Our advanced, holistic approach to API security moves beyond a ‘shift left, shield right’ strategy. As threats emerge at every stage of API development, the limited, siloed approach of traditional and legacy solutions continues to expose organizations to API blind spots by focusing on either code analysis or production traffic alone.
We created a multi-lens, single platform solution to shine a light on the entire API development lifecycle, ensuring protection against threats wherever they exist across your API estate.
Introducing API security into your development at the earliest possible stage ensures you can eliminate security vulnerabilities in the source code. Wib’s Fusion Defense uses static code analysis to scan customer repositories and detect API endpoints and logic vulnerabilities. It integrates directly with source code management (SCM) providers such as GitHub, Bitbucket, and GitLab.
Testing your APIs and reviewing their resilience against attacks is a critical step in securing your APIs. As every API is unique, the testing stage must contain specific tests for each of the APIs in your code. Our Fusion Defense provides automated testing to validate identified vulnerabilities and the fixes implemented to remediate or patch them.
As some vulnerabilities only emerge just before or in production, protection at this stage is the final piece of the security puzzle. Wib’s Fusion Defense analyses API traffic – through traffic mirroring, agent-based, wasm/plugin, sidecar or dedicated API gateway – to enable the detection of API security incidents in real time.
Fusion Defense continuously tests your APIs in the development and testing stages to identify API security vulnerabilities in the code. This provides organizations with insights earlier in the development process instead of relying on finding vulnerabilities in the live environment. Fusion Defense liberates enterprises to innovate, free from the security risks associated with modern application development.
Our API PenTesting service will test your API business logic and empower you to meet your compliance requirements.
The advanced intelligence of Wib’s Fusion Defense was designed to protect organizations against the OWASP API Security Top 10 vulnerabilities. These attacks aim to exploit the capabilities and features of APIs to gain unauthorized access to sensitive information or systems, disrupt operations or steal valuable resources.
These attacks evade traditional and legacy technologies such as Web Application Firewalls (WAFs) and API Gateways, which rely on predefined rules and patterns to identify and block potentially malicious traffic. Detection therefore requires an advanced, intelligent API security solution.
BOLA/Broken Object Level Authorization
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface. Object-level authorization checks should be considered in every function that accesses a data source using an input from the user.
Broken User Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or exploit implementation flaws to assume other users’ identities. Compromising a system’s ability to identify the client/user compromises API security overall.
Excessive Data Exposure
In generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user.
Lack of Resources & Rate Limiting
APIs often fail to restrict the size or number of resources that can be requested by the client/user. Not only can this impact API server performance, leading to Denial of Service (DoS), but it also leaves the door open to authentication flaws such as brute force.
Broken Function-Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
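As an added example (not Wib’s code), the object-level check described under BOLA and the function-level role check described above, in a small in-memory Python API; the users, orders and roles are constructed sample data:

```python
"""Object-level (BOLA) and function-level authorization checks, side by side.

Added illustration, not Wib's code: a handler that trusts a client-supplied
identifier next to one that verifies ownership and role on every access.
"""

# Constructed sample data: two customers and one admin.
USERS = {
    "alice": {"role": "customer"},
    "bob": {"role": "customer"},
    "root": {"role": "admin"},
}
ORDERS = {
    1001: {"owner": "alice", "total": 42.0},
    1002: {"owner": "bob", "total": 13.5},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the operation."""


def get_order_vulnerable(caller: str, order_id: int) -> dict:
    # BOLA: the caller is authenticated, but nothing checks that the order
    # belongs to them, so any user can walk the ID space and read others' orders.
    return ORDERS[order_id]


def get_order(caller: str, order_id: int) -> dict:
    # Object-level check: the lookup is keyed on a client-supplied ID, so
    # ownership must be verified before anything is returned.
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        # One error for 'missing' and 'not yours' so IDs cannot be enumerated.
        raise Forbidden("order not found or not accessible")
    return order


def require_role(caller: str, role: str) -> None:
    # Function-level check: administrative functions verify the caller's role
    # server-side instead of relying on the route being hidden in the UI.
    if USERS.get(caller, {}).get("role") != role:
        raise Forbidden(f"{caller!r} lacks role {role!r}")


def delete_order(caller: str, order_id: int) -> bool:
    # Admin-only function: a customer is refused even for their own order.
    require_role(caller, "admin")
    return ORDERS.pop(order_id, None) is not None
```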
Mass Assignment
Binding client-provided data (e.g., JSON) to data models, without proper property filtering based on an allowlist, usually leads to Mass Assignment. Either guessing object properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads allows attackers to modify object properties they are not supposed to.
Security Misconfiguration
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information.
Injection
Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Improper Asset Management
APIs tend to expose more endpoints than traditional web applications, making full and updated documentation highly important. A proper inventory of hosts and deployed API versions also helps mitigate issues such as deprecated API versions and exposed debug endpoints.
Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
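As an added example (not Wib’s code), the allowlist-based property filtering described under Mass Assignment and the server-side filtering described under Excessive Data Exposure, applied to the same user record; the record, the field names and the allowlists are constructed:

```python
"""Property allowlists on both sides of an API object.

Added illustration, not Wib's code: a user record is bound from a client
payload and serialised back out. The unsafe pair trusts the payload and
dumps the whole object; the safe pair uses explicit allowlists so hidden
fields can be neither written (Mass Assignment) nor read (Excessive Data
Exposure).
"""
import copy

# Constructed sample record, including fields a client must never control or see.
USER = {
    "id": 7,
    "email": "alice@example.com",
    "display_name": "Alice",
    "is_admin": False,                       # privilege flag: server-controlled only
    "password_hash": "$argon2id$constructed-placeholder",  # never leaves the server
}

# Fields a client may set on its own profile, and fields it may read back.
WRITABLE = frozenset({"email", "display_name"})
READABLE = frozenset({"id", "email", "display_name"})


def update_profile_vulnerable(user: dict, payload: dict) -> dict:
    # Mass Assignment: every property in the JSON body is bound to the model,
    # so a payload containing {"is_admin": true} escalates the caller.
    updated = copy.deepcopy(user)
    updated.update(payload)
    return updated


def update_profile(user: dict, payload: dict) -> dict:
    # Bind only allowlisted properties, and reject the request outright if the
    # client tried to set anything else so the attempt is visible in logs.
    unexpected = set(payload) - WRITABLE
    if unexpected:
        raise ValueError(f"unexpected properties: {sorted(unexpected)}")
    updated = copy.deepcopy(user)
    updated.update(payload)
    return updated


def serialize_vulnerable(user: dict) -> dict:
    # Excessive Data Exposure: the whole object is returned and the front end
    # is trusted to hide is_admin and password_hash before display.
    return dict(user)


def serialize(user: dict) -> dict:
    # Filter on the server with an explicit allowlist of readable fields.
    return {k: v for k, v in user.items() if k in READABLE}
```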
Get complete visibility of your entire API estate through Fusion Discovery’s automated API documentation and inventory.
Liberate your business from API security constraints that threaten digital innovation.