Web Application and API Protection: From SQL Injection to Magecart
First discovered in 1998, SQL injections remain an unsolved challenge and ongoing threat for every web application and API more than 20 years later. The Open Web Application Security Project (OWASP) highlighted injection flaws in its Top 10 lists for both web application security risks and API security threats. For Akamai customers, SQL injections comprised 76% of all web application attacks detected over the past two years.
SQL injections remain a challenge in 2020 for the same reasons that have driven the growth of the World Wide Web (and Akamai with it) over the past two decades:
There is more information online than ever before, including information that has financial value, and is therefore a target for attackers
The number of web applications is rapidly growing, and Akamai customers often have hundreds of applications that collectively represent their digital experience
Web applications have become highly complex, with many different components and technologies; the first-party and open source code in apps pose growing vulnerabilities, as do the many connections between services -- all of which can be exploited at any weak point
Developers don't always think about security, and security teams aren't able to keep up with the increasing number of complex applications they're chartered to protect
All of these factors contribute to the challenges security teams face in keeping protection updated for constantly changing apps. But that's only half of the equation. Rapid iteration also creates a steady stream of possible new vulnerabilities and attack vectors designed to exploit them.
DDoS protection starts with zero-second mitigation
Most customers start their web application and API protection (WAAP) journey with distributed denial-of-service (DDoS) security. After all, applications need to be available before there's any worry about a data breach.
From Operation Ababil to Memcached, the common thread between Akamai's DDoS security services has always been instant mitigation for attacks, backed by an industry-leading zero-second time-to-mitigate service-level agreement (SLA). Akamai designed its content delivery network (CDN) from the start as a reverse HTTP/S proxy: traffic that is not HTTP/S is dropped at the edge and never reaches an origin, which disposes of network-layer attacks, the vast majority of all DDoS attacks, instantly.
Likewise, our authoritative Domain Name System (DNS) service drops all traffic that is not on port 53 in zero seconds. Prolexic Routed introduced a similar capability in 2013, with proactive mitigation controls tailored to each customer's network profile. Prolexic Routed was also responsible for mitigating the record-setting 1.3 Tbps Memcached attack in February 2018 and 809 Mpps attack in June 2020.
The ability to mitigate even the largest attacks in zero seconds is unique in the industry. Starting with proactive mitigation provides the fastest and most effective method for mitigating the majority of DDoS attacks -- without any additional analysis required. This is especially critical with the DDoS landscape of 2020, where short "hit and run" and large-scale attacks comprising multiple attack vectors are increasing in prevalence.
Both of these trends increase the challenges of analyzing attack behavior and applying appropriate mitigation controls quickly. Defining and dropping abnormal traffic upfront provides a better experience for customers and allows Akamai's Security Operations Command Center (SOCC) staff to focus on attacks that require manual analysis and mitigation.
Demand more from your WAF
Web application attacks such as SQL injection pose very different challenges. How do you protect all of your web applications when a) you don't have enough application security staff or expertise and b) the applications themselves are constantly growing and changing?
The following principles have guided Akamai's web application firewall (WAF) development since 2009, when we introduced the industry's first edge WAF:
Reduce the number of things that require management. Moving to an edge-based deployment model allows you to manage your global WAF configuration with a single interface, instead of having to configure dozens of appliances with every rule change.
Look for anomalies, not Common Vulnerabilities and Exposures (CVE). Keying WAF rules to individual CVE entries is unwieldy to manage and never gets ahead of the problem, because a rule can only be written once the vulnerability is public. Architecting the WAF around an anomaly scoring engine, where each matching rule adds a weighted score to the request and the request is blocked once its total crosses a threshold, makes the rule set easier to scale and has proven effective against some zero-day vulnerabilities.
Curate WAF rules for customers. The most recent Forrester Wave report on WAFs gave high marks to Akamai's internal threat intelligence. Most organizations don't have enough security resources to manage a WAF over time. Akamai threat researchers help by continuously updating and testing WAF rules against live traffic to make enablement easier for customers.
Leverage machine learning where it makes sense. Most security teams won't trust an algorithm to update their WAF rules. Instead, Akamai uses machine learning to analyze live traffic (including 178 billion rule triggers a day) to identify anomalies requiring analysis by Akamai threat researchers.
Automate as much as you can. Because of limited resources, most customers only protect their most critical applications, leaving many applications unprotected. Akamai developed automated protections to secure the rest of the application footprint with a one-time click.
Apply protection based on risk. IP reputation is the most common form of risk-based protection. However, it is more effective to go beyond a simple binary good-or-bad score to a more accurate risk assessment, built from tailored risk scores based on attacker behavior observed against other customers and industries. In October, we'll be talking more about how to go beyond IP reputation and adapt WAF protections based on risk -- stay tuned.
API security for agile organizations
API security provides an industry-wide lesson on the need for a bridge between security teams and developers. Akamai introduced a positive security model for API protection in 2017: customers define their API endpoints with Akamai, requests that do not match a definition are dropped as abnormal, and the rest are passed to WAF inspection. However, this requires security teams to have visibility into the APIs developers are creating, which has proven challenging for most organizations. To help bridge that gap, Akamai recommends that API security do the following:
Automatically inspect all API traffic. Akamai now automatically inspects all XML and JSON traffic for web application attacks without requiring APIs to be defined and registered with Akamai.
Automatically discover new API endpoints. In October, we'll be talking about an exciting new capability that will finally allow security teams to keep up with changing APIs by discovering API endpoints and their definitions -- integrated with WAF protections. Stay tuned and check our blog for updates.
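The positive model described above, as an added example (not Akamai's API definition format or code): a small hypothetical endpoint definition lists the methods, paths and JSON fields the API accepts, and anything outside it is dropped before any attack signature is consulted. Unregistered methods and paths, unexpected fields and wrong field types all fail closed; the endpoint definition and requests are constructed for the example.

```python
import json
import re

UNREGISTERED = object()  # sentinel: no definition matched

# Hypothetical API definition: (method, path pattern, JSON body schema or None for no body).
API_SPEC = [
    ("POST", re.compile(r"^/v1/orders$"), {"sku": str, "quantity": int}),
    ("GET", re.compile(r"^/v1/orders/\d+$"), None),
]


def lookup(method, path):
    """Find the schema for a registered endpoint, or UNREGISTERED."""
    for spec_method, pattern, schema in API_SPEC:
        if spec_method == method and pattern.match(path):
            return schema
    return UNREGISTERED


def inspect_request(method, path, body=""):
    """Positive model: allow only what the definition describes, drop everything else."""
    schema = lookup(method, path)
    if schema is UNREGISTERED:
        return "drop: endpoint not registered"
    if schema is None:
        return "allow" if not body else "drop: body not expected"
    try:
        data = json.loads(body)
    except ValueError:
        return "drop: body is not valid JSON"
    if not isinstance(data, dict):
        return "drop: body must be a JSON object"
    extra = sorted(set(data) - set(schema))
    if extra:
        # fields the API never defined (mass-assignment style) are rejected, not ignored
        return "drop: unexpected fields " + ", ".join(extra)
    for field, expected in schema.items():
        if field not in data:
            return "drop: missing field " + field
        value = data[field]
        # bool is a subclass of int in Python; do not let true/false pass as a number
        if (expected is int and isinstance(value, bool)) or not isinstance(value, expected):
            return "drop: field %s must be %s" % (field, expected.__name__)
    return "allow"


if __name__ == "__main__":
    print(inspect_request("POST", "/v1/orders", '{"sku": "ABC-1", "quantity": 2}'))
    print(inspect_request("POST", "/v1/orders", '{"sku": "ABC-1", "quantity": "2 OR 1=1"}'))
    print(inspect_request("POST", "/v1/orders", '{"sku": "ABC-1", "quantity": 2, "is_admin": true}'))
    print(inspect_request("GET", "/v1/orders/42"))
    print(inspect_request("GET", "/v1/orders/42%27"))
    print(inspect_request("DELETE", "/v1/orders/42"))
```

Note what the positive model does not do: a string field such as sku can still carry an injection payload of the right type, so the WAF inspection of JSON values that the post mentions remains necessary on everything the definition lets through. And the definition only protects endpoints someone registered, which is exactly the visibility gap the discovery capability is meant to close.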
Detecting 12 billion bot requests daily
Unlike DDoS and web application attacks, where events can often be identified based on traffic volume or signature, bot attacks have always attempted to blend with human traffic to go undetected. In addition, the more sophisticated bot operators continuously evolve in their attempts to evade detections.
This has driven a major shift in how the industry has approached the problem. Akamai recommends the following practices:
Leverage signature-based rules. Basic bot detection looks like a WAF, with rules that match known bot signatures such as self-identifying user-agent strings. These basic detections still easily catch the "dumb bots" that make up more than 50% of bot traffic, which lets the advanced detections focus on the more sophisticated ones.
Look for anomalies, not attacks. As bots continue to better mimic human behavior, identifying sophisticated bots requires dropping all preconceived notions of what a bot may look like. Instead, machine learning algorithms such as adaptive anomaly clustering look for anomalies in traffic and signals collected from the 1.3 billion devices that Akamai sees daily.
Trust machine learning findings that are backed by a lot of data. Detecting bots requires an algorithmic approach to correlating signals across different applications and customers in real time, but machine learning needs large volumes of data to be accurate. Akamai feeds signals from unmatched volumes of first-party data -- 1.3 billion unique clients per day and hundreds of Tbps of traffic -- into its machine learning algorithms to detect 12 billion bot requests and 280 million bot logins every day.
Manage, don't mitigate. Bots are usually easy to block, but an outright block tells the operator the bot has been detected and invites it to retool, which is why bot management remains a cat-and-mouse game between attackers and security vendors. Unlike traditional tools, Akamai's inline architecture provides a wide array of response options beyond block or allow to help manage the long-term impacts of bots.
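The first, second and fourth practices above in miniature, as an added example that is not Akamai's detection or data: a signature pass labels the self-identifying "dumb bots", a population-relative anomaly check (request count far above the median client, or a burst of login posts) flags a client that looks like a browser, and each label maps to a response rather than a plain block. The access log lines are constructed for the example and use a simplified format (client, timestamp, request line, status, bytes, User-Agent); the thresholds are hypothetical.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample access log: three browsers and two bots, not real traffic.
LOG_LINES = [
    '203.0.113.5 - - [10/Sep/2020:10:00:01 +0000] "GET /products/1 HTTP/1.1" 200 5120 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/80.0"',
    '203.0.113.5 - - [10/Sep/2020:10:00:09 +0000] "GET /products/2 HTTP/1.1" 200 4870 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/80.0"',
    '203.0.113.5 - - [10/Sep/2020:10:00:31 +0000] "POST /cart HTTP/1.1" 302 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/80.0"',
    '198.51.100.7 - - [10/Sep/2020:10:00:02 +0000] "GET /products/1 HTTP/1.1" 200 5120 "python-requests/2.24.0"',
    '198.51.100.7 - - [10/Sep/2020:10:00:02 +0000] "GET /products/2 HTTP/1.1" 200 4870 "python-requests/2.24.0"',
    '203.0.113.44 - - [10/Sep/2020:10:00:05 +0000] "GET / HTTP/1.1" 200 9000 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15"',
    '203.0.113.44 - - [10/Sep/2020:10:00:20 +0000] "GET /login HTTP/1.1" 200 2100 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15"',
] + [
    # one client with a browser-like User-Agent hammering the login endpoint
    '192.0.2.9 - - [10/Sep/2020:10:00:%02d +0000] "POST /login HTTP/1.1" 401 310 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0.4183.83 Safari/537.36"' % i
    for i in range(12)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ua>[^"]*)"$'
)

# Signature rule: tooling that announces itself in the User-Agent (hypothetical list).
TOOL_UA = re.compile(r"python-requests|curl/|wget/|scrapy|go-http-client|libwww-perl", re.I)

# Response per label: manage the client rather than simply dropping it.
RESPONSES = {"human": "serve", "dumb-bot": "block", "suspected-bot": "challenge"}


def parse(lines):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    parsed = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            parsed.append(m.groupdict())
    return parsed


def signature_label(user_agent):
    """Signature pass: empty or tool user-agents are the 'dumb bots'."""
    if not user_agent or user_agent == "-" or TOOL_UA.search(user_agent):
        return "dumb-bot"
    return None


def classify(lines, rate_factor=3.0, login_burst=5):
    """Label each client IP as human, dumb-bot or suspected-bot."""
    per_ip = defaultdict(list)
    for record in parse(lines):
        per_ip[record["ip"]].append(record)
    counts = {ip: len(recs) for ip, recs in per_ip.items()}
    typical = median(counts.values())  # what an ordinary client in this window looks like
    labels = {}
    for ip, recs in per_ip.items():
        sig = signature_label(recs[0]["ua"])
        if sig:
            labels[ip] = sig
            continue
        login_posts = sum(1 for r in recs if r["method"] == "POST" and r["path"] == "/login")
        # anomaly relative to the population rather than a fixed signature
        if counts[ip] > rate_factor * typical or login_posts >= login_burst:
            labels[ip] = "suspected-bot"
        else:
            labels[ip] = "human"
    return labels


def response_for(label):
    return RESPONSES[label]


if __name__ == "__main__":
    for ip, label in classify(LOG_LINES).items():
        print(ip, label, "->", response_for(label))
```

The Chrome-like client would pass every signature check; it is only the comparison against the rest of the population (twelve login posts against a median of two or three requests per client) that singles it out. Serving it a challenge instead of a block keeps a false positive recoverable for a real user and gives a real bot operator less to learn from.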
The newest frontier: in-browser threats
Magecart-style attacks started hitting the mainstream in 2018, with major breaches at Ticketmaster, Newegg, and British Airways. In these attacks the attacker compromises a script that a web page loads, whether first-party or third-party, so that malicious JavaScript runs in every visitor's browser and skims data such as payment card details straight out of the page's forms.
These new types of attacks prove that new attack vectors will continue to be discovered as underlying applications continue to change. In response, security technology will continue to evolve as well.
For in-browser threats like Magecart, Akamai has shifted its approach again to:
Protect in the browser, not in the application. Magecart-style attacks execute in each visitor's browser, on a page the server delivered and considers legitimate, so they are invisible to traditional server-side and network security tools. Detecting and mitigating compromised scripts running in the browser requires putting the protection into the browser itself.
Continuously monitor script behavior. Sophisticated script attacks can be executed in a fraction of a second and gone before you notice them. Akamai's unique approach continuously monitors script behavior, allowing you to catch even transient threats.
Look for anomalies even in legitimate scripts. With malicious code injected into compromised scripts, in-browser threat protection must identify unusual changes in behavior even for well-known, legitimate scripts.
From SQL injections to Magecart, the challenge of protecting web applications and APIs will continue to grow -- with new attack vectors to protect against as well as changing applications. Navigating the evolving threat landscape requires an expanding kit of tools, solutions, and vendors to reduce the risk of doing business online.
Beyond WAAP: enterprise and carrier security
While web applications are often the most high-profile targets, data breaches are not limited to them. Gartner's secure access service edge (SASE) model provides organizations with a broader framework for thinking through their security approach, including secure web gateway (SWG), Zero Trust access, and DNS security. Your organization should evaluate its full needs and map them to the different approaches and potential solutions. For more information on these markets and more, please see: