Similar to how a mobile app is an application which runs on a smartphone, a web app refers to a software application that carries out a particular function using a web browser as its client. The first web applications date back decades, long before the internet was mainstream, but it’s during this century that they’ve really proven their worth – as seen by Google’s growing suite of cloud apps like Google Docs and Gmail. These applications give traditional standalone software packages a run for their money. They’re getting better all the time.
Because of their visibility, web security focuses heavily on web apps. Attacks that can be leveled against web apps include SQL injections, Cross-site Scripting (XSS), Remote File Inclusion, Cross-site Request Forgery (CSRF), and others. These can be used to wreak havoc, such as stealing sensitive user data.
But while no shortage of attention is (rightfully) paid to defending web apps from attack, organizations’ web security strategies often place less emphasis on their web APIs. That’s bad news for all involved, since web APIs – which are designed with automated access in mind – are just as powerful as web apps while being arguably more vulnerable to abuse.
It’s a critical reminder of why tools like Web Application and API Protection (WAAP) are so essential. Simply put, they’re something that no organization should be without.
Web applications and web APIs: What’s the difference?
Web applications and Web APIs sound similar. There’s some crossover between them, too, but also notable differences. Web apps are designed for human interaction, allowing users to interact with them and presenting results in the browser window. This is the reason they’re so visible – since they’re literally designed with end user interaction in mind. A web app is a front-end application (client side), while web APIs are back-end applications (server side) which exchange data through system-to-system interactions. In their broadest terms, APIs are application interfaces, which allow one application to communicate with another in a standardized way.
Because of their importance, web APIs are increasingly targeted by would-be attackers. A recent report showed that API attacks have increased 681 percent over the past year. The report surveyed a large number of organizations and found that almost all of them – a whopping 95 percent – had experienced some form of API security incident in the preceding 12 months. Around 12 percent of respondents reported suffering upward of an enormous 500 attacks every month.
While these figures are terrifying enough, even scarier is the fact that 34 percent of respondents admitted to not having any kind of security strategy for APIs. Just 11 percent – a little over one in 10 respondents – said they had an advanced strategy including dedicated API protection and testing.
The resulting widespread lack of protection will only make APIs a more attractive attack vector for malicious actors. Those lacking the necessary safeguards typically cited a lack of the right level of expertise or budgetary constraints.
Defending against attacks
It is critical that organizations do right by their users and protect against attacks which seek to exploit API vulnerabilities. This should start with taking stock of the complete inventory of APIs they rely on, including functions and payloads alike. They should test production APIs for potential issues like broken authorization, starting with the endpoints they class as most critical. Any public-facing APIs must be secured during the development process, and everyone from administrators to developers should be made aware of the potential risks APIs can face or pose.
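The "broken authorization" test mentioned above is worth seeing concretely. The following is an added example, not code from the original article or from any WAAP product: a constructed invoice endpoint in two forms, one that authenticates the caller but never checks ownership of the requested object, and a hardened one that does, plus a small check a team can run against its own endpoints to confirm that a second authenticated user is refused. The invoice store, user names and handler names are all assumptions made for the example.

```python
"""Added example (not from the original article): checking an API endpoint
for broken object-level authorization, the class of issue the text calls
"broken authorization". Data, users and handlers are constructed here."""

from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    101: {"owner": "alice", "amount": 250.00},
    102: {"owner": "bob", "amount": 75.50},
}


@dataclass
class Request:
    user: str          # authenticated caller (assumed set by an auth layer)
    invoice_id: int


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_invoice_unprotected(req: Request) -> Response:
    """Authenticates (the caller is known) but never authorizes:
    any logged-in user can read any invoice by supplying its id."""
    invoice = INVOICES.get(req.invoice_id)
    if invoice is None:
        return Response(404)
    return Response(200, invoice)


def get_invoice_protected(req: Request) -> Response:
    """Hardened: after the lookup, verify the caller owns the object.
    Answering 404 rather than 403 avoids confirming that the id exists."""
    invoice = INVOICES.get(req.invoice_id)
    if invoice is None or invoice["owner"] != req.user:
        return Response(404)
    return Response(200, invoice)


def authz_check(handler: Callable[[Request], Response],
                owner: str, other: str, invoice_id: int) -> bool:
    """A test to run against your own endpoint: the owner must succeed and
    a different authenticated user must be refused. True means the
    endpoint enforces object-level authorization."""
    owner_ok = handler(Request(owner, invoice_id)).status == 200
    other_refused = handler(Request(other, invoice_id)).status != 200
    return owner_ok and other_refused


if __name__ == "__main__":
    for name, handler in [("unprotected", get_invoice_unprotected),
                          ("protected", get_invoice_protected)]:
        print(name, "passes authz check:",
              authz_check(handler, "alice", "bob", 101))
```

The check is deliberately framed around a known owner and a known second user, so it can be scripted per endpoint and run as part of the production API testing the text recommends, most-critical endpoints first.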
The best step that any organization can elect to take is the use of Web Application and API Protection (WAAP) services. This term, coined by Gartner’s Jeremy D’Hoinne and Adam Hils, refers to a collection of cloud-based services which can help to protect vulnerable web applications and APIs alike. WAAP includes tools like Next-Generation Web Application Firewall (Next-Gen WAF) for blocking attacks using AI and behavioral analysis, Runtime Application Self-Protection (RASP), malicious bot protection, Distributed Denial-of-Service (DDoS) protection, advanced rate limiting, and the all-important protection for microservices and APIs – among others. It’s the most comprehensive possible one-stop-shop for protecting against web app and web API attacks alike.
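Of the WAAP components listed above, rate limiting is the easiest to show in code. The following is an added example, not the article's code or any vendor's implementation: a per-client token-bucket limiter of the kind placed in front of an API so that one client cannot hammer an endpoint, with a burst allowance that refills over time. The limiter class, client identifiers and limits are assumptions made for the example; a real WAAP would key on API key, token or source address and would return HTTP 429 where this returns False.

```python
"""Added example (not from the article or any WAAP product): a per-client
token-bucket rate limiter, one building block of the "advanced rate
limiting" a WAAP applies in front of an API. Limits and clients are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Bucket:
    capacity: float     # burst size in requests
    refill_rate: float  # tokens added per second
    tokens: float       # tokens currently available
    last: float         # timestamp of the last update


class RateLimiter:
    def __init__(self, capacity: int, refill_rate: float):
        self.capacity = float(capacity)
        self.refill_rate = refill_rate
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, client: str, now: float) -> bool:
        """Return True if the request at time `now` (seconds) is within the
        client's budget; False is where a WAAP would answer 429 Too Many Requests."""
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = Bucket(self.capacity, self.refill_rate, self.capacity, now)
            self.buckets[client] = bucket
        # Refill proportionally to elapsed time, never above capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(bucket.capacity, bucket.tokens + elapsed * bucket.refill_rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def simulate(limiter: RateLimiter, client: str,
             timestamps: List[float]) -> Tuple[int, int]:
    """Replay request timestamps for one client; return (allowed, rejected)."""
    allowed = sum(1 for t in timestamps if limiter.allow(client, t))
    return allowed, len(timestamps) - allowed


if __name__ == "__main__":
    # Constructed scenario: burst of 5, then one request per second.
    limiter = RateLimiter(capacity=5, refill_rate=1.0)
    burst = [0.0] * 20                      # 20 requests in the same instant
    print("burst:", simulate(limiter, "client-a", burst))
    print("after 3s:", limiter.allow("client-a", 3.0))
```

Each client gets its own bucket, so a flood from one caller does not consume the budget of another; tuning `capacity` sets how much legitimate burstiness is tolerated and `refill_rate` sets the sustained ceiling.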
Do the right thing by your users
Attacks targeting web APIs aren’t going away. In fact, just about every report suggests that they’re ramping up all the time as cyber attackers look for ways to cause the maximum possible damage in domains where the right safeguards are not put in place. Sadly, APIs currently fit that bill. The good news is that, as noted, the right tools are available to help. Implementing and deploying these tools, which may involve seeking out the right cyber security authorities to assist, means that organizations can better defend against this threat. It’s some of the best money you can possibly spend.