The Gaps in Today's API Security
Regarding traditional API security,
Network privacy - Strong encryption to protect data in transit.
Rate limiting - Enforcement of traffic rates to throttle client activity.
Access control - Validation of user identity and application authorization.
these are already common knowledge.
As for new threats,
Pre-login attacks consist of password guessing or other brute force attempts to compromise API control systems. Attackers often circumvent rate limiting controls by reducing request rates below defined limits. At a minimum, these attacks impact application performance and availability. If successful, hackers may gain access to corporate assets.
API/Layer 7 DDoS attacks include multi-node botnet attacks targeting login, session management, or other API services. These attacks attempt to consume resources or crash back-end servers.
Post-login attacks are initiated by insiders or hackers with compromised credentials obtained through social engineering, stolen passwords, and other techniques. These attacks are more dangerous as a hacker appears the same as other authorized users and has access to any system authorized for the stolen credentials. Potential data and application attacks include: data exfiltration, deletion or manipulation, memory attacks, taking control of applications, and many other targeted attacks.
also need to be considered.
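As an added illustration (not code from the original post), the following Python runs two checks over constructed login-log lines: a classic per-source rate limit, which the low-and-slow guessing pattern described above stays under, and a long-window check that counts failures across distinct accounts per source. The log format, addresses and thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API login log (not from the original page): "<ISO time> <source IP> <account> <result>".
# 203.0.113.7 tries one account every 45 s (never more than 2 per minute); 192.0.2.9 hammers one
# account four times in 30 s; 198.51.100.3 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2024-01-10T10:00:00Z 203.0.113.7 alice FAIL
2024-01-10T10:00:45Z 203.0.113.7 bob FAIL
2024-01-10T10:01:30Z 203.0.113.7 carol FAIL
2024-01-10T10:02:00Z 198.51.100.3 alice FAIL
2024-01-10T10:02:15Z 203.0.113.7 dave FAIL
2024-01-10T10:02:20Z 198.51.100.3 alice OK
2024-01-10T10:03:00Z 203.0.113.7 erin FAIL
2024-01-10T10:03:45Z 203.0.113.7 frank FAIL
2024-01-10T10:04:00Z 192.0.2.9 admin FAIL
2024-01-10T10:04:10Z 192.0.2.9 admin FAIL
2024-01-10T10:04:20Z 192.0.2.9 admin FAIL
2024-01-10T10:04:30Z 192.0.2.9 admin FAIL
2024-01-10T10:04:30Z 203.0.113.7 grace FAIL
2024-01-10T10:05:15Z 203.0.113.7 heidi FAIL
"""

def parse_log(text):
    """Return failed-login events as (timestamp, ip, account), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        if result == "FAIL":
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account))
    return sorted(events)

def rate_limit_hits(events, limit=3, window=timedelta(seconds=60)):
    """Classic per-source rate limit: IPs with more than `limit` failures in any sliding window."""
    hits, recent = set(), defaultdict(list)
    for ts, ip, _ in events:
        recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
        if len(recent[ip]) > limit:
            hits.add(ip)
    return hits

def slow_spray_hits(events, window=timedelta(hours=1), min_failures=6, min_accounts=4):
    """Long-window check: IPs that stay under the per-minute limit but accumulate many
    failures across many distinct accounts (the low-and-slow pattern described above)."""
    hits, recent = set(), defaultdict(list)
    for ts, ip, account in events:
        recent[ip] = [(t, a) for t, a in recent[ip] if ts - t < window] + [(ts, account)]
        if len(recent[ip]) >= min_failures and len({a for _, a in recent[ip]}) >= min_accounts:
            hits.add(ip)
    return hits
```

On the sample log, `rate_limit_hits` flags only the noisy source 192.0.2.9, while `slow_spray_hits` flags 203.0.113.7, which the per-minute limit never sees.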
We have indeed put some measures in place against abuse, but they are still not enough.
Thank you for the comprehensive summary.