The world’s leading integration event, MuleSoft CONNECT 2021, has come and gone and we are left with so many nuggets of integration wisdom from industry leaders to MuleSoft and API subject matter experts.
We’ve parsed through all the topics, talks, and sessions to extract the most critical thing for all organizations, sectors, and entities: API Security.
Reports indicate that “by 2022, API abuses will be the most frequent attack vector for enterprise web applications data breaches.” Following on this trend, Radware released their ‘2020-2021 State of Web Application Security Report’ which finds that API security is the most critical hole enterprises should patch in 2021.
In their 2020 State of APIs report, Google reported a ‘year-over-year 172% rise in abusive traffic,’ highlighting how many companies have more than doubled their number of protection rules from 2019 to 2020.
API Attacks at a Glance
So, what exactly does an API attack look like?
In 2018, more than 530 million Facebook profiles were leaked through an API vulnerability in the platform's code that was exploited by hackers. Even Mark Zuckerberg's information was leaked in the process.
So what were the API-related issues that allowed for the hack?
- Broken Object-Level Authorization
- Excessive Data Exposure
- Lack of Resources and Rate Limiting
It just so happens that all of the issues found with the Facebook post-incident assessment are also listed in the Open Web Application Security Project (OWASP) API Security Top 10 list, the authoritative list of API vulnerabilities.
According to security experts, this data breach could have been avoided had Facebook implemented the following API security controls:
- Enforce and test authorization on all external and internal APIs
- Define, test, and enforce limits on incoming and returned payloads, including the number of elements
- Implement Rate Limiting
- Implement Monitoring
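To show what the four controls above look like in code, here is an added example written for this article (it is not Facebook or MuleSoft code). It applies them to a toy profile API: object-level authorization on updates, field filtering so callers only see the data they are entitled to, a cap on the number of elements in a request payload, a sliding-window rate limit per caller, and an audit log as the monitoring hook. The profiles, limits and callers are constructed sample data.

```python
"""Object-level authorization, payload limits, rate limiting and monitoring
applied to a toy profile API. Illustrative code for this article; the data,
limits and names below are constructed, not taken from any real system."""
import time
from collections import defaultdict, deque

# Constructed sample store: each profile has an owner and some private fields.
PROFILES = {
    1: {"id": 1, "owner": "alice", "name": "Alice", "email": "alice@example.test", "phone": "555-0100"},
    2: {"id": 2, "owner": "bob", "name": "Bob", "email": "bob@example.test", "phone": "555-0101"},
}

PUBLIC_FIELDS = {"id", "name"}   # fields any authenticated caller may see
MAX_LOOKUP_IDS = 5               # payload limit: ids per lookup request
RATE_LIMIT = 3                   # requests per window per caller
WINDOW_SECONDS = 60

AUDIT_LOG = []                   # monitoring: one entry per decision
_calls = defaultdict(deque)      # caller -> timestamps of recent requests


def reset_state():
    """Clear rate-limit and audit state (useful between test runs)."""
    AUDIT_LOG.clear()
    _calls.clear()


def _audit(caller, outcome, detail):
    AUDIT_LOG.append({"caller": caller, "outcome": outcome, "detail": detail})


def _rate_limited(caller, now):
    """Sliding window: allow at most RATE_LIMIT calls per WINDOW_SECONDS."""
    q = _calls[caller]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def _filter_fields(profile, caller):
    """Excessive data exposure control: only the owner sees private fields."""
    if profile["owner"] == caller:
        return dict(profile)
    return {k: v for k, v in profile.items() if k in PUBLIC_FIELDS}


def update_profile(caller, profile_id, changes, now=None):
    """Object-level authorization: only the owner may modify a profile."""
    now = time.time() if now is None else now
    if _rate_limited(caller, now):
        _audit(caller, "deny", "rate limit exceeded")
        return 429, {"error": "too many requests"}
    profile = PROFILES.get(profile_id)
    if profile is None:
        _audit(caller, "deny", f"profile {profile_id} not found")
        return 404, {"error": "not found"}
    if profile["owner"] != caller:
        # The BOLA check: the id being valid is not enough, the caller must own it.
        _audit(caller, "deny", f"not owner of profile {profile_id}")
        return 403, {"error": "forbidden"}
    profile.update({k: v for k, v in changes.items() if k in ("name", "email", "phone")})
    _audit(caller, "allow", f"updated profile {profile_id}")
    return 200, _filter_fields(profile, caller)


def lookup_profiles(caller, ids, now=None):
    """Bulk lookup with a payload element limit and per-object field filtering."""
    now = time.time() if now is None else now
    if _rate_limited(caller, now):
        _audit(caller, "deny", "rate limit exceeded")
        return 429, {"error": "too many requests"}
    if len(ids) > MAX_LOOKUP_IDS:
        _audit(caller, "deny", f"payload has {len(ids)} ids > {MAX_LOOKUP_IDS}")
        return 413, {"error": "too many ids in request"}
    results = [_filter_fields(PROFILES[pid], caller) for pid in ids if pid in PROFILES]
    _audit(caller, "allow", f"returned {len(results)} profiles")
    return 200, {"profiles": results}
```

The lookup path is the one the breach narrative above describes: without the element cap and the rate limit, a caller can enumerate ids in bulk, and without field filtering every profile returned carries its private fields. The audit entries are what a monitoring system would alert on when the "deny" rate for one caller spikes.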
Facebook is not alone with hackers exploiting flaws in their APIs. Parler, Clubhouse, Venmo, and hundreds of others have made headlines with data breaches occurring directly through their APIs. This coincides with the report released by Salt Security that in 2020, 91% of organizations in their survey reported an API security incident.
With the ever-increasing demand for faster, more agile development to support integrations, how is an organization able to manage automated security controls and enforce security policies across all of their APIs and integrations?
Let us introduce you to MuleSoft Anypoint Security.
Solution: MuleSoft Anypoint Security
Anypoint Security is part of the MuleSoft Anypoint Platform and gives users a way to secure their entire application network in a layered approach.
MuleSoft accomplishes this by providing secret store management, tokenization, access control to APIs, API policy enforcement, inbound and outbound proxying, rate limiting, and a plethora of other security features that follow OWASP recommended procedures.
Anypoint Security Features
Policies
Holistically, Anypoint Security provides access to policies that serve as traffic filters for threat detection and prevention. These policies will work hand in hand with Mule application-level policies that are set within the API Manager.
Policies available for use within Anypoint Security and API Manager:
- Denial-of-Service (DoS)
- IP whitelist
- HTTP Limits (TCP protocol message size and headers)
- Web Application Firewall (OWASP Core Rule Set)
- Rate Limiting
- OAuth
- Authorization and Accounting (AAA)
- Advanced TLS
- Basic TLS
- API Gateway Policies
In many instances, enabling these policies on application nodes is as easy as toggling a switch from within the Anypoint Security platform.
Secrets Manager
Anypoint Security Secrets Manager gives an organization the ability to securely store TLS certificates and keystores for MuleSoft deployments. It also lets you create secret groups, so that access to and authorization for secrets can be segmented at a granular level within your organization.
MuleSoft Anypoint Security currently supports the following secret types:
- TLS Context
- Keystore
- Truststore
- Certificates
- Certificate Pin Set
- CRL Distributor
Tokenization Service
Tokenization services through Anypoint Security replace sensitive data, such as credit card numbers, PII, PHI, or any other information deemed sensitive, with unique tokens so that the original values are not exposed. Anypoint Tokenization can issue format-preserving tokens, which keep the data's original format so that tokens work with existing data structures and data validation systems.
Masking options are also available within the Tokenization service to hide sensitive data.
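As an added illustration of the two ideas above (written for this article, not MuleSoft's Anypoint Tokenization implementation), the following toy vault issues format-preserving tokens and provides a masking helper. "Format-preserving" here means the token keeps the length, the character classes (digit, upper-case, lower-case) and the separators of the original, and optionally leaves a trailing run of characters unchanged; the mapping from token to value lives only in the vault. The card number and other sample values are constructed.

```python
"""Toy tokenization vault with format-preserving tokens plus a masking helper.
Illustrative code for this article; not a MuleSoft product implementation.
Sample values are constructed."""
import secrets
import string


class TokenVault:
    """Maps sensitive values to random tokens that keep the original layout."""

    def __init__(self, keep_last=0):
        self.keep_last = keep_last   # trailing characters left unchanged (e.g. last 4 of a card)
        self._to_token = {}
        self._to_value = {}

    def _random_same_shape(self, value):
        """Build a token with the same length, character classes and separators."""
        n = len(value)
        out = []
        for i, ch in enumerate(value):
            if i >= n - self.keep_last:
                out.append(ch)                       # preserved tail
            elif ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)                       # separators such as ' ' or '-' are kept
        return "".join(out)

    def tokenize(self, value):
        """Return the token for value, issuing a fresh one on first sight."""
        if value in self._to_token:
            return self._to_token[value]
        mutable = sum(1 for i, ch in enumerate(value) if ch.isalnum() and i < len(value) - self.keep_last)
        if mutable == 0:
            raise ValueError("value has no characters that can be replaced by a token")
        while True:
            token = self._random_same_shape(value)
            # Never hand back the original value, and keep tokens unique in the vault.
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        """Look the original value up; only code with vault access can do this."""
        return self._to_value[token]


def mask(value, visible_last=4, mask_char="*"):
    """Masking: hide all alphanumerics except the last `visible_last`, keeping separators."""
    n = len(value)
    return "".join(
        ch if (not ch.isalnum() or i >= n - visible_last) else mask_char
        for i, ch in enumerate(value)
    )


def same_shape(a, b):
    """True when a and b have identical length, character classes and separators."""
    if len(a) != len(b):
        return False
    return all(
        (x.isdigit() and y.isdigit())
        or (x.isalpha() and y.isalpha() and x.isupper() == y.isupper())
        or (not x.isalnum() and x == y)
        for x, y in zip(a, b)
    )
```

The difference between the two helpers is the point of the section: a masked value is irreversible and meant for display, whereas a token can be exchanged back for the original, but only by something that holds the vault. Downstream systems that validate "16 digits in groups of four" accept the token unchanged because the shape is preserved.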
Next Steps
The API economy continues to grow…FAST!!! Demand for connected services and faster deployments is driving massive growth in API usage. In other words, demand for API integration isn’t going away.
With the increase in access to critical information, the need to secure the data and data channels has grown exponentially. For many, this requirement is driven by industry compliance standards, but all sectors should have an unwavering focus on data security and protecting sensitive information.
Successful API integrations, management, and security are critical to ensuring your sensitive data doesn’t become a headline. A secure management system is also fundamental in creating a high-maturity API ecosystem.
MuleSoft Anypoint Security is a valuable tool to securely manage your APIs — giving you peace of mind as you deploy and integrate your core business with the growing API world.