
WHITE PAPER

The Holistic Approach for Mitigating API Driven Cyber Attacks

1 | The Holistic Approach for Mitigating API Driven Cyber Attacks L7DEFENSE.COM
TABLE OF CONTENTS

I. Introduction | 4

II. APIs as the driving force behind the current multi-channel digital transformation | 5

III. APIs as an attack vector | 5

IV. OWASP and the current API threat protection landscape | 6

V. API security | 7

VI. Holistic approach to API security | 8

VII. Summary | 9

VIII. About L7 Defense | 10

Appendix I - Major updates published by OWASP | 11

TABLE OF FIGURES

Figure 1 | Top 10 Web Application Security Risks & Top 10 API Security Risks | 6

Figure 2 | OWASP API risk list 2017 vs OWASP API risk list 2021 | 7

Figure 3 | Advanced API threat mitigation framework | 8

Figure 4 | Ammune™ INLINE Protection Mode | 9

GLOSSARY

AI Artificial Intelligence
ANSI American National Standards Institute
API Application Programming Interface
CIO Chief Information Officer
CISO Chief Information Security Officer
JSON JavaScript Object Notation
DevOps Software development (Dev) and IT operations (Ops)
ML Machine Learning
OWASP Open Web Application Security Project®
SOAP Simple Object Access Protocol
WAF Web Application Firewall
XML Extensible Markup Language

I. INTRODUCTION
APIs (Application Programming Interfaces) have been around since the 1970s, during the early
days of symbiotic, software-driven APIs. APIs became more prevalent following the natural
advancement of ANSI protocols and the emerging Java standards, resulting in the modern
multi-tier API approach that is the foundation of the current multi-channel digital
transformation.

Each time a user interacts with more than one data system or uses a query-based data retrieval
function, an API is used for that specific functionality. This applies to, e.g., sharing an
interesting article from a digital newspaper, using a real-time messaging application, or paying
online for the delivery of a fast-food order. The same applies to using online banking apps for
financial services. In other words, APIs are part of our daily life.

The meteoric rise of APIs has resulted in groundbreaking application agility. On the flip side,
it has made the organizations that use them vulnerable to cyberattacks. Current cybersecurity
defenses were never designed to protect APIs.

Gartner: “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches
for enterprise applications.”

II. APIS AS THE DRIVING FORCE BEHIND THE CURRENT MULTI-CHANNEL DIGITAL TRANSFORMATION

APIs have become the enabling factors for the new digital economy, made of dynamic web systems,
smartphone apps and business activities chained together through 3rd-party APIs. The widespread
adoption of APIs is positioning these interfaces as the catalyst for innovative software
development and the critical foundation for novel applications. The migration from monolithic
software design to flexible micro-services-based development increases API dependencies, thus
extending the risk potential.

Furthermore, while web applications are often based on some user-aware interaction, APIs can
also be used for application-to-application communication, with no user interaction at all and
with very limited native visibility of signaling and traffic.

It is important to understand that B2B applications are often based on APIs that were designed
years ago without much concern for security, which offers threat actors a golden opportunity to
conduct long and evasive data breaches.

Forrester: “Whether the API is based on a legacy iframe, XML/SOAP-based interface or even a
cutting-edge multi-tier oAuth2.0 API, the results will remain the same, Application interfaces
are contributing to over 80% of all internet application traffic with dramatic growth rate and
are exploitable to hundreds of threats, with hundreds of percent increase in threat factors.”

III. APIS AS AN ATTACK VECTOR


APIs have become the attack vector of choice for threat actors because of their vulnerability, as
the large number and scale of API cyber incidents have shown. These incidents have resulted in
financial losses of billions of dollars, the leakage of petabytes of private data, and the
compromise of the stability and integrity of critical applications and systems.

The Open Web Application Security Project® (OWASP), as the competent authority for everything
related to web security, has been trying to address the enormous volume of vulnerability
collections existing along the path from the browser to the web application server. That is why
OWASP publishes its updated Top-10 web vulnerabilities list, including updates that shape and
impact the design and functionality of every major WAF (Web Application Firewall) solution on
the market.

Figure 1 | Top 10 Web Application Security Risks & Top 10 API Security Risks

Figure 1 shows that WAF solutions lack API-1 risk analysis capability and therefore cannot detect
all exploitation based on “Broken Object-Level Authorization”. This means that they cannot address
one of the most common attacks, one already used in many API-driven breach events. Due to the
widespread use of object-based authorization and access control mechanisms in modern applications,
a minor variation in the API syntax (e.g., a JSON statement) can expose an API endpoint, leading to
the leakage of sensitive information. Also, the API-4 risk can be exploited effortlessly for
service exhaustion and denial of service if no rate-limiting variables are set.

Another example of a crucial exploitable risk is API-6. It addresses the risk and vulnerability of
mass handling. In this case, vulnerabilities in the API can enable threat actors to mass-update
client-level parameters (e.g., username, full name, etc.) and simultaneously update internal system
parameters, resulting in permission and privilege escalation and data modification.
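The three risks discussed above (API-1 object-level authorization, API-4 missing rate limiting, and API-6, which the OWASP API Top 10 2019 calls Mass Assignment) are easiest to see side by side in code. The following is an added example written for this page, not code from the paper or from L7 Defense: a deliberately vulnerable profile-update handler next to a hardened one, plus a token-bucket limiter. The store, user records, field names and the `(status, body)` handler convention are all constructed assumptions.

```python
"""Added example (not code from the L7 Defense paper): one vulnerable and one
hardened profile-update handler for OWASP API-1 and API-6, plus a token-bucket
rate limiter for API-4. All names, fields and sample records are constructed."""
from typing import Any, Dict, Tuple

# Constructed sample backing store. "role" is an internal field that must never
# be settable by a client through the API.
SAMPLE_USERS = {
    1: {"username": "alice", "full_name": "Alice Example", "role": "user"},
    2: {"username": "bob", "full_name": "Bob Example", "role": "user"},
}

# API-6 (mass assignment) mitigation: explicit allowlist of client-writable fields.
CLIENT_WRITABLE_FIELDS = {"username", "full_name"}


def fresh_store() -> Dict[int, Dict[str, str]]:
    """Return an independent copy of the sample store so each call starts clean."""
    return {uid: dict(rec) for uid, rec in SAMPLE_USERS.items()}


def update_profile_vulnerable(store, caller_id: int, target_id: int, payload: dict):
    """Vulnerable handler: trusts the object id named in the request (API-1) and
    merges every JSON key into the record (API-6). Returns (status, body)."""
    if target_id not in store:
        return 404, {"error": "not found"}
    store[target_id].update(payload)
    return 200, store[target_id]


def update_profile_hardened(store, caller_id: int, target_id: int, payload: dict):
    """Hardened handler: object-level authorization check plus a field allowlist."""
    if target_id not in store:
        return 404, {"error": "not found"}
    # API-1 Broken Object Level Authorization: the authenticated caller may only
    # modify the object it owns, whatever id the request names.
    if caller_id != target_id:
        return 403, {"error": "forbidden"}
    # API-6: reject unexpected fields outright rather than silently dropping them,
    # so a request carrying internal parameters shows up in the logs as a 400.
    unexpected = set(payload) - CLIENT_WRITABLE_FIELDS
    if unexpected:
        return 400, {"error": "fields not writable by clients", "fields": sorted(unexpected)}
    store[target_id].update(payload)
    return 200, store[target_id]


class TokenBucketLimiter:
    """API-4 mitigation: per-client token bucket. Up to `capacity` requests may
    burst, after which `refill_per_sec` further requests are admitted per second.
    The timestamp is passed in explicitly so behaviour is deterministic."""

    def __init__(self, capacity: int, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._buckets: Dict[Any, Tuple[float, float]] = {}  # client -> (tokens, last_seen)

    def allow(self, client_id: Any, now: float) -> bool:
        tokens, last = self._buckets.get(client_id, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True
        self._buckets[client_id] = (tokens, now)
        return False


if __name__ == "__main__":
    request = {"full_name": "Mallory", "role": "admin"}  # caller 1 names object 2
    print("vulnerable:", update_profile_vulnerable(fresh_store(), 1, 2, request))
    print("hardened:  ", update_profile_hardened(fresh_store(), 1, 2, request))
    limiter = TokenBucketLimiter(capacity=3, refill_per_sec=1.0)
    print("burst of 4:", [limiter.allow("client-a", 0.0) for _ in range(4)])
```

The hardened handler returns 400 on unknown fields instead of ignoring them; silently dropping extra keys hides the attempt from anyone reading the access logs, while a 400 gives detection something to count on.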

IV. OWASP AND THE CURRENT API THREAT PROTECTION LANDSCAPE


Two years after the first OWASP API risk publication was launched, the correlation between API risks
and massive cyber incidents has never been more evident. This means that the preliminary API risk
factors published by OWASP are no longer aligned with the current challenges. The potential for
massive cyberattacks abusing the vulnerabilities in modern APIs is more prominent than ever before.

The draft publication of the OWASP 2021 Top 10 List addresses API exploitation as the key trigger in
major cyber events in every key market segment, from finance and open banking to IoT and 5G
networking and commercial digital communication. This draft publication attempts to narrow the gap
between API and web security with a new risk list drawn from a significant application weakness
analysis and survey. A final publication of the API risk list should also address the multiple API
risks in the wild which, up till now, were not part of the 2019 list.

Figure 2 | OWASP API risk list 2017 vs OWASP API risk list 2021

For major updates published by OWASP, please refer to Appendix I.

V. API SECURITY
There are multiple risk factors and vulnerabilities that threaten APIs directly, but are not listed in the
OWASP API Top-10 2019, or covered in any way in the OWASP API Top-10 2021. However, any API
security strategy must take those unclassified threats into consideration and put a mitigation
mechanism in place.

To identify those threats and their potential impact, an analytical AI-driven API security platform
must be put in place to protect against API-centric (including web) risks. This provides a wide
security framework to mitigate advanced API threats, as shown in Figure 3.

Figure 3 | Advanced API threat mitigation framework

VI. HOLISTIC APPROACH TO API SECURITY


A holistic approach to an advanced threat mitigation strategy, consisting of a balanced blend of
technologies and tactics, is presented by L7 Defense. It is a fully automated AI-based API security
offering named Ammune™, built on AI/ML-driven analytical security technology. Its API-centric model
provides an adapted "micro protection" shield for any discovered API endpoint.

APIs are detected down to argument-level resolution, which is a key functionality for API threat
visibility, since what is not seen cannot be protected. A protection policy is adapted automatically
to each API endpoint according to its dynamic traffic profile.
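Argument-level discovery, as described in the paragraph above, can be illustrated with a small inventory builder. This is an added example written for this page, not Ammune's code or algorithm: it parses constructed access-log lines (the log format, paths and argument names are assumptions), collapses numeric path segments into an endpoint template, records which query arguments each endpoint has carried, and classifies a new request as known, as carrying a never-seen argument, or as hitting an endpoint absent from the baseline. A real system would also learn request-body fields and value ranges; this shows the visibility step only.

```python
"""Added example (not L7 Defense's Ammune code): builds a per-endpoint inventory
of argument names from constructed access-log lines, then classifies a new
request as known, carrying an unseen argument, or hitting an unseen endpoint."""
import re
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed baseline traffic (not real logs): "<method> <path?query> <status>".
BASELINE_LOG = """\
GET /api/v1/orders?customer_id=17&limit=20 200
GET /api/v1/orders?customer_id=42 200
POST /api/v1/orders 201
GET /api/v1/orders/17 200
GET /api/v1/orders/42 200
GET /api/v1/users/7 200
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")
EndpointKey = Tuple[str, str]  # (method, normalized path template)


def normalize_path(path: str) -> str:
    """Collapse purely numeric segments into {id} so /orders/17 and /orders/42
    resolve to the same endpoint template."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into method, endpoint template and query-argument names."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "method": m["method"],
        "endpoint": normalize_path(parts.path),
        "args": frozenset(parse_qs(parts.query, keep_blank_values=True)),
        "status": int(m["status"]),
    }


def build_inventory(log_text: str) -> Dict[EndpointKey, Set[str]]:
    """Map each (method, endpoint) seen in the baseline to the argument names it carried."""
    inventory: Dict[EndpointKey, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            inventory[(rec["method"], rec["endpoint"])] |= rec["args"]
    return dict(inventory)


def classify_request(inventory: Dict[EndpointKey, Set[str]], line: str) -> str:
    """Return 'known', 'unknown-argument', 'unknown-endpoint' or 'unparsable'."""
    rec = parse_line(line)
    if rec is None:
        return "unparsable"
    key = (rec["method"], rec["endpoint"])
    if key not in inventory:
        return "unknown-endpoint"
    if rec["args"] - inventory[key]:
        return "unknown-argument"
    return "known"


if __name__ == "__main__":
    inv = build_inventory(BASELINE_LOG)
    for key, args in sorted(inv.items()):
        print(key, sorted(args))
    for req in ("GET /api/v1/orders?customer_id=17 200",
                "GET /api/v1/orders?customer_id=17&export_all=1 200",
                "DELETE /api/v1/orders/17 200"):
        print(classify_request(inv, req), "<-", req)
```

An "unknown-argument" or "unknown-endpoint" verdict is a visibility signal, not a block decision on its own; in practice it feeds the per-endpoint policy so that new arguments are reviewed before traffic carrying them is trusted.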

In addition to technologies and tactics, a complete defense strategy allows for the fusion of multiple
threat mitigation mechanisms with trailblazing automation features for real-time inline mitigation
based on a holistic approach to API security.

VII. SUMMARY
To actively protect APIs in real time, an innovative approach is needed, since current security
solutions were never designed, and are therefore not able, to protect APIs effectively against
cyberattacks.

Ammune™, the fully automated AI-based API security offering of L7 Defense, actively protects APIs in
real time: inline, automated, and highly accurate, against the most advanced cyberattacks, in the
cloud and on-premise.

Figure 4 | Ammune™ INLINE Protection Model

Frost & Sullivan: “With its unique approach to analyzing traffic, leveraged by its groundbreaking
technology that delivers distinct competitive advantages, L7 Defense received Frost & Sullivan’s
2020 Global Product Leadership Award for its fully autonomous AI-based machine learning API
security solution”

VIII. ABOUT L7 DEFENSE
L7 Defense was founded by a team of experts in bio-informatics, machine learning, enterprise
architecture, and cybersecurity technologies. The company developed its API security solution,
Ammune™, on its own core AI/ML unsupervised learning technology. The company is part of the highly
dynamic cybersecurity ecosystem and has made it its mission to protect APIs from the latest breed of
cyberattacks.

APPENDIX I - MAJOR UPDATES PUBLISHED BY OWASP
A01:2021-Broken Access Control moves up from the fifth position.

A02:2021-Cryptographic Failures shift up one position to #2, previously known as Sensitive Data
Exposure.

A03:2021-Injection slides down to the third position. 94% of the applications were tested for some
form of injection including XSS and advanced Injection options.

A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws.
This relates to the concept of “Shift-left” and bringing secured architectures into DevOps CI/CD
cycles.

A07:2021-Identification and Authentication Failures were previously Broken Authentication and
are sliding down from the second position, now including vulnerabilities that are more related to
identification failures.

A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on making
assumptions related to software updates, critical data, and CI/CD pipelines without verifying
integrity. This also complements the idea of the “Shift-Left” strategy.

A10:2021-Server-Side Request Forgery is added from the industry survey (#1). The data shows a
relatively low incidence rate with above average testing coverage, along with above-average
ratings for Exploit and Impact potential. This category represents the scenario where the industry
professionals are telling us this is important, even though it's not illustrated in the data at this
time.
