Stay ahead of API security risks with our latest F5 Distributed Cloud Services release

Ian DinnoSr. Product Marketing Manager

As APIs continue to evolve as the cornerstone of modern applications, especially for AI applications, organizations face mounting challenges in protecting them from emerging security risks. Maintaining visibility, detecting vulnerabilities, and ensuring robust protection are non-negotiables for any API-driven business.

As part of the F5 Application Delivery and Security Platform (ADSP), in our latest F5 Distributed Cloud Services release, we’re introducing many new enhancements designed to tackle these challenges head-on with greater flexibility and efficiency. This release brings exciting, new API discovery options, expanded testing scenarios, and enhanced detection capabilities—all geared toward reducing API security risks while improving overall visibility and compliance.

Let’s explore these new capabilities in more detail.

Expanded API discovery options

Effective discovery of APIs is critical to addressing constantly changing API inventories, particularly with the growing number of shadow and unmanaged APIs that can become security blind spots. Now, with the introduction within F5 ADSP of expanded discovery options for F5 BIG-IP and F5 NGINX, additional proxies/gateways, and air-gapped environments, organizations have greater flexibility to uncover and secure APIs across their diverse apps and environments. Each new discovery option is tailored to meet unique app and infrastructure requirements, offering organizations a more comprehensive set of capabilities to enhance API visibility.

• API discovery for BIG-IP: For organizations leveraging BIG-IP TMOS, we’re extending our F5 Distributed Cloud API Security discovery capabilities with out-of-band API discovery options. This enables BIG-IP customers (with versions 15.1 and up) to inspect API traffic processed through their virtual servers with clear visualization in the console of Distributed Cloud Services. Through this integration, BIG-IP customers gain the ability to take full control of their APIs by detecting unknown, shadow, and deprecated APIs, enriching their API inventories with precise and up-to-date documentation, and seamlessly managing API security through a unified solution from a single vendor. (You can see it in action here.)
• API discovery support for additional proxies and gateways (early access): API requests often flow through a variety of proxies and gateways, making it difficult for organizations to maintain comprehensive visibility into their entire API ecosystem. Understanding all APIs, regardless of deployment location, the services in front of them, or how requests move across the infrastructure, empowers organizations to monitor behavior, detect potential threats, and address API sprawl more effectively. This visibility is vital for consistent API security across diverse environments.
  
  With this release, we’ve extended out-of-band API discovery capabilities to NGINX OSS, NGINX Plus, Kong, and Apigee proxies with verified integrations and introduced a universal discovery solution enabling log collection from virtually any gateway or proxy, allowing organizations to analyze API activity, detect unmanaged APIs, and visualize their API ecosystem centrally within the the console of Distributed Cloud Services.
  
  This is currently available in early access, presenting the opportunity for organizations with a variety of gateways and proxy technologies to test out how they can strengthen their API security posture.
• Local API discovery (early access): As part of this latest release, we now offer local API discovery for air-gapped and regulated environments, where external data sharing isn’t an option due to compliance or security constraints. Using deployable software for local API discovery with a dedicated console, organizations can gain insight into APIs flowing through their BIG-IP virtual servers 100% locally, without sending any sensitive data to the cloud. Local API discovery has been designed for industries operating in tightly controlled or cloud-constrained environments.
  
  This is also currently available in early access, enabling organizations with air-gapped environments to test out how they can strengthen their API security posture and meet compliance or regulatory requirements.

These expanded API discovery capabilities enable businesses to detect shadow (unknown), unmanaged, or forgotten APIs, generate OpenAPI schemas and documentation, and enrich API inventories with sensitive data detection and risk insights.

By offering the flexibility to meet diverse app architectures and security/compliance requirements, these new options empower organizations to address evolving API security challenges with ease without having to make changes to their applications, major architectural decisions, and/or compliance tradeoffs for the sake of API security.

Expanded API testing suite with new scenarios

Continuing to strengthen the proactive security capabilities offered via F5 Distributed Cloud API Security, this release expands the breadth of API testing capabilities available in the service, covering more vulnerabilities identified in the OWASP API Top 10. Specifically, new scenarios have been added that enable organizations to test for API1 (Broken Object Level Authorization) and API4 (Unrestricted Resource Consumption) vulnerabilities. These additions help organizations understand any hidden risks within their API code that can lead to:

• Unauthorized access to resources.
• Insecure token handling.
• Excessive data exposure.
• Resource saturation and misconfigurations.

By enriching our API testing suite, organizations will be able to detect a wider range of potential vulnerabilities earlier in the development lifecycle through integration with and automated testing of API code repositories. Organizations may then implement remediation before production, significantly reducing exposure and the potential for exploits across their API threat surface.

Enhanced threat detection across OWASP API Top 10 vulnerabilities

Not only have we enhanced our API testing, but we are also continuing to improve our traffic-based threat detection mechanisms because we know securing APIs against emerging threats is a continuous challenge and that you, our customers, need protection against a broad range of evolving threats.

With this latest release, we’ve strengthened many of our existing detection capabilities with some new additions to improve protection against critical OWASP API Top 10 threats, giving organizations deeper insights into attack or exploit attempts and suspicious API activity in production.

Here are the new detection capabilities at a glance:

• Detect Broken Object Property Level Authorization (BOPLA) attacks: Improved detection for BOPLA exploits helps spot abuse of request parameters in API requests. By detecting these anomalies, organizations can better prevent attacks exploiting BOPLA vulnerabilities that can lead to data leaks and privilege escalation attempts.
• Automatic Extraction of JWT: By identifying and extracting JWTs in API requests, we improve user/client identification and tracking. This is critical for Broken Object Level Authorization (BOLA) detection, and provides improved accuracy and attack traceability for long-term security insights.
• Broken Authentication detection enhancements: The new release flags incidents of unauthenticated access on endpoints that require authentication, ensuring critical vulnerabilities in authentication logic are immediately visible. These insights enable rapid corrective measures to be enacted to tighten API endpoint security.
• Improved Anomaly Detection for Broken Function Level Authorization (BFLA) attacks: Our expanded anomaly detection capabilities help identify potential BFLA exploits targeting administrative endpoints. By verifying proper “claims” for authenticated users, organizations gain real-time evidence of unauthorized attempts targeting sensitive admin functions.

These detection enhancements empower organizations to gain real-time visibility into critical attack attempts, such as BOLA, BOPLA, BFLA, and Broken Authentication vulnerabilities. By identifying threats accurately, organizations can maintain a strong security posture across complex API ecosystems and more proactively prevent attacks and exploits. With these capabilities, organizations are better equipped to safeguard their APIs and reduce their API security risk.

Building security into the API lifecycle

With expanded API discovery, testing, and detection capabilities, this release highlights a continued commitment from F5 through our Application Delivery and Security Platform to empower organizations to improve security across the entire API lifecycle. From uncovering shadow or deprecated APIs more effectively across all apps and architectures regardless of deployment method, to mitigating early-stage vulnerabilities and more effectively detecting live threats, we’re committed to helping you maintain visibility and control in the most complex, distributed, and diverse app and API ecosystems.

To learn more, read our press release. Also, explore F5s complete set of API security capabilities today via our product page and take the next step toward optimizing your API security posture with F5.

For customers interested in the early access offerings mentioned here, be sure to connect with your local F5 account team for more details.

About the Author

Ian DinnoSr. Product Marketing Manager

More blogs by Ian Dinno