AWS Partner Network (APN) Blog

Preventing API Breaches Using Salt Security with AWS WAF and Amazon API Gateway

By Yaron Kivilis, Product Manager – Salt Security
By Siva Sadhu, Sr. Partner Solutions Architect – AWS


Hundreds of millions of application programming interfaces (APIs) power the digital economy, and that figure continues to expand at a relentless pace.

As an attack surface, exposed APIs represent the broadest risk to the enterprise as they have become a preferred attack vector by threat actors. In fact, a 2022 survey showed that 95% of companies reported they suffered an API security event within the previous 12 months.

Traditional security approaches are unable to detect and stop complex API attacks, and Salt Security was founded in 2018 for exactly this purpose. Its founders hold a patent on applying big data, artificial intelligence (AI), and machine learning (ML) to API security, which has allowed Salt to spearhead the growing category of dedicated API security solutions.

Salt Security is an AWS Security Competency Partner and AWS Marketplace Seller that delivers an API threat detection solution on Amazon Web Services (AWS).

In this post, we will explore the importance of API security and how Salt Security offers a comprehensive API threat detection solution on AWS. We’ll discuss the limitations of traditional security approaches in detecting complex API attacks, highlight the integration between Salt Security and AWS services for secure API publishing, and share use cases and countermeasures provided by Salt Security.

Impact of WAFs and API Gateways on API Security

Web application firewalls (WAFs), API gateways and management tools, identity and access management (IAM) tools, and other security technologies were never designed to provide the type of visibility, insight, and runtime protection needed to prevent successful attacks on APIs.

WAFs and API gateways provide some protection against application attacks, but architectural limitations prevent them from protecting against specialized API threats, including those defined in the OWASP API Security Top 10. These threats target the unique logic of each API and cannot be identified by signatures, nor by tuning a WAF’s configuration.

In addition, most managed WAF rulesets are tailored to mainstream commercial and open-source software packages like the content management systems Drupal and WordPress. These are not where organizations typically build or integrate APIs, so managed rulesets provide only minimal protection.

At the same time, API gateway security features are important components of an overall API security strategy, but on their own they do not provide sufficient protection against the top API threats.

Even authenticated APIs are targeted by attackers using subtle methods to uncover and exploit vulnerabilities. Traditional access controls, block lists, and message filtering provided by API gateways leave you with only partial protection.

Protecting APIs from threats requires analysis of all API traffic over time to gain the context needed to identify and stop attackers. Without broader context, and the ability to stitch together disparate activities from a single user, a platform cannot stop attacks in progress.

The proxy architecture of WAFs and API gateways limits their view of the big picture: a WAF evaluates and protects one transaction at a time. Even with these limitations, you typically still need both types of services in a secure API publishing architecture.

AWS Services Used for Secure API Publishing

Customers often use Amazon API Gateway to publish, maintain, monitor, and secure APIs at any scale. It’s worth noting that security and compliance is a shared responsibility between AWS and the customer. When using services like Amazon API Gateway, customers are responsible for securing the APIs they expose publicly using a service like AWS WAF.

AWS WAF is a web application firewall that helps protect Amazon API Gateway APIs from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks, among other threats in the OWASP Top 10. These could affect API availability and performance, compromise security, or consume excessive resources.

AWS WAF provides the ability to create rules that allow or block requests from specified IP address ranges (CIDR blocks), requests that originate from a specific country or region, requests that contain malicious SQL code, or requests that contain malicious scripts.

You can create rules that match a specified string or a regular expression pattern in HTTP headers, method, query string, Uniform Resource Identifier (URI), and the request body. Additionally, you can create rules to block attacks from specific user agents, bad bots, and content scrapers.

Along with Amazon API Gateway, AWS WAF is tightly integrated with Amazon CloudFront, Application Load Balancer (ALB), and AWS AppSync—all services that AWS customers commonly use to deliver content or publish APIs for their applications.
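The rule types listed above, assembled into a web ACL and attached to an API Gateway stage, as an added example (not code from this post or from Salt Security). It uses the boto3 `wafv2` API; the region, API ID, stage name, CIDR list, and rule and metric names are assumed placeholders, and the `salt-attacker-ips` IP set is simply the set an outbound blocking integration would keep populated. The rule builders are pure functions, so the resulting JSON can be inspected without AWS credentials; only `apply_web_acl()` calls AWS.

```python
"""Attach an AWS WAFv2 web ACL to an Amazon API Gateway REST API stage.

Added example, not code from the original post or from Salt Security.
REGION, API_ID, STAGE and BLOCKED_CIDRS are assumed placeholders; rule and
metric names are arbitrary. The rule builders are pure functions that can be
inspected offline; only apply_web_acl() calls AWS (real boto3 wafv2 API).
"""

REGION = "us-east-1"                # assumed
API_ID = "a1b2c3d4e5"               # assumed REST API id
STAGE = "prod"                      # assumed stage name
BLOCKED_CIDRS = ["203.0.113.0/24"]  # assumed; TEST-NET-3 documentation range


def _visibility(metric_name):
    # Required on every rule and on the ACL; the CloudWatch metric is how you
    # see what a rule is actually blocking once it is live.
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def ip_block_rule(priority, ip_set_arn):
    """Block sources listed in an IP set (the set an outbound integration
    such as Salt's would keep filled with attacker IPs)."""
    return {"Name": "block-attacker-ips",
            "Priority": priority,
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("BlockAttackerIPs")}


def uri_regex_block_rule(priority, regex):
    """Block a URI-path pattern, e.g. an internal route that must not be
    reachable through the public stage. URL_DECODE runs before the regex
    so an encoded path like /%69nternal/ cannot slip past it."""
    return {"Name": "block-uri-pattern",
            "Priority": priority,
            "Statement": {"RegexMatchStatement": {
                "RegexString": regex,
                "FieldToMatch": {"UriPath": {}},
                "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("BlockUriPattern")}


def managed_rule_group(priority, name):
    """Reference an AWS managed rule group (Common Rule Set covers XSS and
    other OWASP Top 10 categories; SQLiRuleSet covers SQL injection).
    Group references take OverrideAction, not Action."""
    return {"Name": f"aws-{name}",
            "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": _visibility(name)}


def build_rules(ip_set_arn):
    """Lowest priority is evaluated first: the cheap deny-lists go before the
    managed groups so known attackers never reach the signature rules."""
    return [ip_block_rule(0, ip_set_arn),
            uri_regex_block_rule(1, r"^/internal/"),
            managed_rule_group(10, "AWSManagedRulesCommonRuleSet"),
            managed_rule_group(11, "AWSManagedRulesSQLiRuleSet")]


def stage_arn(region, api_id, stage):
    """ARN form AWS WAF expects when associating with a REST API stage."""
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage}"


def apply_web_acl():
    """Create the IP set and the web ACL, then associate the ACL with the
    stage. Scope is REGIONAL for API Gateway (CLOUDFRONT scope is only for
    distributions). Needs AWS credentials with wafv2 permissions."""
    import boto3  # imported here so the pure builders above need no SDK

    wafv2 = boto3.client("wafv2", region_name=REGION)
    ip_set = wafv2.create_ip_set(Name="salt-attacker-ips", Scope="REGIONAL",
                                 IPAddressVersion="IPV4",
                                 Addresses=BLOCKED_CIDRS)["Summary"]
    acl = wafv2.create_web_acl(Name="api-gateway-acl", Scope="REGIONAL",
                               DefaultAction={"Allow": {}},
                               Rules=build_rules(ip_set["ARN"]),
                               VisibilityConfig=_visibility("ApiGatewayAcl"))["Summary"]
    wafv2.associate_web_acl(WebACLArn=acl["ARN"],
                            ResourceArn=stage_arn(REGION, API_ID, STAGE))
    return acl["ARN"]


if __name__ == "__main__":
    print(apply_web_acl())
```

Two practical points: the default action is Allow with explicit block rules in front, which is the right shape for a public API (a default Block would need an allow-list for every legitimate client), and the managed groups are placed at higher priority numbers than the deny-lists so a request from a known attacker IP is rejected before any signature matching is spent on it.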

Salt Security has a number of successful customer deployments in production integrated with AWS WAF, and has earned the AWS WAF Service Ready partner specialization.

Use Cases for Salt Security on AWS

API security requires a broad set of capabilities to fully protect a customer’s API ecosystem. Customers typically adopt capabilities in phases:

  1. Discovery: Find out what you really have outside of your “regular” API inventory, including shadow and zombie APIs. Identify APIs that are exposing personally identifiable information (PII) or other sensitive data. Support governance, risk, and compliance (GRC) workflows with complete API coverage.
  2. Detection: Correlate activity to block attackers while they are still in their reconnaissance phase. Prevent account takeovers and data exfiltration while accelerating incident response by reducing the time it takes to understand and resolve API-related incidents.
  3. Remediation insights: Gather information based on attackers’ minor successes, with details on how developers can update APIs to close security gaps.


Figure 1 – API security lifecycle.

API Security Countermeasures Throughout the API Lifecycle

Salt Security is a multi-tenant software-as-a-service (SaaS) platform built on AWS. Customers can integrate the Salt solution with their own cloud environments in two main ways:

  • Inbound integrations help capture the API traffic and get it into the Salt Cloud for analysis.
  • Outbound integrations help execute the actionable intelligence, such as blocking malicious traffic through WAF or alerting through a SIEM or SOAR system.

Gathering API traffic from AWS environments can be done through native AWS components, or third-party API systems deployed in AWS. The inbound integrations will send the data directly to Salt Cloud for analysis, or first sanitize it through optional hybrid servers that can be deployed as Amazon Machine Images (AMIs) or containers.

Salt Security supports the following AWS integrations to capture your API traffic:

For outbound integrations, the Salt platform’s main point of integration in AWS environments is AWS WAF, covering both AWS WAF Classic and the current AWS WAF (WAFv2). Based on the “Attacker Events” identified in the Salt console, you can manually or automatically trigger AWS WAF to block the malicious source IPs.

For the purpose of consolidating your security alerts to your AWS environment and tooling, you can send Salt API Attacker Events and “Remediation Events” to Amazon CloudWatch.
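What the outbound blocking step described above comes down to on the AWS side, as an added example (not Salt Security’s integration code). The attacker-event records in `SALT_EVENTS` are constructed sample data with assumed field names, and the IP set name and ID are placeholders; the WAF calls are the real boto3 `wafv2` API. The filtering shows the checks a practitioner wants before an automated feed is allowed to write into a production deny-list.

```python
"""Push attacker source IPs from Salt "Attacker Events" into an AWS WAFv2 IP set.

Added example, not Salt Security's integration code. The event records are a
constructed stand-in (field names assumed); IP_SET_NAME and IP_SET_ID are
placeholders. get_ip_set/update_ip_set are the real boto3 wafv2 calls.
"""
import ipaddress

IP_SET_NAME = "salt-attacker-ips"                    # assumed
IP_SET_ID = "00000000-0000-0000-0000-000000000000"   # placeholder
MAX_ADDRESSES = 10000                                # WAFv2 hard limit per IP set

# Never block these from an automated feed: they are your own VPC, loopback
# and link-local ranges, not an internet attacker (listed explicitly rather
# than via is_private so documentation ranges in the sample pass through).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]

# Constructed sample events (assumed shape; Salt's real export is not shown here).
SALT_EVENTS = [
    {"type": "ATTACKER", "source_ip": "198.51.100.7", "confidence": "HIGH"},
    {"type": "ATTACKER", "source_ip": "198.51.100.7", "confidence": "HIGH"},  # duplicate
    {"type": "ATTACKER", "source_ip": "2001:db8::1", "confidence": "HIGH"},   # IPv6: separate set
    {"type": "ATTACKER", "source_ip": "10.0.0.5", "confidence": "HIGH"},      # internal probe
    {"type": "ATTACKER", "source_ip": "198.51.100.9", "confidence": "LOW"},
    {"type": "ATTACKER", "source_ip": "not-an-ip", "confidence": "HIGH"},     # malformed
    {"type": "REMEDIATION", "source_ip": "198.51.100.8"},
]


def attacker_cidrs(events, version=4, min_confidence=("HIGH",)):
    """Return sorted, de-duplicated host CIDRs to block.

    WAF IP sets take CIDR notation only and hold one address family each,
    so IPv6 attackers need a second IPV6 set and a second rule."""
    out = set()
    for ev in events:
        if ev.get("type") != "ATTACKER" or ev.get("confidence") not in min_confidence:
            continue
        try:
            ip = ipaddress.ip_address(ev["source_ip"])
        except ValueError:
            continue
        if ip.version != version or any(ip in net for net in INTERNAL_NETS):
            continue
        out.add(f"{ip}/{32 if version == 4 else 128}")
    return sorted(out)


def merge_addresses(existing, new):
    """Union with what the set already holds; refuse rather than silently
    truncate if the WAF limit would be exceeded."""
    merged = sorted(set(existing) | set(new))
    if len(merged) > MAX_ADDRESSES:
        raise ValueError(f"IP set would hold {len(merged)} > {MAX_ADDRESSES} addresses")
    return merged


def push_to_waf(cidrs, region="us-east-1"):
    """Update the IP set with optimistic locking: get_ip_set returns a
    LockToken that update_ip_set must echo back, so two writers (a Salt
    webhook and an analyst in the console) cannot clobber each other."""
    import boto3

    wafv2 = boto3.client("wafv2", region_name=region)
    current = wafv2.get_ip_set(Name=IP_SET_NAME, Scope="REGIONAL", Id=IP_SET_ID)
    addresses = merge_addresses(current["IPSet"]["Addresses"], cidrs)
    wafv2.update_ip_set(Name=IP_SET_NAME, Scope="REGIONAL", Id=IP_SET_ID,
                        Addresses=addresses, LockToken=current["LockToken"])
    return addresses


if __name__ == "__main__":
    print(push_to_waf(attacker_cidrs(SALT_EVENTS)))
```

Source-IP blocking is deliberately coarse: it stops the reconnaissance host, not the credential, so a finding that names an authenticated user should also revoke or step up that identity, and entries should be expired from the set (WAF does not do this for you) so shared NAT addresses do not stay blocked indefinitely.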


Figure 2 – Salt Security on AWS deployment options.

Common API Threats

What types of attacks are the API-specific threats that need specialized protection? With the increase of API-related security incidents and breaches, OWASP released the first-ever API Security Top 10 at the end of 2019 to raise awareness about the most common API security threats plaguing organizations.

The list is currently being updated for 2023, and Salt experts are contributing to that update.

In this post, we picked the most prevalent type of API threat as a detailed example of where a dedicated API security platform brings the most value. An AWS WAF and Amazon API Gateway deployment can be reinforced by the contextual capabilities of the Salt Security API Protection Platform, which baselines healthy API traffic and learns the business logic behind the APIs.

API1:2019 Broken Object-Level Authorization (BOLA)

Broken object-level authorization (BOLA) is the most common API threat, represented in about 40% of all API attacks.

APIs often expose endpoints that handle object identifiers, creating a wide potential attack surface. Object-level authorization is an access control mechanism usually implemented at the code level to validate a user’s ability to access a given object.

Attackers can easily exploit API endpoints that are vulnerable to BOLA by manipulating the ID of an object that’s sent within an API request. These vulnerabilities are extremely common in API-based applications because the server component usually doesn’t track the client’s state. Instead, the server component relies on parameters like object IDs sent from the client to decide which objects can be accessed.
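The flaw just described in code, as an added example that is not part of the original post: a Lambda handler behind Amazon API Gateway that looks up an order by the ID in the path, first with no object-level check and then with the fix. The order store and the two principals are constructed test data; the event shape follows the API Gateway Lambda proxy integration (`pathParameters`, `requestContext.authorizer`), and the claim name `sub` for the caller’s identity is assumed.

```python
"""BOLA (API1:2019) in an API Gateway + Lambda handler: vulnerable vs fixed.

Added example, not from the post. ORDERS and the principals are constructed
test data; the event layout is the API Gateway Lambda proxy integration, with
the authorizer claim name "sub" assumed.
"""
import json

# Constructed data: which authenticated user owns which order.
ORDERS = {
    "1001": {"owner": "user-alice", "total": 42.00},
    "1002": {"owner": "user-bob", "total": 99.50},
}


def _principal(event):
    """Identity established by the API Gateway authorizer (JWT/Cognito or
    Lambda authorizer). Never take it from the body or a client header."""
    auth = event.get("requestContext", {}).get("authorizer", {})
    # JWT/Cognito authorizers nest claims under "claims"; Lambda authorizers
    # expose their context keys directly.
    return auth.get("claims", auth).get("sub")


def _resp(status, body):
    return {"statusCode": status, "body": json.dumps(body)}


def get_order_vulnerable(event, context=None):
    """The handler trusts the object ID from the path and never asks who is
    calling: GET /orders/1002 as alice returns bob's order."""
    order = ORDERS.get(event["pathParameters"]["orderId"])
    if order is None:
        return _resp(404, {"error": "not found"})
    return _resp(200, order)


def get_order(event, context=None):
    """Fixed: authorization is decided per object, against the server-side
    owner, for the authenticated principal. 'Not yours' and 'does not exist'
    both return 404 so the endpoint cannot be used as an ID oracle."""
    principal = _principal(event)
    if principal is None:
        return _resp(401, {"error": "unauthenticated"})
    order = ORDERS.get(event["pathParameters"]["orderId"])
    if order is None or order["owner"] != principal:
        return _resp(404, {"error": "not found"})
    return _resp(200, order)


def make_event(order_id, sub):
    """Minimal proxy-integration event for a JWT-authorized caller."""
    return {
        "pathParameters": {"orderId": order_id},
        "requestContext": {"authorizer": {"claims": {"sub": sub}}},
    }


if __name__ == "__main__":
    ev = make_event("1002", "user-alice")          # alice asks for bob's order
    print(get_order_vulnerable(ev)["statusCode"])  # 200: BOLA
    print(get_order(ev)["statusCode"])             # 404: fixed
```

Note what the fix does not rely on: nothing in the request, including an API Gateway authorizer, can tell the gateway or a WAF whether `1002` belongs to the caller, because ownership lives in the application’s data. That is why the page calls this a code-level control, and why a WAF rule cannot express it.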

Potential Impact of BOLA Attacks

Any access to unauthorized data is severe, regardless of its data classification or sensitivity. These types of authorization flaws are also not easily detectable with automated static or dynamic testing.

Failure to enforce authorization at the object level can lead to data exfiltration as well as unauthorized viewing, modification, or destruction of data. BOLA can lead to full account takeover, such as in cases where an attacker can compromise a password reset flow and reset credentials of an account they aren’t authorized to.


Figure 3 – Example of a BOLA attack.
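The kind of cross-request correlation the earlier sections argue a per-transaction WAF cannot do, as an added example that is not Salt Security’s detection logic: it groups API Gateway access-log records by authenticated caller and flags a caller who walks many distinct object IDs in a short window and mostly gets 404s, the signature of BOLA reconnaissance, while also listing the IDs that did return 200 (the “minor successes” a remediation insight would be built from). `LOG_LINES` are constructed records in an assumed JSON access-log format (field names modelled on API Gateway `$context` variables, time in epoch seconds), and the thresholds are illustrative.

```python
"""Detect object-ID enumeration (BOLA reconnaissance) by correlating one API
caller's requests over time, the cross-request context a per-transaction WAF
rule cannot express.

Added example, not Salt Security's detection logic. LOG_LINES are constructed
API Gateway access-log records in an assumed JSON format (fields named after
$context variables, requestTimeEpoch in seconds); thresholds are illustrative.
"""
import json
import re
from collections import defaultdict

OBJECT_PATH = re.compile(r"^/orders/(\d+)$")
WINDOW_SECONDS = 60      # assumed sliding window
MIN_DISTINCT_IDS = 5     # assumed: a real user rarely touches this many objects a minute
MAX_FAILURE_RATIO = 0.5  # assumed: a real user does not get mostly 404s


def _rec(t, sub, ip, path, status):
    """One constructed access-log record."""
    return json.dumps({"requestTimeEpoch": t, "sub": sub, "ip": ip,
                       "httpMethod": "GET", "path": path, "status": status})


LOG_LINES = (
    # alice: normal use of her own order, plus a non-object route that is ignored
    [_rec(1000, "user-alice", "192.0.2.10", "/orders/1001", 200),
     _rec(1030, "user-alice", "192.0.2.10", "/orders/1001", 200),
     _rec(1031, "user-alice", "192.0.2.10", "/health", 200)]
    # carol: a dashboard that reads six of her own orders, one per minute, all 200
    + [_rec(1000 + 60 * i, "user-carol", "192.0.2.11", f"/orders/{2001 + i}", 200)
       for i in range(6)]
    # mallory: walks eight sequential IDs in eight seconds; two of them succeed
    + [_rec(1000 + i, "user-mallory", "198.51.100.7", f"/orders/{1001 + i}", s)
       for i, s in enumerate([404, 404, 200, 404, 404, 404, 200, 404])]
)


def parse(lines):
    """Keep only requests against object endpoints; key by authenticated
    subject, falling back to source IP for unauthenticated traffic."""
    events = []
    for line in lines:
        r = json.loads(line)
        m = OBJECT_PATH.match(r["path"])
        if not m:
            continue
        events.append({"t": r["requestTimeEpoch"],
                       "who": r.get("sub") or f"ip:{r['ip']}",
                       "obj": m.group(1), "status": int(r["status"])})
    return events


def find_enumeration(events):
    """Per caller, slide a WINDOW_SECONDS window over its requests and report
    the widest window with >= MIN_DISTINCT_IDS distinct object IDs and a
    403/404 ratio above MAX_FAILURE_RATIO. Returns {caller: finding}."""
    by_caller = defaultdict(list)
    for e in events:
        by_caller[e["who"]].append(e)
    findings = {}
    for who, evs in by_caller.items():
        evs.sort(key=lambda e: e["t"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["t"] - evs[start]["t"] > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            ids = {e["obj"] for e in window}
            failures = sum(e["status"] in (403, 404) for e in window)
            if (len(ids) >= MIN_DISTINCT_IDS
                    and failures / len(window) > MAX_FAILURE_RATIO
                    and (best is None or len(ids) > best["distinct_ids"])):
                best = {"distinct_ids": len(ids), "failures": failures,
                        "requests": len(window),
                        # object IDs the caller actually got back: the leak to fix
                        "hits": sorted(e["obj"] for e in window if e["status"] == 200)}
        if best:
            findings[who] = best
    return findings


if __name__ == "__main__":
    for who, f in find_enumeration(parse(LOG_LINES)).items():
        print(who, f)
```

The contrast with a WAF rate-based rule is the key: a rate rule counts requests per source IP and would treat carol’s dashboard and mallory’s scan alike if they ran at the same rate, whereas this correlates by identity across object IDs and outcomes. A request like `GET /orders/1003` is individually indistinguishable from legitimate traffic; only the sequence reveals the attack.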

Customer Case Study

A major regional payment processing and ecommerce FinTech company present in 30+ countries that has already processed hundreds of millions of transactions decided to reinforce its security regime with an API-focused solution.

The company wanted the scalability and additional protection of a dedicated API security solution, because its team needs to handle tens of millions of API calls each day, while still using its existing AWS WAF (WAFv2) deployment to block malicious connections.

The customer is using Amazon API Gateway, AWS Lambda, and Amazon Simple Queue Service (SQS) to process daily reports on balances. The company’s entire revenue stream depends on APIs, so the risk of data exposure or abuse through APIs is high. It is continuously targeted by probing, low-and-slow attacks, and the entire “menu” of OWASP API Security Top 10 attack types.

The deployment also integrates with the customer’s NGINX tier and forwards API calls directly to the Salt API security platform for detection. Based on this implementation, the existing security operations center (SOC) team could handle the API security workload without additional headcount.

Summary

APIs are notoriously difficult to secure with traditional security products. As with other software, APIs have a complex development and deployment lifecycle, and a specific security approach is required in each specific phase.

The Salt Security platform allows for the analysis of API traffic that exposes complex attacks, including those identified in the OWASP API Security Top 10 list.

Customers deploying Salt on AWS can tap into the API traffic through different integration points with AWS services including Amazon API Gateway. The captured API requests and responses are then sent to Salt for security analysis (directly or sanitized through a customer-resident server), where actions can be taken automatically, including blocking executed through AWS WAF service.

Learn more about what the OWASP API Security Top 10 means for your cloud environment, and book a demo with the Salt Security API security expert team. You can find the Salt Security API Protection Platform in AWS Marketplace.



Salt Security – AWS Partner Spotlight

Salt Security is an AWS Competency Partner that delivers an API threat detection solution on AWS.

Contact Salt Security | Partner Overview | AWS Marketplace