On August 26th, the IDC 2022 CSO Global Cybersecurity Summit (China Station) was grandly opened in Shanghai, where the "IDC TechScape: China Data Security Development Roadmap, 2022" was released for the first time. The aim is to help users build a comprehensive data security governance system, empowering them to achieve data security governance goals through key capability modules of various data security and password technologies in the governance system. WebARY has been selected as a recommended vendor for the transformational technology curve "API Security" technology, which is an important recognition of WebARY's continuous innovation and accumulation in the field of API security technology.

The TechScape released this time selected 18 emerging and important data security technologies for analysis, and classified them into three categories: transformational technologies, dominant technologies, and opportunity technologies based on their market impact and development stages. By conducting detailed research on the deployment, risk level, market popularity, and other aspects of each individual technology in the field of data security, three recommended vendors are provided for each technology to provide technical references for end users in product selection. WebARY has been selected as a recommended vendor for "API Security" technology in the IDC China Data Security Development Roadmap.

API security protection should be approached from a global perspective of full lifecycle management

The report "IDC TechScape: China Data Security Development Roadmap, 2022" shows that in the current era of booming application development, APIs have become the foundation for application connectivity and innovation by integrating application software to better connect applications. They are an important component of modern communication applications. However, the inherent properties of APIs that connect data and content have brought convenience to technology service providers and users, but have also begun to attract the attention of many attackers. Unauthorized access, data tampering and theft, distributed denial of service, SQL injection, etc. have become common means for attackers to use APIs for attacks. API security has gradually become an important field of data security and application security.

Due to the diversity and complexity of APIs, an application may connect multiple APIs from different language systems, which undoubtedly poses great challenges to the API security protection of end users. Many users only realize the risks of APIs after an attack event occurs. Overall, the API security protection challenges faced by end-users mainly focus on incomplete and inaccurate sorting of API assets, weak API testing capabilities during development, security configuration errors, identity authentication and permission control errors, encryption failures, difficulty in continuous detection and monitoring during operation, and weak API security awareness.

API security defined by IDC is a type of solution that helps users mitigate and protect API related security risks. At present, the traditional API protection functions in web application security gateways and other products are no longer sufficient to protect against increasingly complex API attacks. API security should be managed and controlled from the perspective of full lifecycle management, starting from API security development and deployment (API testing, etc.), in conjunction with encryption, identity authentication, permission control, API security testing, detection, monitoring, threat protection, threat handling and other capabilities.

WebRAY API Security Protection System helps with API security governance in the digital age

Based on its technical accumulation in network asset governance and application security, WebRAY has launched a security protection product that integrates API asset sorting and reinforcement protection - the API Security Protection System (RayAPI). Based on the API learning profile, it performs permission reinforcement, attack protection, data protection, and comprehensive auditing to provide comprehensive control measures.

Construction ideas for API security protection system

We can see that the traditional way of relying on API gateways to collaborate with protection devices such as WAF and IPS has gradually exposed drawbacks such as high integration complexity and insufficient targeting. In practical attack and defense, users' demand for dedicated API detection and protection devices is becoming increasingly clear The market leader of Shengbang Security API products said, "It is precisely because we have seen changes in market demand that our R&D team has begun to conduct in-depth research on how to make API security detection more accurate and API protection more precise.

Five core technical capabilities to ensure the security of API applications

In order to meet various security requirements in different environments, RayAPI has gradually developed the following five core technical capabilities:

Active and Passive API Learning Engine

By using an API learning engine that combines active detection and passive traffic analysis, it is possible to comprehensively sort out the API assets that exist in user business, and extract semantics based on traffic characteristics to identify API status, usage, and other attributes, thereby achieving tag based portrait management and automatically sorting out normal APIs, shadow APIs, and problematic APIs.

Heuristic Attack Detection and Protection Engine

Adopting a heuristic detection engine that combines feature detection, semantic analysis, and AI learning, the judgment logic is simplified through known attack rules and behavioral features, and the engine is continuously trained to enhance its ability to discover unknown risks, thereby protecting against API related injection attacks, command attacks, abnormal access, and illegal content.

API Access Control Based on Human Machine Recognition

The product models and analyzes from the perspectives of traffic changes and behavioral characteristics, sorts out the baseline of API access and dynamically tracks it, identifies and judges unauthorized access, unknown requests, illegal calls, and abnormal high-frequency requests, and uses reverse verification, access restrictions, whitelists, and other methods for access control;

Business oriented API data call control

The product adopts comprehensive checkpoints and rich data processing models, which can accurately identify, summarize, and classify sensitive organizational data, personal privacy information, business critical information, and system account passwords based on business characteristics. It also uses erasure, replacement, and access restrictions to achieve desensitization protection and other purposes.

Situation monitoring for the entire lifecycle of APIs

Monitor API assets based on multiple dimensions such as time, space, business attributes, and data types, comprehensively analyze the API's online status, running status, call reliability, data legitimacy, and threat situation, and achieve fine-grained auditing and visual analysis of API assets.

According to an IDC report, from a market development perspective, the API security protection market in China is still in its initial stage of development. However, in the future, with the continuous changes in attack situations and the increasing number of API applications, API security will become an important security sub market and rapidly develop.