VP Innovation at Axway, Co-founder at Vordel

Mark O'Neill


Taking API Firewalling to the Next Level



One of the chief functions of an API Gateway is to act as an API Firewall. Many people are familiar with a Web Application Firewall (WAF), but may not be familiar with the concept of the API Firewall. You can think of an API Firewall as a "WAF++", because as well as blocking Web Application attacks such as SQL Injection, it must also block API-level attacks such as API Key replay attacks, or (for older style XML Web Services) the infamous XML Bomb. When I wrote my Web Services Security book back in the early 2000s, I didn't know that, today, attacks such as the XML Bomb would still be a concern.
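To make the "WAF++" idea concrete, here is an added example of the two API-level checks named above, an XML Bomb guard and an API Key replay guard, written as a small Python filter. It is illustrative code written for this page, not code from the original post or from Axway's API Gateway. The header names (X-Api-Key, X-Timestamp, X-Nonce, X-Signature), the HMAC-SHA256 request-signing scheme, the 300-second skew window and the sample documents are all assumptions made for the example.

```python
"""Two API-firewall checks (illustrative, not a vendor implementation):
an XML-bomb / external-entity guard and an API-key replay guard."""
import hashlib
import hmac
import time
from xml.parsers import expat


# ---- 1. XML Bomb guard ----------------------------------------------------
class XmlRejected(Exception):
    """Raised inside the expat callbacks to abort parsing early."""


def inspect_xml(body: bytes, max_body_bytes: int = 256 * 1024) -> str:
    """Return 'allowed' or 'blocked: <reason>' for an XML request body.

    A billion-laughs document is small on the wire but expands through
    nested internal entities; external entities are the XXE vector. Rather
    than trying to bound the expansion, the firewall refuses any DOCTYPE
    that declares or references entities, before the body is ever expanded.
    """
    if len(body) > max_body_bytes:
        return "blocked: body too large"
    parser = expat.ParserCreate()

    def entity_decl(name, *_ignored):          # fires on every <!ENTITY ...>
        raise XmlRejected(f"entity declaration '{name}'")

    def external_ref(*_ignored):               # fires on SYSTEM/PUBLIC refs
        raise XmlRejected("external entity reference")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(body, True)
    except XmlRejected as exc:
        return f"blocked: {exc}"
    except expat.ExpatError as exc:
        return f"blocked: malformed XML ({exc})"
    return "allowed"


# ---- 2. API Key replay guard ----------------------------------------------
class ReplayGuard:
    """Each request carries its API key id, a Unix timestamp, a random nonce
    and an HMAC-SHA256 over the request. The gateway verifies the signature,
    bounds clock skew to `window_seconds`, and remembers every nonce it has
    accepted for as long as its timestamp could still be replayed."""

    def __init__(self, secrets: dict, window_seconds: int = 300):
        self._secrets = secrets            # assumed: api_key_id -> shared secret
        self._window = window_seconds
        self._seen = {}                    # (key_id, nonce) -> expiry time

    @staticmethod
    def canonical(method, path, key_id, timestamp, nonce, body: bytes) -> bytes:
        # Assumed canonical form; binding the body hash stops payload swapping.
        return "\n".join([method.upper(), path, key_id, str(timestamp), nonce,
                          hashlib.sha256(body).hexdigest()]).encode()

    def sign(self, key_id, method, path, timestamp, nonce, body: bytes) -> str:
        msg = self.canonical(method, path, key_id, timestamp, nonce, body)
        return hmac.new(self._secrets[key_id], msg, hashlib.sha256).hexdigest()

    def check(self, method, path, headers: dict, body: bytes, now=None) -> str:
        now = time.time() if now is None else now
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        key_id = headers.get("X-Api-Key", "")
        nonce = headers.get("X-Nonce", "")
        presented = headers.get("X-Signature", "")
        if key_id not in self._secrets:
            return "blocked: unknown API key"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return "blocked: invalid timestamp"
        if abs(now - ts) > self._window:
            return "blocked: stale timestamp"
        if not nonce:
            return "blocked: missing nonce"
        # Verify the signature BEFORE touching the nonce cache, so that an
        # unauthenticated flood cannot fill the cache with junk nonces.
        expected = self.sign(key_id, method, path, ts, nonce, body)
        if not hmac.compare_digest(expected, presented):
            return "blocked: bad signature"
        if (key_id, nonce) in self._seen:
            return "blocked: replay"
        self._seen[(key_id, nonce)] = ts + self._window + 1
        return "allowed"


# Constructed sample inputs for a stand-alone run.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

if __name__ == "__main__":
    print(inspect_xml(BILLION_LAUGHS))
    print(inspect_xml(b"<order><id>1</id></order>"))
    guard = ReplayGuard({"key-123": b"constructed-secret"})
    ts = int(time.time())
    body = b'{"amount": 10}'
    sig = guard.sign("key-123", "POST", "/v1/payments", ts, "n1", body)
    hdrs = {"X-Api-Key": "key-123", "X-Timestamp": str(ts),
            "X-Nonce": "n1", "X-Signature": sig}
    print(guard.check("POST", "/v1/payments", hdrs, body))   # first use
    print(guard.check("POST", "/v1/payments", hdrs, body))   # replayed
```

The XML guard deliberately rejects on the first entity declaration rather than counting expansions: by the time an expansion budget is exceeded, the parser has already done the work the attacker wanted. The replay guard only records nonces from requests whose signature verified, and it keeps each nonce for the full skew window so a captured request cannot be resubmitted at any point while its timestamp is still acceptable.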

In 2015, API Security is vital because APIs are the foundation of so much of the digital world. Randy Westergren has shown how APIs can be a weak link in the Internet of Things (home automation systems in that case). Troy Hunt has shown that APIs are also often the point of security weakness for mobile apps. Because API Security is an important topic, it's vital to drive awareness. With noted expert Gunnar Peterson, we've been publicizing API Security: you can view the Top 10 API Security Issues video, and read the associated White Paper on API Security here.

We're also pleased to announce new API Firewalling features in our API Gateway. We had a major announcement about these features this week. The new API Firewalling features include:
  • Built-in rules to implement best practices for protecting against common threats such as the OWASP Top 10 Attacks.
  • Support for ModSecurity-based rule sets to allow companies to leverage all free or commercial rules sets built by one of the largest communities of threat protection experts in the world. Companies can also implement their own ModSecurity-based rule sets.
  • Black- and white-listing rules to combine the best of both types of threat protection.
Adding support for ModSecurity is a big deal because it means that Axway customers can leverage the ecosystem of existing ModSecurity rules. As Alexei Balaganski of the analyst firm Kuppinger Cole notes in the release announcement, "By adding API Firewalling capabilities that can leverage existing rulesets from the Open Source ModSecurity project, Axway has further expanded the scope of API security and threat protection of their offering."

To further highlight the importance of API Firewalling, last week we did a joint webinar with Smartbear where we demonstrated API Firewalling in action (showing a vulnerable API being protected). You can view the recording of the webinar here.

We're also proud that Axway earned the distinction of “Leader” in KuppingerCole’s “Leadership Compass for API Security Management” analysis report (you can download a free copy of the report from the Axway Website). The report examined various vendors’ capabilities within the API security management market and Axway was positioned among the Leaders within all four API security management leadership categories.

There have been many API Security issues recently (including Buffer and the IRS). An API Firewall protects against these threats, which is so important in the new Digital age, when mobile apps and IoT depend on APIs. I look forward to more and more awareness of API Firewalling in the future.


More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.