The Current State of API Security
With the rapid development of the Internet and the maturity of technology, people have begun to pay attention to technical security issues while enjoying the convenience brought by technology.
In recent years, the application market has become the favorite of major Internet platform companies. Facebook, Twitter, Sina Weibo, WeChat official account, Douyin, etc. have all used this model, that is, to establish a cooperation between the platform and third-party developers. A win-win mechanism, the platform side allows third parties to call data to develop applications and deploy them on the platform, thereby enriching the content of the platform and increasing user stickiness, while the third party realizes drainage and monetization by providing high-quality content or programs. Although multi-product interaction enriches users' usage scenarios and ease of use, it also creates hidden dangers for privacy protection.
Salt Security is an API security company that provides an API protection platform to prevent attacks that uses machine learning and AI to automatically and continuously identify and protect APIs.
According to Salt Security's 2022 API Security Survey data, among more than 250 respondents:
95% said they had experienced an API security incident in the past 12 months;
Only 11% of respondents said they were using an API security strategy that included dedicated API testing and protection;
When asked about their biggest concern about their company's API plans, 40% of respondents highlighted security breaches as their top concern;
40% of respondents are struggling with APIs that change at least weekly, and 9% say their APIs change daily.
According to relevant statistics from Salt customers, 94% of API attacks occur on authenticated APIs. From the interviews above and feedback from customer data, the vast majority of companies have experienced API security incidents, yet only 11% of companies have an API security strategy that includes dedicated API testing and protection.
Therefore, for a company, what level of security defense should it build to defend against most security attacks?
The above question is not a problem that only existed after the Internet, but in the thousands of years of human war history, various countries have been exploring and practicing various defense strategies and fortifications. These experiences and ideas are also applicable to network security field. For example: WAF is for city walls, identity authentication is for soldier symbols, and honeypot is for straw boats to borrow arrows.
Among these war strategies, defense in depth is one of the effective ways.
what is defense in depth
Defense-in-Depth (DiD for short) is a multi-layer, three-dimensional security line of defense. Its working principle is to provide different types of protection on each line of defense, so as to become the best means to prevent attacks. These lines of defense can prevent different types of security issues and cover multiple domains in all directions.
At present, defense in depth can be roughly divided into the following three different lines of defense in terms of depth.
boundary
Border defense is the most basic and common type of defense. Almost all companies will invest in border defense, such as WAF. Defend against known attack methods and security vulnerabilities through regular expressions, IP blacklists, etc.
Most of the so-called attacks are initiated by "script kiddies". They do not have strong technical capabilities and hacker thinking, and can only conduct tentative attacks on targets in batches through some scripts and tools. At this time, border defense can well resist these indiscriminate attacks.
Although from a technical point of view, WAF does not have a particularly high technical content, but it has always been one of the necessary defense methods and is deployed at the outermost layer of defense.
In addition to WAF, there are some security defense tools specifically for Bots. Using Bots to carry out "credential stuffing" attacks is a common means of stealing high-value digital assets such as accounts. The general attack method is mainly by purchasing leaked email or password login information, and then log in to other websites in batches. In this case, the most effective way to defend is to identify the Bot and then intercept all requests made by the Bot.
The basic principle of bot interception is that the device is connected in series between the server and the access end in the form of a middleman. When the server returns a response page, the device inserts JavaScript into the returned page, requiring the access end (browser or hacker tool) to execute JS And calculate the relevant Token and put it in the cookie and return it. After receiving the Token, the device will judge whether the other party is a hacking tool and take corresponding actions.
These products can also encrypt specified content in the page, such as the URL or form content in the page. Theoretically speaking, this level of encryption should not be difficult for a "firm-willed" cryptography enthusiast (because a perfect key establishment mechanism has not been implemented between the client and the server), but against those skilled penetration tools Users are enough.
In a conventional enterprise server architecture, components such as WAF, SSL gateway, traffic gateway, and API gateway are all upstream and downstream in series. These components can be deployed separately or combined into a unified basic component.
At the API gateway level, we take Apache APISIX as an example. APISIX also provides some common capabilities in border defense, such as IP blacklist and whitelist, WAF rule engine, fault injection, traffic and speed limit, etc. When these capabilities are combined, the gateway can be used to block most indiscriminate security attacks.
to observe
In the security field, the most frightening thing is not that a security incident has been discovered, but that a security incident has never been discovered. The latter means that your business may have been compromised many times without realizing it.
Perceiving security risks and being able to conduct continuous observation is the most important step in combating " purposeful attacks ". After hackers break through the outermost perimeter defense, we need observability capabilities to identify potential malicious attack traffic.
At the observation and defense level, common methods include honeypots, IDS, NTA, NDR, APT (Advanced Persistent Threat) advanced persistent threat detection, threat intelligence, etc.
Among them, the honeypot is one of the methods with the longest history. It sets traps for malicious attackers by imitating some high-value targets, and then analyzes the attack behavior and even locates the attackers. However, APT detection and some machine learning methods are not easy to evaluate the effect intuitively. Because in a real production environment, the effect of machine learning will not be very good, because in terms of security, machine learning will still cause false positives.
Therefore, for most enterprise users, it is enough to do a good job in log collection and analysis, behavior tracing and electronic evidence, and timely detection of abnormal behavior at this level.
Going back to the API gateway level, APISIX can do more things from the perspective of observability.
First of all, it can perform log data and statistics such as Tracing, Logging, and Metrics. By locating each request, it can trace the source, record logs to adjust security policies, and mark abnormal traffic or parameters. In APISIX, other observability components, such as SkyWalking and Datadog, are mainly connected on the four-layer and seven-layer protocols.
Secondly, honeypots and high-value targets can be simulated through the arrangement of plug-ins to confuse attackers. For example, through APISIX workflow plug-ins, very precise control can be performed at the flow level. For example, execute a certain behavior when condition A is true, execute another behavior when condition B is true, and so on. Through this clearer method, users can more conveniently schedule various business traffic at the gateway level and respond in a timely manner.
Of course, the function of traffic mirroring can also be used to send some requests to parallel or serial security detection devices for quick security judgments to block attacks. Say something like detecting ABT attacks, it might be slower. Then if you use the gateway to mirror these API traffic to a secure device for analysis, and then import the data back after the analysis.
identity
When the attacker breaks through the outer double defense line and enters the internal network, it is time for identity authentication and access control to play a role.
The scenario of this defense method is similar to that where people swipe their ID cards to enter the station at airports and train stations, or scan codes to register at shopping malls and office buildings. Without the corresponding identity and authority, it is impossible to enter the corresponding system.
This layer of defense mainly reflects the basic security skills of the enterprise's business, and also reflects the information technology strength of an enterprise. The internal systems of many companies do not have sound identification and authority control systems, because the establishment of these systems requires long-term and continuous investment.
From the essence of security, the third line of defense is the most important. Because of the support of border protection and security threat observation, it is to a large extent helping the third line of defense. The security defense of borders and observations is the balance of input-output ratio, the balance between false positives and false positives, so there must be fish that slip through the net and enter the door of the intranet application system.
This line of defense is also where API gateways come into play. Take APISIX as an example, such as:
Realize docking with various identity authentication methods such as JWT and Key Auth;
Realize docking with various identity authentication systems such as Okta and Auth 2.0;
TLS and mTLS encryption of traffic via APISIX;
Connect with key management services such as Vault and KMS, and support automatic key rotation;
National secret support.
If the above angles are realized, the API gateway can improve the security level of your API and microservice fields.
The several layers of defense measures described above require the cooperation of multiple departments and multiple tools to effectively block security attacks. Of course, these multi-layered defenses can be defended with some configurations at the API gateway level.
So, is there a more effective way, the so-called "silver bullet", to solve all security problems?
Security Policy From "Black and White" to "Black and White"
The security community has been thinking about this issue. Most of the security defense and detection methods are to find a small number of security threats in the massive data. This operation is tantamount to finding a needle in a haystack, and there will inevitably be false positives and false negatives.
If we change our way of thinking and change "finding the bad guys" to "identifying the good guys", won't it be another village?
More than ten years ago, some antivirus software companies started to make such an attempt. Their starting point was as follows: since the Windows system and commonly used software are fixed, we will add these software to the white list, and others can be I will identify the programs one by one after executing them. Isn’t the rest just viruses? In this case, any new virus cannot escape the eyes of the anti-virus software. This plan is quite idealistic. It took four or five years from idea to implementation, but it is not an absolute "black and white", but hierarchical management.
In the world of network security and API security, the "black and white" mentality is even more applicable. For example, if a company provides a payment API interface to the outside world, a Token is required to access it. If there is no Token or Token error access, it must be a malicious request and needs to be rejected directly.
Ideally, all APIs should have similar authentication and access controls, and only those who have passed the authentication can be accessed. Although this cannot prevent "inner ghosts", social engineering and 0-Day attacks, it will greatly increase the threshold and difficulty for attackers, make the cost of attacks very high, and make "indiscriminate" attacks impossible.
For attackers, when the ROI (input-output ratio) becomes unreasonable, they will immediately turn their guns and look for other targets that are easy to attack.
Based on the basic ideas of "defense in depth" and "black or white", a security framework of "zero trust" has gradually been developed, hoping to solve the problem of network security once and for all.
Is Zero Trust the Panacea for API Security?
What is Zero Trust? The one-sentence explanation is: there is no trustworthy terminal in the system, so it is necessary to verify the identity everywhere.
Whether it is an external request or an internal access, whether it is a bastion machine, a springboard machine, a mobile phone or a PC, whether it is an ordinary employee, supervisor or CEO, it is assumed that it can be breached and cannot be trusted, and must pass identity authentication to access the corresponding Systems and APIs.
In addition to the trouble of verifying identity everywhere, it seems that there is no loophole. So is zero trust the killer feature of cybersecurity? The answer is: No, this kind of solution is currently the status quo of "the ideal is very full, but the reality is very skinny".
Zero trust is a comprehensive security framework and strategy. From terminals, BYOD, servers, APIs, microservices, data storage to various internal services and systems, all need to be transformed, and a strict and unified identity authentication system must be added. You can think of zero trust as a safety air cushion. Once there is a leak in one place, the entire air cushion is useless.
Implementing zero trust is difficult. You can imagine by analogy: in transportation hubs such as airports and high-speed rails, the cost of adding identification equipment, time and money is high.
In large enterprises, there are usually hundreds of systems, tens of thousands of APIs and microservices, or hundreds of thousands of terminals. Services of these scales require great courage and cost to build a complete zero trust system . Therefore, the current zero trust solution is more implemented in the government, military industry and some large enterprises.
Of course, that's not to say zero-trust solutions aren't useful. For most enterprises, it is a wiser choice to build a security defense system with higher ROI by learning from the idea of the zero trust solution.
At present, the core components of the zero trust system mainly include the following two types:
Unified Identity Authentication IAM (Identity and Access Management)
API Gateway Infused with Security Features
When there are two basic components, IAM and API gateway, the implementation of the zero trust solution can be better promoted. At the same time, with the division of relevant security levels, the control plane and data plane are separated at the API gateway level, identity and authority services are built, and unified management of traffic is finally realized.
However, it should be noted that zero-trust solutions are not perfect, and zero-day attacks and social engineering attacks are still undefendable by zero-trust solutions.
Summarize
Security is an infinite game, and attackers always hope to find more ROI means to obtain high-value digital assets, or to achieve the purpose of destruction. For enterprises in the open, how to avoid attackers' open and hidden arrows is not enough to rely on defense alone. It is also necessary to improve developers' security awareness, shift security to the left, and minimize the exposure of attack surfaces.
More high-quality article recommendations:
Talking about the resignation advice of an Ali P7 employee
What is Web 3.0 that we often hear about?
A new version of a divine book with a score of 9.3 on Douban