In this guest blog post, Srija Reddy Allam, Cloud Security Architect at Fortinet, describes the usefulness and vulnerability of APIs in modern business as well as how to secure them with Fortinet solutions.
Applications and application programming interfaces (APIs) have become integral parts of modern business. Whether we are using our phones, visiting websites, or interacting with applications, it's the APIs that perform the tasks behind the scenes. Despite their significance, these applications and APIs are highly vulnerable, posing a potential threat to business operations. According to Forbes, in 2023, hackers gained access to the health information of more than 41 million people in U.S. hospitals and doctors’ offices with API data transferred in healthcare services.
In today's rapidly evolving cybersecurity landscape, modern businesses often encounter a myriad of challenges when it comes to securing their APIs and web applications. Let's delve into a common scenario that illustrates these challenges:
Consider a fictional e-commerce company, Acme Corp, which operates a popular online marketplace where customers can browse and purchase various tech products. Acme relies heavily on its web application to provide a seamless shopping experience for its users, with APIs facilitating communication between different components of the system. Now, imagine that Acme Corp’s website experiences a surge in traffic during a highly anticipated flash sale event. Cybercriminals, aware of the increased activity, launch a coordinated attack aimed at exploiting vulnerabilities in its APIs and web applications, potentially leading to data breaches, unauthorized access, or service disruptions and zero-day exploits. As cyber threats evolve, attackers may leverage previously unknown vulnerabilities to bypass traditional security measures and compromise the integrity of web assets.
Authentication and authorization mechanisms play a pivotal role in safeguarding APIs and web applications. Without robust identity verification processes in place, the company risks unauthorized access to its systems, potentially leading to data theft or manipulation.
Insufficient monitoring poses another challenge. Without real-time visibility into API traffic, shadow APIs, and web application activity, the company may struggle to detect and respond to security incidents promptly. This lack of monitoring could allow attackers to exploit vulnerabilities undetected, resulting in prolonged exposure to cyber threats.
Lastly, web app and API changes add another layer of complexity to Acme Corp’s security efforts. As the company updates its APIs to introduce new features or address vulnerabilities, ensuring continuous learning about parameters and APIs, providing updated security without disruption to operation is crucial.
In response to these challenges, companies rely on web application firewalls (WAFs) with API security measures as frontline defenders against cyberthreats. FortiWeb WAF helps safeguard against common vulnerabilities like injection attacks and cross-site scripting, zero-day threats, API security, and many others, ensuring the integrity of web assets and mitigating the risk of data breaches or service disruptions.
As a cloud security architect at Fortinet, I will describe the problems, features, and most widely adopted architecture to ensure the safety of your web applications and APIs.
Fortinet and Microsoft Azure address these key issues
It is crucial to safeguard your applications with a web application and API firewall. A Fortinet FortiWeb (Cloud/SaaS and VM offering) subscription from Microsoft Azure Marketplace, available with a 14-day free trial, helps you solve and mitigate the aforementioned challenges.
FortiWeb Cloud’s main features include:
1. Web application security
- Known signature database: FortiWeb cloud incorporates a robust known signature database, fueled by FortiGuard Labs, to defend against established threats. Leveraging this database, it adeptly identifies malicious messages within HTTP requests directed at web servers. Additionally, it extends its protective capabilities to safeguard sensitive information through features such as file protection, information leakage prevention, and cookie security. It provides better exposure management through continuous monitoring, signatures, threat intelligence integration, and regular penetration testing.
- Anomaly detection with machine learning (ML): To thwart zero-day and sophisticated threats, FortiWeb Cloud uses ML-driven anomaly detection. With continuous learning, the system distinguishes malicious behavior from standard client actions to deliver a proactive defense against emerging threats.
- Bot mitigation: To safeguard websites and APIs against automated attacks, the Bot Mitigation module offers comprehensive features for identifying bots, including biometrics and the analysis of suspicious traffic patterns. The ML-based bot identification capability detects abnormal user behavior, such as unusual amounts of HTTP requests or TCP connections, to enhance protection against malicious activities.
2. API security
- Schema-based security: FortiWeb Cloud provides versatility by seamlessly adapting to various API structures including OpenAPI/Swagger framework, JSON, or XML/SOAP formats. It provides schema-based validation to prevent vulnerabilities like API-based security misconfigurations and SQL injection attacks.
- ML-based API discovery: The presence of undocumented (shadow) APIs poses a huge threat to applications. FortiWeb Cloud addresses this by offering ML-based API discovery and anomaly detection, ensuring the protection of API endpoints that are not documented. It provides schema security by learning the REST API data endpoints from user traffic and enhances threat protection by analyzing the patterns of parameters in API requests.
- API gateway: The API gateway feature on FortiWeb Cloud provides access management capabilities, allowing for the efficient administration of API users. It facilitates the generation and verification of API keys, implements rate limiting, and enables precise control over user access.
3. Logging and threat analytics
- FortiWeb Cloud offers a comprehensive threat management system, providing a detailed list of threats across all applications, along with in-depth attack information for troubleshooting and analysis. Real-time export of traffic logs to Azure Blob Storage enables long-term storage, facilitating continuous monitoring, analysis, and alerting.
- The Threat Analytics feature, a unique benefit offered by FortiWeb Cloud, employs ML algorithms to identify attack patterns across the entire application landscape. It aggregates these patterns into security incidents, assigning severity levels. For SOC teams, this functionality aids in providing security posture by distinguishing real threats from informational alerts and false positives in their SecOps lifecycle, allowing focused attention to the most critical security concerns.
Recommended Azure architecture
The below-recommended architecture ensures robust security for workloads and applications across various Azure deployment scenarios, including virtual machines (VMs), serverless apps/app services, Azure API Management (APIM Service), and Azure Kubernetes Service (AKS). Leveraging FortiWeb Cloud provides a front-line defense against web-based threats. FortiWeb seamlessly integrates with Azure Front Door (CDN) to reduce latency for application traffic and providing advanced security. Azure Load Balancers optimize performance and health checks, while FortiGate instances, deployed as Azure Network Virtual Appliances, serve as Next Generation Firewalls (NGFWs) to enforce security policies. Workloads in different Virtual Networks (VNETs) are strategically peered to a dedicated Security VNET, streamlining traffic through the NGFW for comprehensive protection. This architecture offers a versatile and scalable security solution, ensuring the resilience of applications across diverse Azure deployment models.
Figure 1. Architecture recommended by Fortinet to ensure robust security for workloads and applications.
FortiWeb Cloud emerges as a robust solution by solving challenges in Azure like scalability, seamless integration with Azure-native services, blocking attacks before the cloud perimeter, security posture, and visibility. With globally distributed caching centers, FortiWeb Cloud reduces latency and helps with scaling coverage of your applications for users all around the planet. FortiWeb Cloud seamlessly integrates with key Azure services such as AKS, APIM, App Services, and Front Door, offering enhanced security for applications without requiring significant changes to existing infrastructure. DevSecOps lifecycles will benefit by integrating threat intelligence from FortiWeb Cloud to reduce alert fatigue and SOC teams can improve cloud posture and visibility. All of these features come in a hosted and managed Software as a Service and integrate seamlessly into Fortinet’s Security Fabric to provide a strong shield for Azure cloud infrastructures.