Real-time Protection Against API Abuse
Prevent Downtime, Account Takeover, and Scraping Attacks
Attacks and data breaches on poorly protected APIs are mounting. Fraudsters exploit API vulnerabilities to steal sensitive data including user information (PII), business-critical content, etc. Modern application architecture trends — including mobile devices, use of cloud systems, and microservice design patterns — complicate security of APIs as now multiple gateways are involved to facilitate interoperability among diverse web applications. The extensive deployment of internal APIs, combined with mobile access and increased dependence on cloud-based APIs, means that web application security defense systems that defend only the external perimeter are ineffective. Also, as new APIs are being added and consumed by businesses on an ongoing basis, API security is not a one-time exercise. ShieldSquare ensures that API usability is not unduly affected, and provides real-time protection against malicious bots to avert API abuse.
Impact of Bots on Application Programming Interfaces
Application Distributed Denial Of Service (DDoS)
Attackers overwhelm APIs by sending traffic from multiple clients. They target business-critical services including login services, session management, and other services critical to application reliability. Attackers also generate API calls that require extensive resources and affect server response time.
Detecting and filtering unwanted traffic including requests from automation scripts is essential to stop DDoS attacks on Layer 7. ShieldSquare bot detection engine analyzes every API request including payload and HTTP headers to identify anomalous behavior patterns, and also performs intent analysis to understand the actual intent behind an API request to filter bad API calls.
Hackers deploy botnets to programmatically send API calls to test stolen credentials. Though API management systems reject invalid login attempts, these systems are incapable of stopping bot herders from trying different combinations of credentials using multiple IPs. Hackers also keep the API requests below the rate limit to make it difficult for conventional API security measures to detect such sophisticated account takeover attempts.
It is important to accurately distinguish between genuine login attempts and malicious credential stuffing attacks. ShieldSquare combines Intent-based Deep Behavior Analysis (IDBA) with collective bot intelligence to avert attempts to directly access login services and execute account takeover attacks.
Scrapers extract data from APIs. They also go beyond extracting data to execute automated form filling. Hackers reverse engineer web and mobile apps to hijack API calls and scrape content. Advanced bot detection measures including browser and mobile integrity checks, combined with fingerprinting techniques are required to filter emulators, and block attempts to reverse engineer web and mobile applications.
ShieldSquare verifies traffic to the API server as well as mobile app server to ensure that only genuine users have access to your APIs. We ensure that attempts to scrape business-critical information are blocked. We also provide rate limiting based on multiple parameters to prevent token cycling and token distribution.
Secure User Accounts and Business-critical Data
Reduce Total API Calls and Unexpected Surge in Third-party API Usage
*1 Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
*2 The Forrester New Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester New Wave™ is a graphical representation of Forrester's call on a market. Forrester does not endorse any vendor, product, or service depicted in the Forrester New Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.