Imperva Cyber Community

Expand all | Collapse all

API Security Questions

  • 1.  API Security Questions

    Posted 26 days ago
    Hi, a few questions about API Security:

    1. What kind of API protection do we get by default without API Security module enabled?

    2. Gartner MQ 2020 states: "Imperva offers comprehensive API security, including DDoS protections and the ability to parse JSON and XML, websockets, webhooks, GraphQL, gRPC and server-side events (SSE)" - Do these require "API Security" enabled? And is there a reference doc which describes this functionality and all the supported protocols?

    Thank you




    #APISecurity
    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Max
    ------------------------------


  • 2.  RE: API Security Questions

    Community Manager
    Posted 26 days ago
    @Max X,

    Thanks for the post! I am trying to get you some good answers to your questions here, but in the meantime, take a look at a few things that I think you will find helpful.

    @Peter Klimek hosted a couple of webinars on the topic and covered Imperva API Security in depth. 
    1. Introduction to Imperva API Security: Community Webinar - This webinar is focused on helping security professionals better understand API's, the unique challenges of securing API's, and most importantly, how to identify and address common weaknesses in API's. 
    2. Securing API's Part 2 Mitigating Input Validation Vulnerabilities Community Webinar - This webinar will explore in depth how API's are susceptible to Mass Assignment and Injection attacks, OWASP API Top 10 #6 & #8 respectively. We will walk through the vulnerabilities with code examples, demonstrate live attacks, and finally walk through the mitigations that security practitioners can apply to prevent and stop these attacks from occurring.

    Community Blogs that could be helpful: 
    Enforcing API Schema Specifications in Imperva
    Creating Custom Error Responses for APIs




    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 3.  RE: API Security Questions

    Community Manager
    Posted 26 days ago
    @Max X 
    Here is another answer I received from one of our experts: "An API is an automated process that looks and smells like a BOT - in most cases it must be whitelisted w/o API protection.​"



    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 4.  RE: API Security Questions

    Posted 26 days ago
    Thank you Christopher, I am closely familiar with the links above.

    As to the response from the experts - I think it is aimed to answer Q1. Is the way to interpret it - "API projects have zero benefit from being placed behind Imperva Cloud WAF w/o API Security enabled? In fact, there could harm/interference via Imperva's Bot Protection"?
    ​​
    And what about Q2: Gartner MQ 2020 states - "Imperva offers comprehensive API security, including DDoS protections and the ability to parse JSON and XML, websockets, webhooks, GraphQL, gRPC and server-side events (SSE)" - Do these require "API Security" enabled? And is there a reference doc which describes this functionality and all the supported protocols?

    ------------------------------
    Max
    ------------------------------



  • 5.  RE: API Security Questions

    Imperva Employee
    Posted 26 days ago
    Hi Max,
    By default, Cloud WAF will automatically parse and protect JSON (REST/GraphQL), XML (Web Services), and Protobuf (gRPC) payloads without any additional configuration or features required.  This will apply any WAF rules (SQLi, XSS, Unauthorized Resource Access, etc.) or custom Rules and IP ACL's against those payloads automatically. 

    The API Security feature is designed to extend this functionality for REST API endpoints and will enforce the Swagger/OAS specification that is defined for the endpoint.  It's important to note that this subset of features is applicable to REST API's only today, however we're looking at expanding this further in the future to more broadly apply to GraphQL and gRPC services as well.

    Cheers,
    Peter

    ------------------------------
    Peter Klimek
    Principal Architect
    Imperva
    ------------------------------



  • 6.  RE: API Security Questions

    Posted 26 days ago
    Thank you Peter. And what about support for websockets, webhooks and server-side events (SSE)?

    ------------------------------
    Max
    ------------------------------