By standardising the front-end of software components, APIs (Application Programming Interfaces) are the preferred channel for inter-application exchanges and therefore play a central role in the architecture of distributed digital services. As entry points into systems, they also constitute an attack vector that is all the more vulnerable because they often remain outside the scope of traditional security solutions. Salt Security, an Israeli company based in Silicon Valley, targets this blind spot in cybersecurity by developing solutions exclusively dedicated to securing APIs.
Why are APIs a major security issue?
In 2022, Gartner estimated that APIs would become the dominant attack vector for cybercriminals. The figures published by Salt Security in the summer of 2022 as part of its API Security Watch seem to confirm this prediction: the vendor notes a 117% increase in malicious traffic via APIs in one year, and 94% of the companies surveyed admit to having experienced a security incident involving their APIs in production.
By allowing software components of various origins to communicate easily, APIs have risen meteorically in a few years to the point of becoming omnipresent in modern information systems. In 2016, the year Salt Security was founded, Postman, which publishes an API management tool, counted fewer than 500,000 files created with its solution; by 2022, that figure had risen to 38 million! Like so many doors in increasingly interconnected systems, APIs also provide access, directly or indirectly, to increasingly sensitive systems.
Finally, to add to the complexity, APIs are generally created, modified or deleted at the accelerated pace of agile projects. According to the Salt Security Observatory, more than 40% of companies change their APIs at least once a week. Worse still, a large number of APIs are created or abandoned without IT departments being informed. In short, huge quantities, frequent changes, grey areas and sensitive data: APIs have all the ingredients for a dangerous security cocktail.
However, more than 6 out of 10 companies admit to having no security strategy for their APIs, or only a cursory one. In particular, they blame their cybersecurity tools, which 82% consider ineffective against possible attacks. Under these conditions, it is hardly surprising that attackers are rubbing their hands.
Why are WAFs (Web Application Firewalls) insufficient?
When the information system was a compact whole, located within the walls of the company and its data centre, it could be protected by erecting a barrier around it to control access from outside: the firewall. With the fragmentation of the IS into a constellation of components connected via the Internet, this is no longer possible. The barriers were therefore moved to the level of each application: this is the principle of the Web Application Firewall (WAF). A WAF is a physical or virtual device placed in front of the application, which analyses incoming traffic to detect the signatures of known attack methods (SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), etc.) and blocks the matching requests.
The problem is that attackers now carry out far more sophisticated attacks. Their offensives often begin with innocuous-looking reconnaissance actions to identify the weaknesses of each application and target them better, and can last up to several weeks. This spares them from using more conventional routes, which would lead to immediate detection. They then have more time to act discreetly, whether to exfiltrate data or usurp access rights in order to penetrate further into the information system.
How does Salt Security protect APIs?
The Salt Security platform protects APIs of all types (SOAP, REST, GraphQL), whether internal or external, throughout their lifecycle against attacks of all kinds (in particular those listed in the OWASP Top 10) and against vulnerabilities resulting from faulty implementations. Salt relies heavily on artificial intelligence (AI) and machine learning (ML) to address both the scale of the problem and the specificity of each attack.
By analysing data from within the company and from similar organisations, the solution automatically draws up a complete inventory of the information system’s APIs (some customers discover up to 9 times more than they had previously counted), identifies data that may be exposed, analyses flows and anomalous behaviour upstream of the APIs to detect and block malicious actions, even as they are still approaching their target, and tracks any corrective measures that may be required. Understanding the nature and sensitivity of data, API analysis and real-time alerts are the three capabilities that make Salt the preferred choice over a traditional WAF.
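As an added illustration of the contrast drawn above between a WAF's signature matching and the behavioural analysis of API traffic, the following Python example runs two detection rules over a constructed sample of API access-log records. It is not code from Salt Security or from this article, and the log records, the signature patterns and the thresholds are all assumptions chosen for the demonstration. The signature rule catches the classic injection request but is silent on the client that probes one unknown endpoint after another; the behavioural rule flags that reconnaissance pattern (many distinct paths, mostly 404s, within a short window), which is exactly the phase the text says precedes the actual attack.

```python
import re
from collections import defaultdict

# Constructed sample of API access-log records (hypothetical, not real traffic).
# Fields: timestamp in seconds, client IP, HTTP method, request path, status code.
SAMPLE_LOG = [
    (0, "10.0.0.5", "GET", "/api/v1/users/42", 200),
    (1, "10.0.0.5", "GET", "/api/v1/orders?user=42", 200),
    (2, "10.0.0.9", "GET", "/api/v1/users?id=1' OR '1'='1", 200),  # textbook injection
    (3, "10.0.0.7", "GET", "/api/v1/admin", 404),                 # start of a probing run
    (4, "10.0.0.7", "GET", "/api/v1/export", 404),
    (5, "10.0.0.7", "GET", "/api/v1/debug", 404),
    (6, "10.0.0.7", "GET", "/api/v2/users", 404),
    (7, "10.0.0.7", "GET", "/api/internal/config", 404),
    (8, "10.0.0.7", "GET", "/api/v1/users/43", 200),
    (9, "10.0.0.5", "GET", "/api/v1/users/42", 200),
]

# Minimal WAF-style signatures (assumed patterns, kept deliberately small).
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
    "xss": re.compile(r"<script", re.IGNORECASE),
}


def signature_alerts(records):
    """Signature matching, the WAF principle: one alert per request whose
    path matches a known attack pattern. Requests that look ordinary pass."""
    alerts = []
    for ts, ip, method, path, status in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append({"client": ip, "rule": name, "ts": ts, "path": path})
    return alerts


def recon_alerts(records, window_s=60, min_distinct=5, min_miss_ratio=0.5):
    """Behavioural rule: flag a client that, within `window_s` seconds, touched
    at least `min_distinct` distinct paths with a share of 404 responses of at
    least `min_miss_ratio`. No single request is malicious on its own; the
    pattern is. One alert per client, for the first window that qualifies."""
    by_client = defaultdict(list)
    for ts, ip, method, path, status in sorted(records):
        by_client[ip].append((ts, path, status))

    alerts = []
    for ip, events in by_client.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_s.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            window = events[start:end + 1]
            distinct = {path for _, path, _ in window}
            misses = sum(1 for _, _, status in window if status == 404)
            if len(distinct) >= min_distinct and misses / len(window) >= min_miss_ratio:
                alerts.append({"client": ip, "rule": "recon",
                               "distinct_paths": len(distinct), "misses": misses})
                break
    return alerts


def analyse(records):
    """Run both rule sets and return the combined alert list."""
    return signature_alerts(records) + recon_alerts(records)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample, the signature rule reports only the injection attempt from 10.0.0.9, while the reconnaissance rule reports 10.0.0.7 after its fifth distinct miss; run on 10.0.0.7's requests alone, the signature rule returns nothing, which is the blind spot the WAF discussion above describes. In production the thresholds would be tuned per API and the baseline learned from normal traffic rather than fixed by hand.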
In April 2022, Salt Security announced that it had discovered a major API security flaw in a US fintech platform that could have compromised the systems of hundreds of banks and affected millions of customers. This unique and innovative approach, proven at scale, seems to be aimed at organisations that already have a certain maturity in application security and will be able to make the most of it.
How can I learn more about Salt?
This article is part of a larger series focusing on the technologies and topics found in the first edition of the Devoteam TechRadar. To see what our community of tech leaders said about the current position of Helm in the market, take a look at the most recent edition of the Devoteam TechRadar.