API Security , Events , Infosecurity Europe 2023

Shadow APIs - You Can't Defend What You Don't Know Exists

Cequence Security's James Sherlow on New Defenses for API Business Logic Attacks
James Sherlow, director, solution engineering, EMEA, Cequence Security

Shadow APIs are up 900%, and API business logic abuse attacks have come to the forefront and are demanding both discovery and defensive measures from cybersecurity organizations, said James Sherlow, director of solution engineering in EMEA at Cequence Security.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

One example of the growing threat is API 6 on the OWASP API Top 10 Report 2023, Sherlow told ISMG. It includes bots and automated attacks previously described in API 8 but has been broadened to cover business logic abuse of APIs, which means the application is used as it was designed, such as to make an online purchase, but flaws in the business logic are abused for unintended outcomes. Each API is different; therefore, signature-based defenses are no longer useful.

Defenders also are seeing a huge increase in shadow APIs, including unknown, undocumented APIs and legacy or brand-new but published APIs without checks and guardrails. Other APIs expose extra information. Overall, 30% of attacks target shadow APIs, so companies need to focus on discovering them and bringing them into compliance, he said.

In this video interview with Information Security Media Group at Infosecurity Europe 2023, Sherlow discussed:

  • The need for machine learning to have context awareness to protect APIs;
  • Unique threats that are on the rise, especially fingerprint rotation;
  • Using tracking or fake response rather than blocking to control the rate of attack.

Sherlow says his organization's mission is to transform application security by consolidating multiple innovative security functions within an open, AI-powered software platform. This intelligence-based software protects customers' web, mobile and API-based applications and supports today's cloud-native, container-based application architectures.

About the Author

Tony Morbin

Tony Morbin

Executive News Editor, EU

Morbin is a veteran cybersecurity and tech journalist, editor, publisher and presenter working exclusively in cybersecurity for the past decade – at ISMG, SC Magazine and IT Sec Guru. He previously covered computing, finance, risk, electronic payments, telecoms, broadband and computing, including at the Financial Times. Morbin spent seven years as an editor in the Middle East and worked on ventures covering Hong Kong and Ukraine.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.