Wallarm updates

Discover the latest features, improvements, and updates in Wallarm API Security

API Security
yesterday

Private APIs at Risk: Q1-2023 API ThreatStats™ Report

According to Gartner's March 2022 API survey, a staggering 98% of organizations currently use or plan to use internal APIs, up from 88% in 2019. Additionally, 90% of organizations utilize or have plans to utilize private APIs provided by partners, up from 68% in 2019.

Focusing solely on protecting your public-facing APIs leaves a significant blind spot in your API security posture. Our latest findings, detailed in the Q1-2023 API ThreatStats™ report infographic, confirm this fact.

In our analysis of publicly released API vulnerabilities during Q1-2023, we observe an increase in the number of vulnerabilities, with severity levels consistently in the High range. However, as past reports have revealed, it's what lies beneath the surface that can have a substantial impact.

For detailed insights, we encourage you to explore the complete report on the Wallarm blog. 

Wallarm team
API Security | ANNOUNCEMENT
2 weeks ago

Bring your Shadow APIs to light

Shadow APIs are undocumented or unmonitored public APIs that pose a significant security risk to an organization. These may include third-party APIs and services that the company uses but does not track, or in-house developed tools for internal or customer use. The new Wallarm API specification comparison feature allows security and operations teams to discover Shadow APIs.

Shadow APIs put businesses at risk: attackers can exploit them to gain access to critical systems, steal valuable data, or disrupt operations. The risk is compounded by the fact that APIs often act as gatekeepers to critical data and that a range of OWASP API vulnerabilities can be exploited to bypass API security. Recent reports highlight that the majority of businesses have Shadow APIs that are vulnerable to attacks, and cybercriminals are increasingly targeting these weaknesses.

With Wallarm's solution, SecOps and Security Analyst teams can now identify Shadow APIs, including external, internal, and third-party-developed APIs. The solution gives security teams the ability to compare and validate their API specifications against the ones automatically built by Wallarm API Discovery. In this way, SecOps and Security Analysts can detect any discrepancies that may indicate the presence of Shadow APIs, allowing them to quickly take action to mitigate potential security risks.

Don't wait until it's too late - start using Wallarm's new Shadow API detection feature today and safeguard your API infrastructure from potential attacks!
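The comparison described above, reduced to its core logic as an added example (this is not Wallarm's code, and the OpenAPI-style fragment, the observed endpoint list and the path-template matching rule are all constructed here): documented path templates are matched against endpoints seen in traffic, and three kinds of discrepancy are reported: endpoints with no documented match at all, documented paths called with an undocumented method, and documented operations that never appear in traffic.

```python
"""Compare a documented API specification with the endpoints observed in traffic.

Added example, not Wallarm's code. The spec fragment, the observed endpoints and the
template matching rule are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed minimal OpenAPI-style inventory: path template -> documented methods.
DOCUMENTED_SPEC = {
    "/api/v1/users/{id}": ["GET", "PUT"],
    "/api/v1/orders": ["GET", "POST"],
    "/api/v1/orders/{id}": ["GET"],
    "/api/v1/reports/export": ["POST"],      # documented but never called
}

# Constructed inventory as a discovery tool would build it from real requests.
OBSERVED_ENDPOINTS = [
    ("GET", "/api/v1/users/42"),
    ("PUT", "/api/v1/users/42"),
    ("DELETE", "/api/v1/users/42"),          # known path, undocumented method
    ("GET", "/api/v1/orders"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/1007"),
    ("GET", "/api/v1/admin/debug/config"),   # shadow endpoint
    ("GET", "/internal/metrics"),            # shadow endpoint
]


def template_to_regex(template):
    """Turn '/users/{id}' into an anchored regex; each {param} matches one path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


@dataclass
class ComparisonResult:
    shadow: list = field(default_factory=list)                # (method, path): no documented match
    undocumented_methods: list = field(default_factory=list)  # (method, path, template)
    unobserved: list = field(default_factory=list)            # (method, template): never seen


def compare_spec_with_traffic(spec, observed):
    """Classify every observed endpoint against the spec and list documented operations never hit."""
    compiled = {tpl: template_to_regex(tpl) for tpl in spec}
    result = ComparisonResult()
    seen_documented = set()
    for method, path in observed:
        template = next((tpl for tpl, rx in compiled.items() if rx.match(path)), None)
        if template is None:
            result.shadow.append((method, path))
        elif method not in spec[template]:
            result.undocumented_methods.append((method, path, template))
        else:
            seen_documented.add((method, template))
    result.unobserved = [(m, tpl) for tpl, methods in spec.items() for m in methods
                         if (m, tpl) not in seen_documented]
    return result


if __name__ == "__main__":
    report = compare_spec_with_traffic(DOCUMENTED_SPEC, OBSERVED_ENDPOINTS)
    for label, rows in (("shadow", report.shadow),
                        ("undocumented method", report.undocumented_methods),
                        ("documented but unobserved", report.unobserved)):
        for row in rows:
            print(f"{label:26} {row}")
```

The anchored regex matters: without `^` and `$`, `/api/v1/orders` would also match `/api/v1/orders/1007` and the per-object route would be silently folded into the collection route. Unobserved operations are worth a look too; a documented route that nobody calls is either dead code that still accepts requests or a sign that the spec is out of date.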

Wallarm team
API Security | IMPROVEMENT
3 months ago

Introducing the Wallarm API Discovery Dashboard

We are thrilled to announce the release of the new API Discovery Dashboard. With this update, you can now more easily monitor sensitive data, track API changes, and identify risky endpoints.

Key new features of the API Discovery Dashboard to materially reduce your risk exposure include:

  • Monitoring Sensitive Data. Get more in-depth insights into what kinds and how much sensitive data are sent in requests to applications and if there are any extra data that shouldn't be there.
  • Tracking API Changes. Get better visibility into any unexpected or undocumented changes in your APIs across your entire portfolio.
  • Identifying Risk Endpoints. Get a greater understanding of your API attack surface with customizable risk scoring to bring the most risky and most attacked endpoints to your immediate attention.

There are many other capabilities offered by the API Discovery module that can improve your API security. For instance, Security analysts and Security DevOps can receive notifications in Slack, SIEMs, SOARs, etc. about changes that occur in their APIs, so they can stay up-to-date and take action right away.

We are sure that the new API Discovery Dashboard and other important capabilities in the API Discovery module make it easier for you to monitor and secure your APIs.

You can find more information about these capabilities in our documentation.

Wallarm team
API Security
5 months ago

Automatic protection from BOLA attacks

Broken Object Level Authorization (BOLA), also known as Insecure Direct Object References (IDOR), is number one in the OWASP API Security Top 10 list. Facebook, Verizon, T-Mobile, Microsoft, and Google are among the companies which have been breached via this vulnerability.

When an application contains a BOLA / IDOR vulnerability, it is very likely to expose sensitive information or data to attackers. All the attackers need to do is exchange the ID of their own resource in the API call with the ID of a resource belonging to another user. Thus, every API endpoint that receives an ID of an object and performs any type of action on the object can be an attack target.

In order to protect your application from BOLA, you need to know all endpoints which can be the target of this vulnerability. This is where Wallarm API Discovery comes in. This module analyzes the structure of your application and finds endpoints in which the object ID is passed. Wallarm automatically creates a trigger to protect endpoints which are most likely to be victims of a BOLA attack. The trigger monitors the number of requests to a specified endpoint and creates a BOLA attack event when trigger thresholds are exceeded.
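Both halves of the story above, as an added example that is not Wallarm's code: a handler that looks up an object by ID without checking ownership, the same handler with object-level authorization, and a threshold trigger of the kind described, which counts requests per client to one endpoint and raises an event when the threshold is exceeded. The in-memory datastore, the request log, and the trigger's criterion (distinct object IDs per client within a time window) are this example's assumptions; the real trigger's thresholds and criteria are whatever is configured in the product.

```python
"""BOLA / IDOR: vulnerable handler, hardened handler, and a per-endpoint request trigger.

Added example, not Wallarm's code. Datastore, request log, threshold and window are
constructed; the distinct-object-ID criterion is an assumption of this example.
"""
from collections import defaultdict

# Constructed datastore: invoice id -> record with its owning user.
INVOICES = {
    101: {"owner": "alice", "amount": 120},
    102: {"owner": "alice", "amount": 75},
    103: {"owner": "bob", "amount": 990},
    104: {"owner": "carol", "amount": 40},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested object."""


def get_invoice_vulnerable(current_user, invoice_id):
    """The caller's identity is never compared with the object's owner: any valid id is served."""
    return INVOICES[invoice_id]


def get_invoice_hardened(current_user, invoice_id):
    """Object-level authorization: look the object up, then enforce ownership before returning it."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        # One response for both 'missing' and 'not yours', so ids cannot be enumerated
        # by telling 403 apart from 404.
        raise Forbidden(f"user {current_user!r} may not access invoice {invoice_id}")
    return record


# Constructed request log: (timestamp_s, client, endpoint template, object id), sorted by time.
REQUEST_LOG = [
    (0, "10.0.0.5", "/invoices/{id}", 101),
    (1, "10.0.0.5", "/invoices/{id}", 102),
    (2, "10.0.0.5", "/invoices/{id}", 103),
    (3, "10.0.0.5", "/invoices/{id}", 104),
    (4, "10.0.0.5", "/invoices/{id}", 105),
    (5, "10.0.0.5", "/invoices/{id}", 106),
    (6, "10.0.0.9", "/invoices/{id}", 101),   # a normal client re-reading its own invoice
    (7, "10.0.0.9", "/invoices/{id}", 101),
    (8, "10.0.0.9", "/invoices/{id}", 101),
    (60, "10.0.0.5", "/invoices/{id}", 107),  # outside the window: no event
]


def bola_trigger(requests, endpoint, threshold, window_seconds):
    """Emit (ts, client, distinct_ids) when one client touches more than `threshold`
    distinct object ids on `endpoint` within `window_seconds`."""
    history = defaultdict(list)   # client -> [(ts, object_id)] within the current window
    events = []
    for ts, client, ep, obj_id in requests:
        if ep != endpoint:
            continue
        window = history[client]
        window.append((ts, obj_id))
        while window and ts - window[0][0] > window_seconds:
            window.pop(0)                      # slide the window forward
        distinct = {oid for _, oid in window}
        if len(distinct) > threshold:
            events.append((ts, client, len(distinct)))
            window.clear()                     # one burst produces one event
    return events


if __name__ == "__main__":
    print("vulnerable:", get_invoice_vulnerable("bob", 101))   # bob reads alice's invoice
    try:
        get_invoice_hardened("bob", 101)
    except Forbidden as exc:
        print("hardened:", exc)
    for event in bola_trigger(REQUEST_LOG, "/invoices/{id}", threshold=4, window_seconds=30):
        print("BOLA event:", event)
```

The trigger is a detection control, not a fix: it surfaces a client walking through object IDs on an endpoint that the discovery module flagged as taking an ID parameter, while the ownership check in the handler is what actually closes the hole. Request-count thresholds also need tuning per endpoint; a client that legitimately lists many of its own objects through a per-object route will look like the burst above unless the threshold accounts for it.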

The trigger for protection from BOLA requires Wallarm Node version 4.2 and higher.

See the Wallarm documentation for more details.

Wallarm team
API Security | IMPROVEMENT
6 months ago

Stay on top of your riskiest endpoints with API Discovery

Your API inventory may contain thousands of endpoints. Some may handle sensitive data, and others may become targets of attack. In addition, your endpoints may have open vulnerabilities with different threat levels. And of course your API inventory is constantly and rapidly changing: new endpoints are added, existing endpoints are changed or removed. With such large amounts of data to assess, it can be difficult to focus on the endpoint issues that have the most significant impact on your security posture.

To keep your applications safe, the Wallarm API Discovery provides the following data:

Which of your endpoints are attacked the most
The Wallarm API Discovery module displays the number of malicious requests (hits) executed against your endpoints on a per-endpoint basis. You can triage your endpoints by filtering and sorting the list to find those that have been attacked the most.
 
Stay on top of your riskiest endpoints
The Wallarm API Discovery module automatically calculates a risk score from 1 (low risk) to 10 (high risk) for each endpoint in your API inventory. The risk score criteria include the presence of sensitive data, the number of parameters passed to the endpoint, etc. This score enables you to understand which endpoints are most likely to be an attack target and therefore should be the focus of your security efforts. For example, an endpoint that handles sensitive data and can be the target of a BOLA attack would have a higher risk score than an endpoint that simply passes a JSON object with several parameters.

You can find more detailed information about these features in our documentation.

Wallarm team
API Security
9 months ago

Analyze and reduce your attack surface

With these new dashboard widgets, you can now easily analyze critical vulnerabilities and identify weaknesses in your system:

  • The CVEs widget shows you what vulnerabilities are being used by attackers when attacking your infrastructure, allowing you to assess the impact and take protective measures as necessary.

  • The Authentication widget shows you which authentication protocols are being targeted by attackers, allowing you to identify weaknesses and compromised credentials, and take preventative steps as necessary.

You can find more detailed information in our documentation.

Wallarm team
API Security
10 months ago

Manage your external and internal APIs separately

When defending your APIs, you need a clear understanding of their structure, what resources they use, and how users or systems interact with them.

The Wallarm API Discovery module automatically determines which API hosts are accessible from external networks and which from internal networks, using real traffic data rather than relying on the documentation provided by the development team. This allows you to analyze your API structure more effectively, enabling you to use different scenarios and approaches for internal vs external resources. For example, it is probably much more critical to know if PII is being transmitted to externally-accessible endpoints as opposed to endpoints which are only internally accessible.
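The traffic-based classification described above, as an added example that is not Wallarm's code: the access-log lines are constructed, and the rule that a host counts as externally reachable as soon as any request to it arrives from a non-RFC 1918 client address is this example's assumption. The 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for Internet clients.

```python
"""Classify API hosts as externally or internally reachable from observed client addresses.

Added example, not Wallarm's code. Log lines are constructed; the classification rule is an
assumption of this example.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 plus loopback and link-local: traffic from these is treated as internal.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed access-log lines: client_ip host method path
ACCESS_LOG = """\
203.0.113.17 api.example.com GET /api/v1/users/42
10.20.30.40 api.example.com GET /api/v1/orders
10.20.30.41 billing.internal.example.com POST /api/v1/invoices
192.168.4.7 billing.internal.example.com GET /api/v1/invoices/9
198.51.100.8 api.example.com POST /api/v1/users/42/profile
""".splitlines()


def is_internal_client(ip_text):
    """True when the address falls in a private, loopback or link-local range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETWORKS)


def classify_hosts(log_lines):
    """Return host -> 'external' | 'internal'. A host is external if any observed
    client address for it is outside the internal ranges."""
    clients = defaultdict(set)
    for line in log_lines:
        client, host, _method, _path = line.split()
        clients[host].add(client)
    return {
        host: "internal" if all(is_internal_client(c) for c in addrs) else "external"
        for host, addrs in clients.items()
    }


if __name__ == "__main__":
    for host, exposure in sorted(classify_hosts(ACCESS_LOG).items()):
        print(f"{host:32} {exposure}")
```

Two caveats when applying this to real logs: behind a load balancer or reverse proxy the connecting address is the proxy's, so the client address has to be taken from a trusted `X-Forwarded-For` (or `Forwarded`) value that the edge sets; and "internal" here only means that no external client was observed, which is exactly why the page's point about using observed traffic rather than documentation cuts both ways: a host believed to be internal that shows a single public client address deserves a look.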

See the Wallarm documentation for more details.

Wallarm team
API Security
10 months ago

Stay up-to-date with changes in your APIs

APIs are like living organisms, always changing and evolving. It is essential to keep track of such changes, as they can seriously affect the security of your entire solution. For example, PII and other sensitive data may unexpectedly begin transferring to an endpoint, or you have a new undocumented endpoint, also known as a Shadow API.

The Wallarm API Discovery module solves these problems. This module continuously keeps track of changes that occur in your APIs and displays them in the Wallarm Console:

  • which endpoints appear in your API structure
  • what changes have occurred in these endpoints
  • which endpoints are no longer called and should be assessed
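The three kinds of change listed above, plus the sensitive-data case the entry opens with, as an added example that is not Wallarm's code: two constructed inventory snapshots (each endpoint with the parameter names observed on it) are diffed to list new endpoints, endpoints that stopped being called, endpoints whose parameters changed, and newly appearing parameters whose names suggest PII. The name-based sensitivity patterns are a simplification chosen for this example.

```python
"""Diff two API inventory snapshots and flag newly appearing sensitive parameters.

Added example, not Wallarm's code. Snapshots and the name-based sensitivity patterns
are constructed for illustration.
"""
import re

# Constructed snapshots: (method, path template) -> set of observed parameter names.
SNAPSHOT_BEFORE = {
    ("GET", "/api/v1/users/{id}"): {"id"},
    ("POST", "/api/v1/orders"): {"sku", "qty"},
    ("GET", "/api/v1/legacy/export"): {"format"},
}
SNAPSHOT_AFTER = {
    ("GET", "/api/v1/users/{id}"): {"id", "email", "ssn"},   # two new, sensitive-looking params
    ("POST", "/api/v1/orders"): {"sku", "qty"},
    ("POST", "/api/v1/orders/bulk"): {"items"},                # endpoint not seen before
}

# Simplified name-based classifier; a real one also inspects observed values.
SENSITIVE_NAME_PATTERNS = {
    "email": re.compile(r"e[-_]?mail", re.IGNORECASE),
    "national_id": re.compile(r"^(ssn|nin|passport)$", re.IGNORECASE),
    "card": re.compile(r"card|pan$|cvv", re.IGNORECASE),
}


def sensitive_kinds(param_name):
    """Return the sorted list of sensitivity categories a parameter name matches."""
    return sorted(kind for kind, rx in SENSITIVE_NAME_PATTERNS.items() if rx.search(param_name))


def diff_snapshots(before, after):
    """Compare two inventories and report what appeared, disappeared, changed, and
    which newly added parameters look sensitive."""
    report = {"new_endpoints": [], "removed_endpoints": [], "changed_endpoints": [], "new_sensitive": []}
    report["new_endpoints"] = sorted(after.keys() - before.keys())
    report["removed_endpoints"] = sorted(before.keys() - after.keys())   # candidates for decommissioning review
    for endpoint in sorted(before.keys() & after.keys()):
        added = sorted(after[endpoint] - before[endpoint])
        dropped = sorted(before[endpoint] - after[endpoint])
        if added or dropped:
            report["changed_endpoints"].append((endpoint, added, dropped))
        for param in added:
            kinds = sensitive_kinds(param)
            if kinds:
                report["new_sensitive"].append((endpoint, param, kinds))
    return report


if __name__ == "__main__":
    for section, rows in diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(section)
        for row in rows:
            print("   ", row)
```

The "removed" list is deliberately phrased as candidates: an endpoint that stops appearing in traffic may still be deployed and reachable, so the useful follow-up is to confirm it was actually retired rather than to assume the risk is gone.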

See the Wallarm documentation for more details.

Wallarm team
API Security | WAAP
10 months ago

Improved visibility of API threats

We have improved our dashboards to make it easier to analyze malicious traffic and identify critical attack vectors:

  • The new API Protocols widget raises the visibility of the system's protocols and the associated attacks. This widget helps you to detect the emergence of new unapproved protocols or track a significant change in the number of attacks. With one click you can go from the widget to the Events tab to analyze the details of attacks on the selected protocol.

  • The Attack Sources and Attack Targets widgets are now more compact, making it easier to analyze the location of threat sources and the assets that these threats are directed at. The Attack Targets widget now has two view options: statistics by domain and statistics by application. This enables you to analyze the attack surface even for misconfigured applications.


See the Wallarm documentation for more details.

Wallarm team
API Security | WAAP
a year ago

Simplified configuration of bruteforce protection

It's now easier to configure protection against API abuse, bruteforce or dirbusting attacks. Use the updated Triggers interface:

  • The Bruteforce trigger defines classic bruteforce attack protection for a specific URI, based on the number of incoming requests.
  • The Forced browsing trigger protects your apps against forced browsing (dirbusting) attacks, based on the number of 404 response codes returned by the application.

In the simplest case, it is enough to enter the URI when creating the trigger. Wallarm will collect statistics from all the distributed Wallarm nodes deployed across your whole infrastructure.


When required, you can also use regular expressions (for example, wildcard URLs) or specify particular request headers (such as cookies) using the advanced view. Read more in our documentation.
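The two trigger types above, evaluated over a constructed request log as an added example (not Wallarm's code): a bruteforce trigger counts every request a client sends to a URI matched by a regular expression, a forced browsing trigger counts only the 404 responses a client receives, and each fires once its count inside a sliding time window exceeds the configured threshold. The thresholds, window lengths and log format are this example's assumptions; the log is read as one stream, which is what counting across all nodes amounts to.

```python
"""Sliding-window bruteforce and forced-browsing (dirbusting) triggers over a request log.

Added example, not Wallarm's code. Log lines, trigger thresholds and windows are constructed.
"""
import re
from collections import defaultdict, deque

# Constructed log lines: timestamp_s client status method path
REQUEST_LOG = """\
0 203.0.113.5 401 POST /api/v1/login
1 203.0.113.5 401 POST /api/v1/login
2 203.0.113.5 401 POST /api/v1/login
3 203.0.113.5 401 POST /api/v1/login
4 203.0.113.5 401 POST /api/v1/login
5 203.0.113.5 401 POST /api/v1/login
6 198.51.100.9 404 GET /archive
7 198.51.100.9 404 GET /test
8 198.51.100.9 404 GET /console
9 198.51.100.9 404 GET /tmp-upload
12 10.0.0.3 200 POST /api/v1/login
30 10.0.0.3 200 GET /api/v1/orders
""".splitlines()

# Constructed trigger definitions. 'uri' is a regular expression, so wildcard-style
# patterns such as r"^/api/v1/.*" work the same way as an exact path.
TRIGGERS = [
    {"name": "login bruteforce", "kind": "bruteforce",
     "uri": re.compile(r"^/api/v1/login$"), "threshold": 5, "window": 10},
    {"name": "dirbusting", "kind": "forced_browsing",
     "uri": re.compile(r"^/"), "threshold": 3, "window": 10},
]


def evaluate_triggers(log_lines, triggers):
    """Return (ts, trigger name, client, count) events; a window resets after it fires."""
    windows = defaultdict(deque)   # (trigger name, client) -> timestamps inside the window
    events = []
    for line in log_lines:
        ts_text, client, status_text, _method, path = line.split()
        ts, status = int(ts_text), int(status_text)
        for trigger in triggers:
            if not trigger["uri"].search(path):
                continue
            if trigger["kind"] == "forced_browsing" and status != 404:
                continue                   # only misses count for dirbusting
            window = windows[(trigger["name"], client)]
            window.append(ts)
            while window and ts - window[0] > trigger["window"]:
                window.popleft()           # slide the window forward
            if len(window) > trigger["threshold"]:
                events.append((ts, trigger["name"], client, len(window)))
                window.clear()             # one burst produces one event
    return events


if __name__ == "__main__":
    for event in evaluate_triggers(REQUEST_LOG, TRIGGERS):
        print("event:", event)
```

Keying the window on the client address is the simplest choice and the weakest one: an attacker spread across many sources stays under a per-IP threshold, which is why the advanced view's option to key on a request header such as a session cookie, or to aggregate on the target URI alone, is worth using for login-style endpoints. Counting across all nodes rather than per node matters for the same reason.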

Note: There is no need to edit your existing rules. However, previous rules “Add forced browsing attack tag to requests”, “Add brute force attacks tag to requests” will no longer be visible in the Rules section.

Wallarm team