API protection: APIs account for 90% of the web app attack surface

Over 60% of companies have more than 400 APIs, and APIs make up more than 80% of web traffic. Translation: APIs are a giant gateway for attacks on web-enabled apps. But it’s not just the size of this gateway that’s concerning — it’s APIs’ increasing vulnerability.

While skilled developers use APIs, so do non-technical businesspeople; that’s fueled the rise of API use, which further attracts attackers.

As for the techniques adversaries use to abuse APIs, it’s common to see:

• Scraping, where bots collect sensitive information such as customer information, financial data, and intellectual property
• Brute-force attacks, where bots overwhelm APIs to guess passwords, access tokens, and other credentials to gain access to backend systems.
• Denial-of-service attacks, where high-volume requests render APIs unavailable to legitimate users.
• Exploitation and fraud, where bots create fake accounts, spam, and more.

There are more threats, like shadow and zombie APIs, and volumetric attacks without rate limiting that target e-commerce APIs (No. 4 in OWASP’s API Security Top 10). In fact, there are so many that Forrester has advised CISOs to focus on API technology and bot management as dual priorities for 2023.

The glaring problem, though: traditional bot management solutions can’t effectively counter crafty adversaries.

From your revenue to your customer experience to your very brand itself, API threats sport a range of harmful effects, including:

• Large cost of having private data exposed
• Poor app performance and experience
• Loss of customers
• Expensive regulatory fines
• Damage to your reputation and brand equity

Here’s why traditional bot management vendors are failing: They allow bots to enter your infrastructure before they are able to block them, allowing for a window of opportunity to conduct their attacks. Also, static defenses also take too long to learn and adapt to bot attacks, needing manual tuning, requiring a large amount of resources and time, giving botters yet another window of opportunity to successfully launch attacks.

In addition, they rely on a first-generation technique known as “fingerprinting.” This is an attempt to construct an identifier (aka, a “fingerprint”) by collecting unique identifying data, and it’s got two major flaws:

1. It’s become ineffective because of the anti-tracking movement, which continues to prompt changes to browsers.
2. It’s easy to replay legitimate fingerprint data and trick anti-bot detection.

Instead of relying on fingerprints, Kasada instead looks for immutable evidence whenever tools are used to interact with APIs. Also, Kasada’s API protection doesn’t rely on static defense tactics, instead using dynamic detection methods that can adapt as quickly as attackers do. Kasada also leverages in depth threat intel to ensure that the solution stays ahead of constantly evolving threats.

Kasada’s layered and holistic defense functions differently, takes the fight to the bots — and exhausts them. Without informing attackers, Kasada’s proof of work challenge exponentially increases the difficulty level along with the number of abusive requests over time. Put simply, it saps adversaries’ resources and makes them work harder. It erodes the ROI of the attack. The results:

• Neutralization of the immediate attack
• Prevention of replay attacks
• Deterrence of future attacks

When you make attacks too expensive, attackers look elsewhere. When threats can’t retool, they aren’t threats at all. That’s Kasada’s approach: experts in detecting automation with an unmatched knowledge of adversarial techniques – a team and technology that takes the work off you.