP Top 10 attacks (e.g., SQL injection, cross-site scripting, et al.) is no longer sufficient. When you deploy a web application and expose APIs that access critical information to the Internet, you need a modern Web Application and API Protection (WAAP) solution that provides protection across your entire attack surface.
Your Cloud Security Strategy Should Include API Protection
Granted, there are ways to address some of these API security concerns within the application itself. You can certainly implement controls within applications that can mitigate some of the risk of having your APIs exposed to malicious actors. These include validating inputs, implementing rate limits, and controlling access to the API using API keys or other restrictions — these are all valid tools. And you will find many of these solutions included in many open source and commercial off the shelf (COTS) web applications that you may be using as building blocks for creating, deploying, and maintaining the new web applications you use to meet your business needs.
But that might not be the best place to implement such controls. Relying on applications (and application developers) to provide their own security can be risky in its own way. Application developers are typically evaluated on feature delivery, uptime, and other metrics. Ideally, security is somewhere on their list, but in practice, consistently making security a top priority is a challenge, especially when a DevOps team may not have extensive cybersecurity skills. Even when a development team does focus on application security, having multiple application teams implementing their own approach to application security can leave your security team in the dark. Without a clear view of security events across all of your web applications, you are exposing your applications — and your organization — to unnecessary and serious risk.
Use a Platform Approach to Ensure Security Across Multiple Environments
Piecemeal security solutions fragment visibility, limiting threat detection as well as complicating a unified response to threats once they are discovered. So, in addition to implementing the right kind of security in cloud environments, there also needs to be a way to ensure that policies are deployed and enforced universally, both in and outside of the cloud. All configurations everywhere need to be able to be centrally applied, tested, and updated. And all threat intelligence needs to be centrally seen and correlated so threats can be identified, and a universal response can be automatically initiated.
The only way to do this is through the use of a security platform that includes WAAP functionality combined with a common management, analysis, and orchestration interface. And to effectively secure application APIs, that universal security platform needs to be deployed to every corner of the network, including on-premises and public cloud environments — anywhere that applications are being developed, deployed, and managed.
That platform should also include the ability to block threats using a WAF or other API gateway. This provides an additional layer of security, but it will only be used if that layer can be managed, monitored, and maintained by your security team directly without interfering with the other priorities driving application development. Blocking threats before they even reach your application also preserves application resources that would otherwise be used in detecting invalid or malicious connections.
Securing Your APIs
FortiWeb and FortiWeb Cloud solutions, part of the Fortinet security fabric platform, provide the exact security capabilities any organization needs to secure their web application APIs. They enable organizations to deploy a positive security model for their API definitions (JSON, XML, OpenAPI) by validating input before it ever reaches the application. They also enable IT teams to centrally manage API keys to restrict access to the most critical APIs to authorized external users, implement rate limiting, and even protect applications against DDoS attacks.
With FortiWeb in place, with its advanced WAAP functionality, security teams will have the right tools in place, and deployed everywhere and anywhere they are needed to help application teams quickly and securely deliver the API-based functionality businesses need.
See how easy it is to secure your APIs and web applications with FortiWeb Cloud with a free trial available through the AWS, Azure, and Google Marketplaces.
About the Author
Brian Schwarz is Director of Product Marketing for Application Security at Fortinet. With over 20 years of experience working with networking and security solutions for the enterprise, Brian currently focuses on Fortinet's Web application and API security solutions. Previously, Brian has held a variety of positions spanning product marketing, product management, technical marketing, and technical training for leading industry vendors.