Google today announced a preview of Advanced API Security, a new product headed to Google Cloud that detects security threats as they relate to APIs. It's built on top of Apigee, Google's API management platform, and the company says customers can start requesting access today.
Short for "application programming interface," APIs are documented connections between computers or between computer programs. API usage is on the rise, with one survey showing that more than 61.6 percent of developers relied on APIs more in 2021 than in 2020. But APIs are also increasingly becoming the target of attacks. According to a 2018 report commissioned by cybersecurity vendor Imperva, two-thirds of organizations are exposing unsecured APIs to the public and partners.
Advanced API Security focuses on two tasks: detecting configuration errors in APIs and detecting bots. The service continuously scans managed APIs and provides recommendations for the misconfigurations it detects, and it uses predefined rules to identify malicious bots in API traffic. Each rule represents a distinct type of unusual traffic from a single IP address; if the pattern of API traffic matches any of the rules, Advanced API Security flags it as a bot.
"Badly configured APIs are one of the top causes of API security breaches." While most organizations identify and remediate API misconfigs as a priority, the configuration management process is cumbersome and resource-intensive, said Vikas Ananda, head of product at Google Cloud, in a blog post forwarded to TechCrunch ahead of the announcement. Advanced API Security now makes it easier for API teams to detect proxies that are noncompliant with security standards. Furthermore, Advanced API Security speeds the discovery of a potential data breach by identifying bots that succeeded in getting an HTTP 200 OK success status response code.
With Advanced API Security, Google appears to be strengthening its security tools within Apigee, which the company acquired in 2016 for more than half a billion dollars. But Google is also responding to growing competition within the API security market. Security startups with a recent focus on APIs include Salt Security, Noname Security and Neosec. Established vendors with recent additions to their portfolios include Barracuda, Akamai, 42Crunch, Traceable, Ping Identity and Signal Sciences. In March of this year, Cloudflare announced a new gateway aimed at boosting API security. And in May, Imperva acquired API security company CloudVector.
While the jury is out on how well these products really work in comparison to one another, the threat of API-borne attacks is very real. Companies like Peloton, Parler and even LinkedIn have fallen victim to API-driven attacks in the last few months. They are not alone. A recent study by Cloudentity found that 44% of companies have faced "substantial" API authorization problems related to privacy, data leakage, and object property exposure with internal and external-facing APIs.