
How AppSentinels aligns with Gartner API Security Recommendations

Apurva Prakash
Marketing Manager @ AppSentinels

The Gartner research paper “What You Need to Do to Protect Your APIs” outlines key requirements for bolstering API security measures. In this blog post, we’ll delve deeper into these requirements as introduced by Gartner, explain their significance, and demonstrate how AppSentinels offers comprehensive solutions for each requirement.

Step #1 – Discovery:

As per Gartner, the second step is to assess the security of these APIs. This includes identifying risks such as configuration errors and breaches of compliance standards. AppSentinels conducts comprehensive evaluations to uncover vulnerabilities, including Common Weakness Enumerations (CWEs), OWASP API & Web Top 10 techniques, and critical CVEs, to identify gaps. It also detects shadow, dormant, or orphaned APIs, as well as unauthenticated APIs and API access patterns from both public and internal addresses, and flags these for review to catch possible human errors. Additionally, AppSentinels leverages its 5-stage advanced data classification engine to discern the types of data handled by APIs, enabling organizations to maintain control over users’ PII and ensure compliance with regulations such as GDPR and HIPAA.

Step #2 – Posture Management:

Broken Object Level Authorization (BOLA), Broken Function Level Authorization (BFLA), and Security Misconfigurations are three unchanged OWASP Top 10 API vulnerability categories in the 2023 list. Positions for BOLA and BFLA remain unchanged, while Security Misconfigurations went down by one place.

BOLA remains a go-to attack vector for malicious users and holds the #1 position, as fine-grained object-level authorization mechanisms are complex and challenging to implement.

Step #3 – Testing:

Every organization is striving to accelerate innovation. In this rush, organizations sometimes struggle even to complete happy-path testing, and security testing is usually the first casualty. The problem is further compounded because traditional AST tools, such as SAST, DAST, or IAST, treat APIs as stateless entities and can’t effectively test API security workflows. To work around this, organizations rely on ad-hoc pen-testing or run expensive bug-bounty programs. Gartner further suggests that testing should be embedded in the development life cycle, so that vulnerabilities can be remediated as they are uncovered and before they are pushed into production.

AppSentinels offers the industry’s first Intelligent, Stateful automated API pen-tester, which conducts automated testing that covers OWASP Top 10, OWASP API Top 10 techniques, and business logic flaws. It tests complete API workflows, not just single stateless APIs. It further ensures every API is tested with all applicable varieties of test suites. It’s like having an army of pen testers working and continuously testing applications against security flaws. This helps organizations build secure code FASTER.

Step #4 – Protection:

As APIs transition to production environments, they require runtime protection against potential attacks. Adequate API protection requires a deep understanding of application behavior in order to differentiate regular from malicious requests. AppSentinels AI/ML models do this by building a deep understanding of the application behavior, including happy-path scenarios and critical workflows.

AppSentinels monitors every user interaction and swiftly detects outliers indicative of malicious activity. It can identify events like data leakages, tampering, and automated attacks, and can also block malicious API sessions that bypass authentication or authorization privileges.

AppSentinels can block API sessions or threat actors on its own, or via the numerous integrations it supports with API Gateways (API-GW) or Web Application Firewalls (WAFs).

AppSentinels’ full-lifecycle API Security Platform aligns seamlessly with Gartner’s best practices for API security, offering robust solutions across discovery, posture management, testing, and protection.

Frequently Asked Questions

Why does Gartner specifically call out BOLA and BFLA as the most persistent API vulnerabilities?

BOLA (Broken Object Level Authorization) and BFLA (Broken Function Level Authorization) remain the top two OWASP API vulnerabilities not because they’re new but because fine-grained, per-object authorization is genuinely difficult to implement correctly at scale. Developers often implement function-level checks but miss object-level validation — meaning a user can access their own account (correct) but also access others’ records by manipulating identifiers. These flaws are endemic across industries precisely because the fix requires disciplined enforcement at every data access point.
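The distinction drawn above, a function-level check that passes but no object-level check tying the identifier to the caller, is easiest to see in code. The following is an added example written for this post, not AppSentinels code: an in-memory record store with a constructed pair of handlers, `get_record_vulnerable` and `get_record_hardened`, and a `Principal`/role model that is an assumption for illustration. Both handlers run the same function-level (BFLA) guard; only the hardened one enforces ownership at the data access point.

```python
"""Object-level authorization: a BOLA-vulnerable handler beside its hardened form.

Added example, not AppSentinels code. RECORDS, Principal, the roles and both
handlers are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample data: records belonging to two different users, keyed by identifier.
RECORDS = {
    101: {"owner": "alice", "balance": 250},
    102: {"owner": "bob", "balance": 9000},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # assumed roles: "user" or "admin"


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def require_role(principal: Principal, allowed: set[str]) -> None:
    """Function-level check (the BFLA guard): may this caller invoke this endpoint at all?"""
    if principal.role not in allowed:
        raise Forbidden(f"role {principal.role!r} may not call this function")


def get_record_vulnerable(principal: Principal, record_id: int) -> dict:
    """BOLA-vulnerable: the function-level check passes for any logged-in user, but
    nothing ties record_id back to the caller, so alice can read bob's record just by
    changing the identifier in the request."""
    require_role(principal, {"user", "admin"})
    record = RECORDS.get(record_id)
    if record is None:
        raise NotFound(record_id)
    return record


def get_record_hardened(principal: Principal, record_id: int) -> dict:
    """Hardened: after the function-level check, enforce ownership at the data access
    point. A non-owner gets NotFound rather than Forbidden so the response does not
    confirm that the identifier exists."""
    require_role(principal, {"user", "admin"})
    record = RECORDS.get(record_id)
    if record is None or (principal.role != "admin" and record["owner"] != principal.user_id):
        raise NotFound(record_id)
    return record


def probe(handler, principal: Principal, record_id: int) -> str:
    """Run a handler and reduce the outcome to a label so the two variants can be compared."""
    try:
        handler(principal, record_id)
        return "allowed"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    alice = Principal("alice", "user")
    for name, handler in (("vulnerable", get_record_vulnerable), ("hardened", get_record_hardened)):
        print(f"{name}: alice->101 {probe(handler, alice, 101)}, alice->102 {probe(handler, alice, 102)}")
```

The ownership predicate lives next to the lookup rather than in a middleware layer, which is the "enforcement at every data access point" the answer refers to: a check that only inspects the route cannot know which object the identifier resolves to.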

How does AppSentinels’ five-stage data classification engine support compliance requirements?

AppSentinels’ data classification engine automatically identifies what types of data — PII, financial records, health information, government identifiers — APIs are handling and transmitting. This is foundational for GDPR and HIPAA compliance, which require organizations to know what sensitive data they hold, where it flows, and how it’s protected. Without automated classification, this visibility requires expensive manual audits. Continuous classification ensures compliance posture updates as APIs evolve, eliminating the data-mapping blind spots that regulators specifically target during investigations.
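To make the classification idea concrete, here is an added example (not AppSentinels' engine, whose stages are not described on this page) that walks a JSON API response and labels each field with the data categories the answer lists. The sample response, the `VALUE_PATTERNS` regexes and the `KEY_HINTS` field-name heuristics are all constructed assumptions; a Luhn checksum is used to keep random digit strings out of the card-number class.

```python
"""Classify the kinds of sensitive data a JSON API response carries.

Added example, not AppSentinels' classification engine. The sample payload,
the value regexes and the field-name hints are constructed for illustration.
"""
import json
import re

# Constructed sample body from a hypothetical /api/v1/patients/{id} endpoint.
SAMPLE_RESPONSE = json.dumps({
    "id": 42,
    "email": "jane.doe@example.com",
    "ssn": "123-45-6789",
    "card": {"number": "4111111111111111", "exp": "12/29"},
    "diagnosis_code": "E11.9",
    "notes": "follow-up in two weeks",
})

# Value-shape detectors (assumed patterns); labels follow the categories named in the answer.
VALUE_PATTERNS = {
    "PII:email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "GOV_ID:ssn_shaped": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "FINANCIAL:card_shaped": re.compile(r"^\d{13,19}$"),
}
# Field-name hints (assumed) catch data whose value has no distinctive shape, e.g. a diagnosis code.
KEY_HINTS = {
    "HEALTH": ("diagnosis", "icd", "prescription"),
    "FINANCIAL": ("iban", "account_number", "card"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(path: str, value) -> set:
    """Labels for one leaf: shape-based on the value, plus name-based on its JSON path."""
    labels = set()
    if isinstance(value, str):
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.match(value):
                if label == "FINANCIAL:card_shaped" and not luhn_ok(value):
                    continue
                labels.add(label)
    lowered = path.lower()
    for label, hints in KEY_HINTS.items():
        if any(hint in lowered for hint in hints):
            labels.add(f"{label}:by_field_name")
    return labels


def walk(obj, path=""):
    """Yield (json_path, value) for every leaf of a nested JSON structure."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from walk(val, f"{path}[{i}]")
    else:
        yield path, obj


def classify_payload(body: str) -> dict:
    """Map each JSON path to the sorted list of data-class labels found for it (unlabelled leaves dropped)."""
    result = {}
    for path, value in walk(json.loads(body)):
        labels = classify_value(path, value)
        if labels:
            result[path] = sorted(labels)
    return result


if __name__ == "__main__":
    for path, labels in classify_payload(SAMPLE_RESPONSE).items():
        print(f"{path}: {', '.join(labels)}")
```

Run per endpoint over sampled responses, the output is an inventory of which routes emit PII, financial, health or government-identifier data; that inventory is what the GDPR and HIPAA "know what you hold and where it flows" obligations the answer mentions actually ask for.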

How does shadow and dormant API detection fit into the Gartner-recommended security posture?

Gartner’s first recommendation — discovery — explicitly covers shadow, dormant, and orphaned APIs. These endpoints represent unmanaged attack surface: they receive no security updates, have no active ownership, and often retain broad access permissions from when they were first deployed. A comprehensive posture management capability must include these forgotten assets in its risk scoring. Dormant APIs are particularly dangerous because they may still be reachable and fully functional — just not actively monitored or included in security assessments.

Why is identifying unauthenticated APIs specifically flagged as a posture management priority?

Unauthenticated APIs represent the starkest security failure — endpoints accessible by anyone on the internet without credentials. These commonly exist due to human error during deployment, intentional shortcuts for “internal” APIs that became externally reachable, or misunderstood scope during API gateway configuration. The Optus breach began with exactly this scenario. Automated identification of unauthenticated endpoints — even internal-facing ones that might have been inadvertently exposed — is therefore one of the highest-priority items in any API posture management program.
