APIs make it easier to integrate services, connect data, or make updates, which is why they’re so prevalent in modern applications. As organizations continue to modernize their app portfolios, the number of APIs in use is projected to exceed one billion by 2031.[1] Tracking—let alone securing—all of those APIs is a challenge, leaving organizations with a number of unmanaged “shadow” APIs in their environment.
Unfortunately, attackers have realized that APIs are often an easier target than applications, demonstrated by the fact that 90% of web-based cyberattacks target API endpoints, per F5 analysis.[2] Unmanaged APIs create a particular risk, as you can’t secure what you can’t see. Many APIs are also built by different teams or even other companies than those building the apps, limiting visibility into potential risks.
Navigating APIs and the shared responsibility model
Effectively managing and securing large volumes of APIs requires a multi-layered solution. For AWS users, Amazon API Gateway is a fully managed service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. API Gateway supports a variety of backend integrations, enabling containerized, serverless, and traditional instance-based workloads.
However, security is a shared responsibility between AWS and its customers. While AWS is responsible for protecting infrastructure and services, customers must also secure their data and applications.
AWS recommends the following security design principles.[3]
- Mitigate distributed denial-of-service (DDoS) attack effects
- Implement inspection and protection using a web application firewall (WAF)
- Enable auditing and traceability with near real-time monitoring
- Automate security best practices
- Apply security at all layers for a defense-in-depth approach
Secure APIs on AWS with F5
As an AWS partner, F5 offers security that works with Amazon API Gateway to secure your apps and APIs. F5 BIG-IP Advanced WAF or F5 Distributed Cloud WAF can identify malicious traffic trying to reach the Amazon API Gateway or your API services. You can deploy the WAF in front of or behind Amazon API Gateway. However, deploying it in front of the gateway has the added benefit of preventing malicious API calls that will cost you money.
F5 WAF solutions use behavioral analytics to accurately identify threats and provide layer 7 DoS mitigation, application-layer encryption, and threat intelligence services. Deploying a WAF protects your applications and APIs against attacks, including those in the OWASP Top 10.
Another important requirement for API protection is discovery. Integrate F5 Distributed Cloud API Security with your CI/CD pipeline to capture API changes without disrupting the development process. Upload an existing API schema to enforce appropriate API behavior and automatically generate policies based on app-to-app and API-to-API patterns. F5 Distributed Cloud API Security also controls connections and monitors for anomalous behavior in API traffic, allowing it to block suspicious activity.
Bots pose another major threat to API security. Several of the OWASP API Security Top 10 threats are weaknesses that can be easily exploited by bots, such as unrestricted resource consumption or broken authentication. Adding F5 Distributed Cloud Bot Defense enables a combination of human experts and machine learning to detect malicious bot traffic while admitting legitimate users and helpful bots.
Get multi-layered API security
F5 offers everything you need to protect your APIs with F5 Distributed Cloud Web App and API Protection (WAAP), providing multi-layered security with unified management. Distributed Cloud WAAP brings consistent security to your apps and APIs no matter where they’re deployed—on AWS, other public or private clouds, on premises, or at the edge.
F5 Distributed Cloud WAAP is available on the AWS Marketplace, so you can easily add protection and uphold your end of the shared responsibility model.
Learn more about F5 solutions for AWS at f5.com/aws.
Sources
1. F5, Continuous API Sprawl, Nov. 2021
2. F5, F5 Is Shifting Left to Protect APIs, Feb. 2024
3. Amazon, Security Overview of Amazon API Gateway: AWS Whitepaper, 2023