
5. Secure your APIs to secure your business
APIs have no built-in way to detect, prevent or respond to automated abuse, and the clients that call them are relatively easy to reverse engineer. By decompiling or intercepting the traffic of a web or mobile app that talks to an API, an attacker learns the endpoints, parameters and authentication flow, and can then drive the API directly with bots, bypassing every control that lives in the client.
Attackers will always look for the easiest point of entry, so your bot management solution must cover every attack vector. APIs used to share data between banks and third-party providers (TPPs), or between a bank and its mobile applications, are particularly exposed to new threats and need stronger protection. JavaScript-based solutions, for instance, typically cover only websites accessed through a browser; they see nothing of API traffic from mobile applications or other services, because that traffic never executes the script.
WAF- and CDN-based solutions from bolt-on bot suppliers derive from traditional approaches such as blacklisting and IP blocking and do not analyse a bot's behaviour or intent. Such blunt controls also produce false positives: legitimate users who are stopped or delayed before they reach the point of conversion on your site lose confidence. Attackers will try to reach the API layer through its three exposed access points: the browser, mobile applications and direct calls to the API server. It is vital that your API layer is protected by best-of-breed technology designed to complement existing controls such as WAFs and CDNs, while covering all of the API's access points without requiring complex mobile SDKs.
Equally, your bot management technology must adapt as user behaviour and bot techniques evolve. To achieve this, it must look at what each client is actually doing, for example the timing of its requests, the sequence of endpoints it calls and the resources it touches, to determine intent and motive, rather than relying only on where a request came from.
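To make the contrast concrete, here is an added example (not the article's or any vendor's product code) of the difference between a per-IP rate blocklist and behaviour-based scoring of API sessions. The log format, the session and IP values, and the thresholds are all constructed for illustration. The sample contains a genuine browser session and a session token lifted from a reverse-engineered mobile app and replayed through a pool of rotating proxies, each proxy sending only one request so that no IP ever trips the rate limit.

```python
"""Per-IP rate blocking versus behavioural scoring of API sessions.

Added example; the log lines, identifiers and thresholds are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log. One line per request:
# "<ISO timestamp> <client ip> <session id> <channel> <method> <path> <status>"
# s-browser-1: a real customer on the website (channel "browser").
# s-mobile-x: a replayed mobile-app session driven from rotating proxy IPs
#             (channel "api"), enumerating account IDs one per second.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.10 s-browser-1 browser GET /api/v1/accounts/4471 200
2024-03-01T10:00:07 203.0.113.10 s-browser-1 browser GET /api/v1/accounts/4471/transactions 200
2024-03-01T10:00:31 203.0.113.10 s-browser-1 browser POST /api/v1/payments 201
2024-03-01T10:01:02 203.0.113.10 s-browser-1 browser GET /api/v1/accounts/4471 200
""" + "".join(
    f"2024-03-01T10:00:{i:02d} 198.51.100.{i + 1} s-mobile-x api "
    f"GET /api/v1/accounts/{1000 + i} 403\n"
    for i in range(12)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<session>\S+) (?P<channel>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)
ID_RE = re.compile(r"/accounts/(\d+)")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole batch
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def ip_rate_blocklist(events, max_per_minute=5):
    """Classic bolt-on control: block any IP exceeding a per-minute request rate."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["ip"], ev["ts"].replace(second=0, microsecond=0))] += 1
    return {ip for (ip, _minute), n in counts.items() if n > max_per_minute}


def js_only_coverage(events):
    """Fraction of traffic a browser-JavaScript-only detector would even see."""
    return sum(ev["channel"] == "browser" for ev in events) / len(events)


def session_features(events):
    """Behavioural features per session, independent of source IP."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    feats = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        ids = [int(m.group(1)) for m in (ID_RE.search(e["path"]) for e in evs) if m]
        gap_cv = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            # Coefficient of variation of inter-request gaps: humans jitter, scripts do not.
            gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        feats[sid] = {
            "requests": len(evs),
            "distinct_ips": len({e["ip"] for e in evs}),
            "error_rate": sum(e["status"] >= 400 for e in evs) / len(evs),
            "gap_cv": gap_cv,
            "sequential_ids": sum(1 for a, b in zip(ids, ids[1:]) if b == a + 1),
        }
    return feats


def score_session(f):
    """Return the behavioural reasons a session looks automated (constructed thresholds)."""
    reasons = []
    if f["gap_cv"] is not None and f["gap_cv"] < 0.15:
        reasons.append("machine-regular request timing")
    if f["sequential_ids"] >= 5:
        reasons.append("sequential resource-id enumeration")
    if f["requests"] >= 8 and f["error_rate"] > 0.5:
        reasons.append("high error rate while probing")
    if f["distinct_ips"] > 3:
        reasons.append("one session spread across many source IPs")
    return reasons


def flag_sessions(events, min_reasons=2):
    """Sessions with at least min_reasons behavioural indicators, with the reasons."""
    flagged = {}
    for sid, f in session_features(events).items():
        reasons = score_session(f)
        if len(reasons) >= min_reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("IP blocklist would block:", ip_rate_blocklist(evs) or "nothing")
    print("Traffic visible to a JS-only detector:", js_only_coverage(evs))
    print("Behavioural flags:", flag_sessions(evs))
```

Run as a script, the IP blocklist blocks nothing (every proxy IP sent a single request and the real customer stayed under the limit), a browser-JavaScript-only detector would have seen a quarter of the traffic, and only the session-level behavioural scoring flags `s-mobile-x`, with the enumeration pattern and regular timing as the reasons. The session identifier is what ties the rotating IPs together; in practice the key would be whatever the API layer can attribute consistently, such as an OAuth client, access token or device fingerprint.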