Salt Security, a company focused on solely on API security and preventing API breaches, has introduced the Salt Security API Protection Platform. The product aims to preventing API attacks wherever they occur—in applications, on mobile devices, within microservices or anywhere on the web. The idea is for IT professionals to be able to find and respond to attacks before they get to the point where they cause real damage.
The timing is good: API attacks are increasing at an alarming rate because developers are using more APIs to enable applications and services, and because modern digital platforms rely on them. Gartner predicts that by 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications. And as APIs become more prevalent, they expose more sensitive data, which is prompting attackers to shift their focus to API-based attacks.
These changes aren’t escaping companies, either. As the attack methods shift to target logic and vulnerabilities unique to each API, companies are starting to shift their focus. Instead of relying on signature-based solutions like web application firewalls that look for predictable attacks, they are looking for solutions that can detect and stop the attacks that can’t be predicted, and therefore can’t build into a signature.
That’s exactly what Salt Security is trying to do—build a solution that focuses specifically on API security, instead of forcing companies to rely on the API security traditionally provided as part of larger, more general-purpose solutions like API gateways, API portals and web application firewalls.
Salt Security’s approach uses artificial intelligence to gain specific knowledge about each API to determine normal behavior. With this information as a baseline, the product can detect malicious behavior on every API endpoint in real time. That allows organizations to identify attacks while they are still in the earliest point in an attack, often called the reconnaissance phase.
“With attackers shifting their focus to target the logic that is unique to each API, it’s impossible for solutions that depend on signatures to detect and stop these new attacks. Even those that allow for customization fail to detect these attacks since it requires someone with deep expertise to think of all of the potential options,” explained Salt Security CEO Roey Eliyahu. “All of our customers have found live attacks with the Salt Security platform that were missed by their signature-based solutions like a web application firewall.”
While the top use case for the Salt Security API Protection Platform is to stop attackers before they can successfully carry out an attack, there are others, as well. One is eliminating vulnerabilities at the core of an organization’s APIs. The insights Salt generates around malicious behavior can help bridge the gap between security and development teams by providing development teams with details on what’s vulnerable and why. That way, they can work to quickly eliminate the vulnerability.
The third use case is cataloging all of the APIs active in an environment, which gives organizations a clear picture of areas of potential exposure. The Salt Security product does this automatically and continuously for all of the public, private and partner-facing APIs in an environment. This helps them gain a better understanding of their attack surface and risk, Eliyahu said.
Salt Security’s approach addresses two things that are particularly difficult about protecting APIs, said Mark O’Neill, a senior director at Gartner. The first difficulty is actually finding and discovering the APIs in the first place. In fact, many organizations that have APIs might not even know they have them.
The second is much more difficult.
“You want to accommodate the need for your partners and clients to access data and applications through your APIs, but you also want to protect against problems that can occur when somebody does something out of the ordinary, because it might mean they are probing the API for weakness or actually planning to attack it,” O'Neill said.
These difficulties, in addition to the growing threat of API breaches, make the concept of a security vendor focused solely on API security attractive, O’Neill said. While other security vendors in the web application firewall and API management products are adding more API security, only a small handful focus only on API security. In addition to Salt Security, O’Neill mentioned Elastic Beam by Ping Identity and Google Apogee Sense. The key is finding a vendor that goes as deep as possible on API protection, he added.
The Salt Security API Protection Platform is available in a SaaS or a hybrid deployment for cases when on-premises data processing may be required.