Application programming interfaces (APIs) have become a critical part of networking, programs, applications, devices, and nearly everything else in the computing landscape. This is especially true for cloud and mobile computing, neither of which could probably exist in its current form without APIs holding everything together or managing much of backend functionality.
Because of their reliability and simplicity, APIs have become ubiquitous across the computing landscape. Most organizations probably don’t even know how many APIs are operating within their networks, especially within their clouds. There are likely thousands of APIs working within larger companies, and even smaller organizations probably rely on more APIs than they realize.
As useful as APIs have become, their use has also created a danger. Because there are few standards for API creation, and because many are unique, it’s not uncommon for APIs to contain exploitable vulnerabilities. Bad actors have found that attacking an API is often much easier than going after a program, database, application, or network directly. Once compromised, it’s not difficult to change an API’s functionality, making it a sort of turncoat insider that works for the hacker.
The other big danger with APIs is that they are almost always over-permissioned. Programmers give them high permissions so that they can perform their functions without interruption. But if an attacker compromises an API, then they could use those high permissions to do other things, just as if they had compromised a human administrator’s account. This has become such a problem that research from Akamai says attacks against APIs make up 75% of all credential-stealing attempts worldwide. Attackers know that APIs are both vulnerable and ubiquitous and are gunning for them.
Given the severity of the problem with API hacking, it’s no surprise that the number of API security tools has also blossomed in recent years. There are dozens of commercial tools designed to protect APIs and hundreds of free or open-source ones as well. Many share similarities and functionality with other types of cybersecurity programs, but are tuned specifically to the unique nature of APIs.
In general, API security tools fall into one of several categories, although some offer complete platforms that try to do everything at once. The most popular type of API security tool these days is the kind that shields APIs from malicious requests, sort of like an API firewall. Other tools are designed to dynamically assess a specific API to look for vulnerabilities so that its code can be hardened against attacks. Still others simply scan an environment so that an organization can discover how many APIs exist within its network, with the idea that nobody can protect what they don’t know about.
Trying to compile a complete list of API cybersecurity tools would be difficult given how many there are. But by studying both user and commercial reviews, several tools do start to stand out. The following are some of the top tools available to help beef up API security with brief descriptions of their strengths and functions. Hundreds don’t make this list, but this should provide a good snapshot of what is available and possible when trying to secure APIs against today’s increasingly hostile threat landscape.
Here are nine of the top security tools available now:
One of the most popular API security tools, APIsec is almost completely automated, making it well suited to organizations that may just be getting started with improving their API security. In a production environment where APIs are already established, APIsec will scan them and test against common vulnerabilities such as script injection attacks. But it will also completely stress test each API to ensure that it is hardened against such things as business process attacks that are not so easy to detect. If problems are found, it will flag them along with detailed results for security analysts.
APIsec can also be used proactively by developers as APIs are being created. That way, any vulnerabilities can be quashed before an API goes live, with APIsec continuing to watch over things after the API is deployed, just in case.
Astra is a free tool, although that means that there is limited support and users will need to grab it from GitHub and install it in their environment. That said, the tool has a stellar reputation for helping to manage and protect a very specific type of API.
Astra mostly concentrates on representational state transfer (REST) APIs, which can be extremely difficult to test and secure because they change frequently. Astra helps by integrating into an organization’s continuous integration and continuous delivery (CI/CD) pipeline. It ensures that the most common vulnerabilities that can affect APIs don’t creep back into supposedly safe REST APIs as they constantly change as part of their function.
AppKnox is known for being very supportive of its user base. The platform has a very easy-to-use interface to begin with, but the company also offers a lot of help when deploying and using it. AppKnox has made its way into a lot of organizations with small security teams because it can support the addition of API security with minimal effort.
Once installed, AppKnox will test APIs for common problems such as HTTP request vulnerabilities, SQL injection openings, and many others. It also scans all resources that connect with APIs to ensure that they are not able to become a valid attack path for hackers.
The Cequence Unified API Protection platform is designed for organizations deploying enterprise environments that may need to handle billions of requests made to their APIs every day. The scalable protection platform first detects all APIs within the organization and then files them in an extensive inventory. Thereafter, APIs can be given general tests for vulnerabilities or security teams can define specific tests that need to be performed on groups of APIs. This is extremely helpful for not only securing APIs but also for helping to comply with governmental or industry regulations that require specific protections to be in place.
Also helping with Cequence’s enterprise focus is the ability to set up automatic protections or actions that should be taken in response to an attack or a suspicious interaction with an API. Because Cequence handles this itself, there is no need to include external security devices like firewalls to activate that protection. That keeps the load off those external peripherals and speeds up the response time so that an API is nearly instantaneously protected from live threats.
Data Theorem API Secure can inventory every API that exists within a network, cloud, application, or any other target. That makes it a great choice for organizations that want to beef up their API security, but don’t know where to start or even how many APIs they are using. And API Secure also keeps the API inventory up to date, quickly finding any new APIs as they are deployed.
Once located, API Secure will act like a hacker and test every API for vulnerabilities. It can then flag that API for a human to examine or automatically remediate many vulnerabilities on its own.
The Salt Security API Protection Platform is extremely advanced and was one of the first to fully utilize artificial intelligence and machine learning to detect and stop threats against APIs. The platform does this by collecting API traffic across an entire network, analyzing what calls are being made to APIs and what they are doing in response. It then compares what it is seeing locally to traffic data stored in a cloud-based big data engine. It can then stop most attacks and highlight suspicious activity, alerting human security teams or taking action based on its settings.
The platform continues to learn over time and the longer it examines a network of APIs, the more accurate it becomes when determining what is acceptable behavior on that specific network.
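The learn-a-baseline-then-flag-deviations approach described for Salt Security can be illustrated with a small detector. This is an added example, not Salt Security’s code or algorithm; the log format, routes, clients and thresholds are all assumed, and the traffic is constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
# Constructed traffic samples ("minute client method path status"); not real data.
BASELINE_TRAFFIC = """\
1 10.0.0.5 POST /login 200
1 10.0.0.9 POST /login 200
2 10.0.0.5 GET /account 200
2 10.0.0.9 GET /account 200
3 10.0.0.5 POST /login 401
"""
LIVE_TRAFFIC = """\
10 10.0.0.5 POST /login 200
10 198.51.100.4 POST /login 401
10 198.51.100.4 POST /login 401
10 203.0.113.7 POST /login 401
10 203.0.113.7 POST /login 401
10 203.0.113.7 POST /login 401
10 203.0.113.7 GET /admin/export 403
"""

def parse(text):  # returns (minute, client, "METHOD path", status) tuples
    return [(int(m), c, f"{v} {p}", int(s)) for m, c, v, p, s in
            (line.split() for line in text.splitlines())]

def learn_baseline(text):
    """Per route: typical per-client-per-minute volume and the share of 4xx responses."""
    volume, errors = Counter(), defaultdict(list)
    for minute, client, route, code in parse(text):
        volume[(minute, client, route)] += 1
        errors[route].append(int(400 <= code < 500))
    per_route = defaultdict(list)
    for (_, _, route), n in volume.items():
        per_route[route].append(n)
    return {r: {"mean": mean(v), "std": pstdev(v), "err": mean(errors[r])}
            for r, v in per_route.items()}

def detect(baseline, text, k=3.0, min_gap=1):
    """Flag per-minute client behaviour that departs from the learned profile."""
    volume, errors = Counter(), Counter()
    for minute, client, route, code in parse(text):
        volume[(minute, client, route)] += 1
        errors[(minute, client, route)] += 400 <= code < 500
    findings = []
    for (minute, client, route), n in volume.items():
        prof = baseline.get(route)
        if prof is None:
            findings.append((client, route, "route never seen during learning"))
        elif n > prof["mean"] + max(k * prof["std"], min_gap):  # floor for tiny windows
            findings.append((client, route, "request volume far above learned profile"))
        elif errors[(minute, client, route)] / n > prof["err"] + 0.5:
            findings.append((client, route, "error share far above learned profile"))
    return sorted(findings)
```

The benign client that behaved as during learning produces no finding; the two unfamiliar clients are flagged for volume, error share, and an endpoint the baseline never saw.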
Noname Security has developed a good reputation with large corporations supporting huge enterprise environments. It is reportedly used by 20% of Fortune 500 companies. It was designed to go beyond the standard API vulnerability-checking protection offered by some platforms by analyzing traffic data moving through APIs. It then taps into AI and machine learning to look for malicious activity.
Noname Security supports the use of both common and non-standard APIs in its testing. For example, it fully supports HTTP, RESTful, GraphQL, SOAP, XML-RPC, JSON-RPC, and gRPC APIs. Using traffic data, it can even find, catalog, and protect APIs not managed by an API gateway, or homegrown APIs that don’t follow any standard protocols.
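Several of the tools above begin by discovering and inventorying APIs from observed traffic. As an added illustration that is not part of the original article or any vendor’s product, the following script compares the route templates seen in access logs against a declared inventory to surface shadow endpoints; the log format, route names and inventory are assumed and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of access-log lines ("method path status client"), not real traffic.
SAMPLE_LOG = """\
GET /api/v1/users/1042 200 10.0.0.5
GET /api/v1/users/77 200 10.0.0.9
POST /api/v1/orders 201 10.0.0.5
GET /api/v1/orders/5531/items 200 10.0.0.5
GET /internal/debug/config 200 10.0.0.12
POST /api/v2/users/export 200 10.0.0.12
"""

# Declared inventory as route templates, the way an OpenAPI document would list them
# (assumed names, not any real service).
DECLARED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}/items"),
}

# Path segments that look like identifiers: integers, UUIDs, 24-hex object ids.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27}|[0-9a-f]{24})$", re.I)

def normalize(path):
    """Collapse identifier segments so /users/1042 and /users/77 map to one template."""
    parts = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in parts)

def observed_routes(log_text):
    """Count each (method, template) pair seen in traffic."""
    routes = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            routes[(fields[0].upper(), normalize(fields[1]))] += 1
    return routes

def shadow_apis(log_text, declared):
    """Observed routes that no declared template covers, with hit counts."""
    return {r: n for r, n in observed_routes(log_text).items() if r not in declared}
```

Anything returned by `shadow_apis` is an endpoint taking traffic that the inventory does not know about, which is the first thing a discovery tool would put in front of the security team.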
Concentrating on the development environment, SmartBear ReadyAPI can be used not only to test APIs for security vulnerabilities while they are being built but also to monitor their performance. That way developers can, for example, see what happens if an API encounters a very large volume of data, which could also be a security issue.
As part of that testing, users can configure what kinds of traffic to throw at APIs in development, or ReadyAPI can capture real traffic from the organization’s network and then use that for a very realistic test. Natively, ReadyAPI supports Git, Docker, Jenkins, Azure DevOps, TeamCity, and more.
While the Wallarm End-to-End API Security platform was designed to work in a cloud-native environment where many APIs reside, it can also work to secure APIs that exist in on-prem equipment. It’s designed to protect against any kind of threat made against an API, from those on the Open Web Application Security Project (OWASP) top vulnerabilities list to specific threats like credential stuffing that are often made against APIs.
Wallarm can also help to mitigate distributed denial of service (DDoS) attacks and reconnaissance incursions, or outright attacks, made by bots. Given that most of the traffic on the internet today is made up of bots, that is a nice feature to have in a security tool.
The platform also provides a deep overview of an organization’s entire API portfolio based on user traffic, which can provide insight not just into security, but also into how APIs are being used by the organization and what areas may need to be improved. That is not the primary purpose of the Wallarm platform, but the detailed reports would certainly be helpful in areas outside of security as a bonus for using the platform.