Google today announced a preview of Advanced API Security, a new product headed to Google Cloud that's designed to detect security threats as they relate to APIs. Built on Apigee, Google's platform for API management, the company says that customers can request access starting today.
Short for “application programming interface,” APIs are documented connections between computers or between computer programs. API usage is on the rise, with one survey finding that more than 61.6% of developers relied on APIs more in 2021 than in 2020. But they're also increasingly becoming the target of attacks. According to a 2018 report commissioned by cybersecurity vendor Imperva, two-thirds of organizations are exposing unsecured APIs to the public and partners.
Advanced API Security specializes in two tasks: identifying API misconfigurations and detecting bots. The service regularly assesses managed APIs and provides recommended actions when it detects configuration issues, and it uses preconfigured rules to provide a way to identify malicious bots within API traffic. Each rule represents a different type of unusual traffic from a single IP address; if an API traffic pattern meets any of the rules, Advanced API Security reports it as a bot.
“Misconfigured APIs are one of the leading reasons for API security incidents. While identifying and resolving API misconfigurations is a top priority for many organizations, the configuration management process is time consuming and requires considerable resources,” Vikas Ananda, head of product at Google Cloud, said in a blog post shared with TechCrunch ahead of the announcement. “Advanced API Security makes it easier for API teams to identify API proxies that do not conform to security standards. . . . Additionally, Advanced API Security speeds up the process of identifying data breaches by identifying bots that successfully resulted in the HTTP 200 OK success status response code.”
With the launch of Advanced API Security, Google is evidently seeking to bolster its security offerings under Apigee, which it acquired in 2016 for over half a billion dollars. But the company is also responding to increased competition in the API security segment. Startups delivering API-focused cybersecurity products include Salt Security, Noname Security and Neosec. Many established vendors have expanded their offerings in recent years, too, including Barracuda, Akamai, 42Crunch, Traceable, Ping Identity and Signal Sciences.
While the jury's out on just how well these products perform comparatively, the threat of API-borne attacks is very real. Companies like Peloton, Parler and even LinkedIn have fallen victim to API-driven attacks within the last few months. They're not the only ones. According to a recent study by Cloudentity, 44% of companies have experienced “substantial” API authorization issues pertaining to privacy, data leakage and object property exposure with internal and external-facing APIs.