Imperva is continuing to evolve its API Security offering to help customers better protect their APIs, wherever they are, and to meet changing market requirements. Since launching API Security in March 2022, we have continued investing in the offering with the goal of simplifying the protection of growing API libraries from business logic attacks and other OWASP API Top Ten threats.
Enhancements include:
- Expanded discovery capabilities: Imperva API Security now protects organizations from authentication-related vulnerabilities, mass assignment vulnerabilities, excessive data exposure, and design and implementation issues.
- Unified management: Imperva API Security is part of the market-leading Imperva Web Application & API Protection (WAAP) platform. A single dashboard gives security teams visibility into all application and business logic risks, while protecting critical assets from API abuse, bad bots, account takeover, DDoS attacks, and more.
- Protection from business logic attacks and anomalies: Security teams can use Imperva API Security to identify abnormal API behavior as an indicator of a future vulnerability, allowing for preventative measures before the API is exploited. Organizations gain comprehensive protection from future threats and from complex business logic attacks which are difficult to detect and mitigate.
Expanded API Discovery Capabilities
Our API Security solution leverages deep discovery and classification of sensitive data to detect all public, private, and shadow APIs and empower security teams to implement a positive security model. Imperva API Security anomaly detection and discovery enables DevOps and SecOps teams to continuously validate their API security posture during the Build, Test and Run phases of API development. To further strengthen this process, we have expanded our API discovery capabilities to include new features such as:
- Authentication-Related Vulnerabilities: APIs left open to unauthenticated access, due to misconfiguration or a simple implementation oversight, remain a major cause of data breaches. In addition, just as weak user credentials put user data at risk, API implementations that use or reuse weak API tokens can expose the backend application and put its data at risk.
- Design and Implementation Issues: The flexibility offered by using web APIs is a double-edged sword. While they are easy and agile to implement, they can also contain security flaws that make them a target for bad actors and put applications and data at risk. Such design flaws need to be identified, flagged, and corrected.
- Excessive Data Exposure: This new feature helps buy down risk by showing the user when a larger than normal volume of data is in motion across an API. For APIs that carry sensitive data, unusual data volumes can be an indicator of a potential anomaly or breach. Security teams can remediate excessive data exposure by applying rate limiting and other measures to prevent abuse of risky API endpoints.
- Deprecated API Discovery: APIs that are not fully deprecated pose a security risk and fall into the category of Improper Asset Management. In some scenarios, deprecated APIs are not removed from an application's infrastructure, in order to preserve functionality for legacy environments. Without proper visibility of the entire API inventory, inadequately deprecated or unmaintained APIs can contain code vulnerabilities, which makes them a target for malicious threat actors. Deprecated API Discovery allows security teams to identify such APIs and complete the deprecation process to remediate this risk.
- Mass Assignment Discovery: Mass Assignment attacks occur when an attacker exploits a validation flaw in code that binds multiple client-supplied attribute values to an object at once, a shortcut developers use to save time and accelerate deployment (usually for non-sensitive objects). Once an attacker manipulates the validation flaw, they can perform attacks such as command injection, privilege escalation, and data exfiltration. The latest Imperva API Security enhancements include Mass Assignment Discovery, which enables security teams to detect and mitigate Mass Assignment activity over an API.
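To make the Mass Assignment item concrete, here is an added example (not Imperva's code, and not tied to any real endpoint): a profile-update handler that binds every submitted field, the same handler with an explicit allowlist, and a small detector that flags submitted fields outside that allowlist, which is the kind of signal a discovery tool surfaces. The user record, the allowlist and the request body are constructed for the example.

```python
# Added example (not Imperva's code): mass assignment in a JSON "update profile" handler.
# The vulnerable version copies every field from the request body onto the user record,
# so a client can set fields it was never meant to touch (e.g. "role"). The hardened
# version binds only an explicit allowlist, and a detector reports requests that carry
# fields outside that allowlist.

from typing import Any, Dict, List

# Constructed sample user record.
USER = {"id": 42, "email": "alice@example.com", "display_name": "Alice", "role": "user"}

# Fields a client may change through this endpoint (an assumption made for the example).
ALLOWED_FIELDS = frozenset({"email", "display_name"})


def update_profile_vulnerable(user: Dict[str, Any], body: Dict[str, Any]) -> Dict[str, Any]:
    """Binds every submitted key onto the record: the mass assignment flaw."""
    updated = dict(user)
    updated.update(body)  # a "role": "admin" entry in the body silently lands here
    return updated


def update_profile_hardened(user: Dict[str, Any], body: Dict[str, Any]) -> Dict[str, Any]:
    """Binds only allowlisted keys; every other submitted key is ignored."""
    updated = dict(user)
    for key in ALLOWED_FIELDS:
        if key in body:
            updated[key] = body[key]
    return updated


def unexpected_fields(body: Dict[str, Any]) -> List[str]:
    """Detection: names of submitted fields the endpoint does not accept.
    A non-empty result is worth logging and alerting on as possible mass assignment activity."""
    return sorted(set(body) - ALLOWED_FIELDS)


if __name__ == "__main__":
    # Constructed request that tries to change "role" alongside a legitimate edit.
    body = {"display_name": "Alice B.", "role": "admin"}
    print(update_profile_vulnerable(USER, body)["role"])  # admin
    print(update_profile_hardened(USER, body)["role"])    # user
    print(unexpected_fields(body))                         # ['role']
```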
API Security Anywhere
Imperva is advancing its commitment to provide API Security Anywhere. The solution can be deployed in the Cloud, via the Imperva Cloud WAF Platform or other Cloud WAF, on-prem or across hybrid environments. In addition, we have expanded our integration with existing API gateways to offer standalone API Security, such as our partnership with Kong Inc, a leading API Management provider. Our solution is already compatible with other API gateways including Mulesoft, Azure APIM Gateway, and Apigee.
Join us at RSA Conference
We look forward to telling you more about our latest API Security enhancements and our future API Security roadmap at RSA Conference 2023. Come and meet us at Booth #5180 in Moscone North.
About Imperva API Security
Imperva API Security is easily deployed and supports cloud-native and other installations, to help organizations quickly discover, monitor and protect all their APIs, whether known or unknown.