The Gaps in Today's API Security

Regarding traditional API security:

  • Network privacy - Strong encryption to protect data in transit.
  • Rate limiting - Enforcement of traffic rates to throttle client activity.
  • Access control - Validation of user identity and application authorization.
These are already common sense by now.

As for the new threats:

  • Pre-login attacks consist of password guessing or other brute force attempts to compromise API control systems. Attackers often circumvent rate limiting controls by reducing request rates below defined limits. At a minimum, these attacks impact application performance and availability. If successful, hackers may gain access to corporate assets.

  • API/Layer 7 DDoS attacks include multi-node botnet attacks targeting login, session management, or other API services. These attacks attempt to consume resources or crash back-end servers.

  • Post-login attacks are initiated by insiders or hackers with compromised credentials obtained through social engineering, stolen passwords, and other techniques. These attacks are more dangerous as a hacker appears the same as other authorized users and has access to any system authorized for the stolen credentials. Potential data and application attacks include: data exfiltration, deletion or manipulation, memory attacks, taking control of applications, and many other targeted attacks.

These also have to be taken into account.
We have certainly implemented some anti-abuse measures, but they are still insufficient.
Thank you for the comprehensive summary.
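As an added illustration of the pre-login point above (example code, not from the original post or the quoted article), this Python script shows why a per-IP rate limit misses password guessing paced below its threshold, and why counting failures per target account over a longer window still catches it. The log format, IP addresses, account names and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one attacker guesses passwords for the account "alice"
# from three source IPs, spacing attempts so that each IP sends about one
# failure every 90 s. A per-IP limit of 5 failures per minute never fires.
LOG_LINES = [
    f"2024-01-01T00:{i // 2:02d}:{(i % 2) * 30:02d}Z 203.0.113.{1 + i % 3} alice FAIL"
    for i in range(24)  # 24 failed logins spread over 12 minutes
] + ["2024-01-01T00:03:10Z 198.51.100.7 bob OK"]


def parse_line(line):
    """Split a constructed '<timestamp> <src_ip> <user> <result>' log line."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def sliding_window_alerts(lines, key_index, limit, window_s):
    """Return keys (IP or account) that exceed `limit` failed logins within any
    sliding window of `window_s` seconds. key_index 1 = source IP, 2 = account.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)
    alerts = set()
    for line in lines:
        fields = parse_line(line)
        if fields[3] != "FAIL":
            continue
        ts, key = fields[0], fields[key_index]
        q = recent[key]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):  # drop expired failures
            q.popleft()
        if len(q) > limit:
            alerts.add(key)
    return alerts


def per_ip_alerts(lines, limit=5, window_s=60):
    """Classic per-IP rate limit: the attacker stays under it and is not seen."""
    return sliding_window_alerts(lines, 1, limit, window_s)


def per_account_alerts(lines, limit=10, window_s=900):
    """Per-account failure count across all IPs over a longer window catches it."""
    return sliding_window_alerts(lines, 2, limit, window_s)


if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(LOG_LINES))            # set()
    print("per-account alerts:", per_account_alerts(LOG_LINES))  # {'alice'}
```

The per-account check is the one a defender would feed into lockout or step-up authentication decisions, since the per-IP counter alone gives no signal here.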