Examine the Role of WAAP, WAF, TLS and mTLS in Protecting APIs from Advance Cyber Attacks

© 2024 by IJCTT Journal
Volume-72 Issue-11
Year of Publication : 2024
Authors : Piyush Dixit
DOI :  10.14445/22312803/IJCTT-V72I11P101

How to Cite?

Piyush Dixit, "Examine the Role of WAAP, WAF, TLS and mTLS in Protecting APIs from Advance Cyber Attacks," International Journal of Computer Trends and Technology, vol. 72, no. 11, pp. 1-7, 2024. Crossref, https://doi.org/10.14445/22312803/IJCTT-V72I11P101

Abstract
Cyber-attacks on Application Programming Interfaces (APIs) have become highly sophisticated, posing novel challenges in securing APIs and creating a pressing need for equally capable defensive tooling. APIs are now indispensable for connecting disparate software systems both within and outside an enterprise; they move data efficiently and even let organizations generate revenue by selling data and services. These factors have sharply increased the number of APIs being built and, with it, the attack surface of the companies that expose them over the web for bad actors to exploit. Attackers routinely exploit vulnerabilities left in APIs by poor security practices during implementation or hosting, and those vulnerabilities let them gain unauthorized access to sensitive data and systems within an organization. Adding fuel to the fire is the easy availability of malicious no-code software and tools that launch automated attacks, bypass standard security measures, remain undetected, and sometimes leave no trace in intrusion detection systems. Current research on these topics highlights the need for basic cyber-defense mechanisms but does not specifically address the role and usage of more advanced tools such as Web Application and API Protection (WAAP), Web Application Firewalls (WAF), Transport Layer Security (TLS) and mutual TLS (mTLS) in bolstering API security. This study examines these protection tools, presents how they defend against complex modern cyber-attacks, and establishes an approach organizations can follow to implement these measures to protect their APIs.
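The TLS and mTLS measures named in the abstract, as an added illustration that is not part of the paper: a server-side TLS context for an HTTPS API built with Python's standard ssl module and hardened along the lines the abstract describes (TLS 1.2 minimum, forward-secret AEAD cipher suites only, TLS compression off, client certificates required for mTLS), beside a constructed legacy configuration, plus a small audit that reports what each configuration gets wrong. The function names, the legacy cipher list and the audit's checks are this example's own choices, not the paper's; the optional CA bundle path is an assumption (without it the context still demands a client certificate but has no trust anchors loaded, so no client could actually pass the handshake).

```python
"""Added example (not from the paper): TLS/mTLS hardening for an HTTPS API server
context in Python's standard ssl module, with an audit that flags weak settings."""
import ssl

# Substrings that identify cipher suites no API endpoint should offer (this example's own list).
WEAK_NAME_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ANON")


def hardened_api_server_context(ca_bundle_path=None):
    """Server context for an API endpoint: TLS 1.2+, forward-secret AEAD suites,
    client certificates required (mTLS). ca_bundle_path (assumed) is the CA that
    issued the client certificates; without it every client handshake will fail."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression enables CRIME-style attacks
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # the server, not the client, picks the suite
    # TLS 1.2 suites: ephemeral ECDH key exchange with AES-GCM or ChaCha20-Poly1305 only.
    # TLS 1.3 suites are managed separately by OpenSSL and are all AEAD with forward secrecy.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    ctx.verify_mode = ssl.CERT_REQUIRED             # mTLS: reject clients without a valid cert
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def legacy_api_server_context():
    """Constructed 'before' configuration: anonymous clients accepted, and static-RSA
    CBC-mode SHA-1 suites that give neither forward secrecy nor authenticated encryption."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("AES128-SHA:AES256-SHA")
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings for a server SSLContext; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificates not required (mTLS off)")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if name.startswith("TLS_"):  # TLS 1.3 suite: AEAD and ephemeral key exchange by design
            continue
        if any(marker in name for marker in WEAK_NAME_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {name}")
        if not any(aead in name for aead in ("-GCM-", "-CCM", "CHACHA20")):
            findings.append(f"non-AEAD cipher: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_api_server_context()),
                       ("hardened", hardened_api_server_context())):
        print(f"{label}: {audit_tls_context(ctx) or 'no findings'}")
```

Running the file directly prints the audit for both contexts: the legacy one is reported for missing client authentication and, per enabled TLS 1.2 suite, for lacking forward secrecy and authenticated encryption; the hardened one produces no findings. The audit inspects only what the context itself exposes (minimum version, options, verify mode, negotiable suites), so it can run offline against any context before it is handed to a server.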

Keywords
API Security, WAF, WAAP, TLS, mTLS, OSI, Layer 7, Layer 4, TCP/IP, HTTPS.
