API Gateways: Great for Management but Not for Security

API gateways are useful when it comes to API management but they were never designed with security in mind.

 API Gateways: Great for Management but Not for Security

Introduction

As the microservice paradigm has become all but ubiquitous in the modern web landscape, the need to collect these services in a single unified experience for the end user has become more important than ever. 

Microservices are like an orchestra, with each piece doing what it does very well as long as it’s properly organized and contextualized. This organization and contextualization comes from the API Gateway – acting like a conductor, gateways deliver unprecedented orchestration and contextualization that boosts the value of this interconnected masterpiece. 

With any complex system, however, there are major security concerns that must be kept in mind. With each new piece of tech and each new endpoint, the complexity of the API Gateway will have new risks, new vectors of attack, and new potential points of failure introduced to the greater system. APIs will always struggle with security to some extent, as the purpose of an API is to connect to the outer world – but Gateways are especially vulnerable for reasons we will dig into shortly.

Before diving into that topic, let’s look at how we got to where we are today.

The History of API Gateways

In the early days of APIs, applications were monolithic in nature. This design philosophy meant that all the functional components of an application—its data layer, user interface, and business logic—were tightly intertwined and housed within a singular codebase. 

This provided simplicity in design and deployment, but it also meant that any change resulted in the need to alter the entire codebase, with even small evolutions impacting the development lifecycle quite significantly. As applications grew in scale and complexity, this monolithic paradigm quickly became a bottleneck, and developers struck out to find a new approach that reduced complexity while increasing flexibility, scalability, and extensibility.

To resolve the issues brought forth by monolithic design, the industry began to trend towards the idea of microservices. This concept was simple – break the application into many small applications, each independently deployable. This would result in a system wherein scalability meant simply deploying more instances, extensibility meant creating a new function as opposed to iterating a massive monolithic codebase, and flexibility meant developing for decentralized and decoupled functions. All of this was a monumental shift that resulted in rapid growth, but it introduced a new problem – if everything is spread out and not located under a single monolith, how should an organization work with these numerous services? How could a company organize the chaos?

This problem resulted in the creation of the API Gateway. It was simple in the abstract – at first, gateways operated as a reverse proxy, routing requests to appropriate microservices. As the gateway paradigm evolved, however, new benefits were unlocked.

Benefits of API Gateways

For the user, the gateway offers a single unified frontend that mediates between the many services behind the veil, presenting a more useful and cohesive experience. For the provider, a gateway offers a single source of interaction and a tool by which interactions can be controlled and monitored. Gateways act like a vigilant gatekeeper – controlling access, routing requests, preventing malicious attacks, and more can all be done through the gateway. 

Add on to this the fact that a gateway can be a panopticon for usage monitoring and meticulous record keeping, boosting your analytics and the resultant development to new heights. Additional benefits include schema enforcement, ensuring uniformity and predictability, as well as granular control over routing to match the underlying business logic that the schema may be built upon.

Put simply, API Gateways delivered on their promise to calm the chaos, and they serve as a wonderful tool for management. But what about API security?

The Landscape of Modern API Attacks

Before we discuss the inherent issues with API Gateways, let's first look at the current state of API attacks in the industry. As APIs have become the critical arteries through which data flows, connecting disparate systems, apps, and devices, the target on their back has similarly increased. APIs are now a prime route for cyberattacks, and these attacks grow in complexity and efficacy year by year. As developers have pivoted to mitigate common attacks, new methodologies have taken hold, boasting increased complexity and sophistication.

The Changing Face of Threats

Historically, API threats were relatively straightforward. Attacks such as brute force attacks, where attackers tried a large amount of combinations in rapid succession to gain unauthorized access, may still be common, but they are not as successful as they once were against APIs. As security systems have matured, criminals have had to discover new attack vectors and new TTPs (tactics, techniques and procedures).

As a result, today's threat landscape is more complex and insidious than ever. Some predominant threats include:

  • Broken Object Level Authorization (BOLA): This vector sees attackers manipulate API calls to access unauthorized data through the abuse of broken object level authorization systems. This can be particularly damaging, as it essentially gives the keys to the kingdom to those who want to do it the most harm.
  • API Injection: This kind of attack is when attackers directly inject malicious code into the API, which is then executed by the receiving application. Much like a virus, this often results in the system effectively attacking itself, which is made worse due to the fact that these attacks are seen as originating from a trusted source.
  • Man-in-the-Middle Attacks: An old attack that continually adds new complexities and vectors, attacks will take over middleman pieces of the communication paradigm to secretly alter communication, relay information, or hijack sessions.
  • Business Logic Manipulation: Creating registered accounts and checking for ways to abuse a lack of controls around certain aspects of the business logic on an API, such as causing overexposure of data, gaining unauthorized access to data, etc. 

These are just a handful of the more common and well-crafted attacks that APIs typically face in the modern space.

Mimicry: The Camouflage of Cyber-attacks

Perhaps one of the most daunting aspects of modern API attacks is their ability to mimic legitimate requests. In the past, distinguishing between genuine and malicious requests was relatively easy – rogue requests often gave off behavioral hints that something was amiss, allowing anomalous behavior to be more easily detected. Modern attacks have now deployed advanced techniques to mitigate these issues, resulting in traffic that is highly damaging that nonetheless masquerades rather well as genuine operations.

The simple fact is that modern attackers are more well-equipped than ever before. They often possess a deep understanding of the applications they target, allowing them to craft convincing attacks. They can use stolen or legitimate tokens to bolster this identity claim, and by using sophisticated botnets, they can create a user that has the right behavioral elements to match. 

This evolution in attack methodology has naturally placed tremendous strain on traditional security systems. Identifying an enemy that is not behaving particularly strangely amidst a sea of genuine requests is akin to finding a needle in a digital haystack. Since APIs are designed to be accessible, they can't be hidden away behind impenetrable walls, so developers can’t just create a digital fortress to keep the attackers out. Thus, modern security requires sophisticated monitoring tools that can discern subtle patterns and anomalies indicative of an attack.

API Gateways: Not Designed for Security

So what does this all mean for API Gateways in the context of security? Unfortunately, the simple fact is that gateways were never designed to be security solutions, they were designed to be management solutions. While API Gateways have taken on some security processes and steps, they have always principally been focused upon the management of microservices and the unification of communication with them – this has resulted in API Gateways lacking core security features and capabilities.

There are some limited situations in which API Gateways do offer some protection. Rate Limiting can slow down an attacker by reducing the overall volume of attacks that can be issued in a time frame, thereby reducing effectiveness of DDoS and other volume-centric attacks. Proper pagination can reduce effectiveness by breaking up data into smaller, more limited chunks, making each API call less effective for the given attack vector. 

In each of these cases, however, the security gained is done equally as well – if not better – by actual security solutions. For gateways, these are bonus features, not core ones, and as such, leaning on gateways for security is a miss.

Weaknesses of API Gateways in Modern Security

Firstly, API Gateways are limited in their ability to identify and prevent sophisticated attacks that mimic legitimate traffic. Gateways are gatekeepers, but they’re not hyper-intelligent systems meant to dig into every potential movement of data – their interaction generally follows a paradigm of “Where do I send it to? Does this seem right, based on my limited understanding? Yes? Then Let it through!”. Sophisticated attacks are often difficult to discern from legitimate traffic, and because API Gateways are a management solution, not a security one, they often lack the visibility to effectively do so.

This lack of real-time monitoring paired with the simple fact that API Gateways are transactional means that attacks that are designed to bypass security systems are at such a higher level that API Gateways often offer nothing more than a facilitatory system. Even if they do carry security processes, these processes are not enough unless they are buttressed by security offerings in the background.

There is also the very real problem of assumed security. Developers who utilize API Gateways might take the idea that there are some basic security features in some instances as evidence of a cumulative security posture. The simple fact is that security must be multi-layered, and depending on API Gateways to deliver on security is depending on the wrong entity for the wrong benefit. This can lead to a perception of security that does not match reality, exposing APIs to more threats than might be obvious.

Achieving Real API Security

At the end of the day, the most important part of API security is utilizing solutions that are designed for security in a multi-layered approach. Utilizing a single point of failure is bad enough, but utilizing a single point of failure that was never built for security is worse. Accordingly, any security system that is considered part of your security posture should be designed specifically for APIs with feature sets that are designed for the paradigms of the modern threat actors.

What should this solution look like?

Building a Strong Solution

A proper security solution must grant users the ability to get the drop on threats through proper alerting and monitoring. The ability to set specific metrics, thresholds, events, etc. is vital to ensuring you have a proper security overview, and being able to secondarily decide how and when these alerts are made available is a huge step towards reducing alert fatigue and threat blindness.

Visibility is also a huge part of making a proper security posture effective. This goes beyond basic visibility into the inner workings of your platform, and extends to ensuring that potential vulnerabilities don’t become obfuscated through typical day to day production. Visibility should be collected into a single place and should give you actionable steps to mature your posture. Assessment should occur in the design and development stage to ensure that vulnerabilities can be eliminated before the API ever goes into production. The results of this assessment should be validated and continually reviewed to ensure that problems don’t recur.

This is especially important given that so many threats arise due to where attacks often occur. Application layer attacks are much more common in the API space, but they are often overlooked when it comes to solutions that track transport and network layer attacks. Your solution should grant full spectrum visibility for a true security approach.

Finally, solutions should focus on open-source, proven standards and frameworks. Utilizing proprietary solutions can be ok, but you are depending on your own knowledge as a source of security – adopting open-source standards means that you are using time tested and community proven solutions, which can dramatically improve security postures.


FireTail: Real API Security

FireTail provides a world-class solution that hits all of the points noted above. FireTail is a comprehensive end-to-end security solution that offers a variety of benefits:

  • API Alerting & Monitoring: Stay Ahead of Threats – FireTail's API Alerting & Monitoring allows you to set specific conditions, metrics, and thresholds to detect and respond to API security events swiftly. Stay in control of your API ecosystem and receive alerts precisely how and when you prefer.
  • API Security Posture Management: Gain Full Visibility and Strengthen Security – FireTail's API Security Posture Management offers comprehensive visibility and assessment of your API security in one centralized dashboard. Accelerate the maturity of your API security program and confidently address potential vulnerabilities.
  • API Audit Trail: Comprehensive Logging for Enhanced Security Insights – FireTail's API Audit Trail feature has a centralized and comprehensive logging system, so you can create a single, cloud-based API audit trail. Gain insight into API events, detect breaches, and strengthen your incident response capabilities.
  • API Inventory – FireTail's API Inventory feature empowers you with comprehensive visibility into your API landscape. Discover, track, and manage your APIs with ease, ensuring a solid foundation for robust security and efficient governance.
  • Seamless API Visibility with FireTail's Agentless Integration – FireTail's Agentless Integration offers a seamless approach to your API endpoints. With our innovative solutions, you can discover and log API activity behind AWS's native API gateway, ensuring comprehensive monitoring without the need for additional agents.
  • Effortless Deployment and Enhanced API Security with FireTail – Revolutionize your API security with FireTail's Simple Deployment. Our platform is designed around the most common standards for building modern, API-first applications, leveraging open-source code and frameworks.

Schedule a demo today to see what FireTail could do for your API security strategy.