API – Security Review Magazine (https://securityreviewmag.com)
We bring you the latest from the IT and physical security industry in the Middle East and Africa region.

Qualys Intros AI-Powered Web Application Scanning (WAS) with API Security
https://securityreviewmag.com/?p=26990 (Tue, 30 Jul 2024 03:04:06 +0000)

Qualys has announced the launch of its API security platform that leverages AI-powered scanning and deep learning-based web malware detection to secure web apps and APIs across the entire attack surface, including on-premises web servers, databases, hybrid, multi-cloud environments, API gateways, containerized architectures, and microservices.

APIs are integral to digital transformation initiatives across industries. The latest data indicates that over 83% of web traffic now comprises API traffic, highlighting their critical role in modern web applications using microservices, cloud, and hybrid environments. However, this also underscores the vulnerabilities that accompany their widespread adoption.

“Many organizations use a variety of security tools, such as SAST, DAST, SCA, or point solutions for API security that often operate in isolation, without a unified platform to integrate their findings. Moreover, the absence of integration between these tools leads to a fragmented view of the application security posture and results in uncoordinated efforts and gaps in security coverage. Similarly, SAST & DAST tools offer limited coverage for API-specific issues and focus predominantly on code vulnerabilities,” commented Kunal Modasiya, Vice President, Product Management, CyberSecurity Asset Management, Qualys. “Mainly, these solutions fail to extend their assessment to the runtime or environmental threats where APIs operate and provide visibility into the vulnerabilities of the underlying infrastructure hosting these APIs, leaving significant security gaps at the network and host levels.”

Qualys API Security addresses these gaps and allows organizations to:

  1. Measure API risks across all attack surfaces with a unified view of API security by discovering & monitoring every API asset across diverse environments, enabling better decision-making and faster response times.
  2. Communicate API risks like OWASP API Top 10 vulnerabilities & drift from OpenAPI specs with real-time threat detection and response, minimizing the risk window and enhancing overall security.
  3. Eliminate API risks with integrated workflows supporting Shift-Left & Shift-Right practices, bridging the gap between IT and security teams, promoting seamless collaboration, and improving operational efficiency.

Key features of Qualys API

  1. Comprehensive API discovery and inventory management
    Qualys WAS with API Security automatically identifies and catalogues all APIs within an organization’s network, including internal, external, undocumented, rogue, and shadow APIs. Whether APIs are deployed in multi-cloud environments (AWS, Azure), containerized architectures (Kubernetes), or API gateways (Apigee, Mulesoft), Qualys’ continuous discovery ensures an updated inventory across all platforms, preventing unauthorized access points and shadow APIs.
  2. API vulnerability testing & AI-powered scanning
    Qualys provides comprehensive API vulnerability testing using 200+ prebuilt signatures to detect API-specific security vulnerabilities, including those listed in the OWASP API Top 10, such as rate limiting, authentication & authorization issues, PII collection, and sensitive data exposure. Moreover, for large applications, Qualys combines the power of deep learning and AI-assisted clustering to perform efficient vulnerability scans. This smart clustering mechanism targets critical areas, achieving a 96% detection rate with an 80% reduction in scan time.
  3. API compliance monitoring
    Qualys performs both active and passive compliance monitoring to identify and address any drift or inconsistencies in API implementation and documentation in adherence to the OpenAPI Specification (OAS v3). Clear, standardized API documentation, in adherence to OAS, ensures that shared documentation is easily understood by recipients, simplifies security assessments and enforcement, and enhances the accuracy of code, benefiting both automated tools and human developers. Qualys also continuously monitors APIs for compliance with industry standards such as PCI-DSS, GDPR, and HIPAA to ensure that APIs remain compliant with evolving regulations, avoiding potential fines and enhancing data protection.
  4. API risk prioritization with TruRisk
    Qualys leverages its proprietary TruRisk scoring system, which integrates multiple factors such as severity, exploitability, business context, and asset criticality to prioritize risks based on overall business impact, ensuring that the most critical vulnerabilities are addressed first. It also categorizes risks based on the OWASP API Top 10, helping organizations focus on the most prevalent and severe API security threats.
  5. Seamless integration with Shift-Left and Shift-Right workflows
    Qualys integrates seamlessly with existing CI/CD tools (e.g., Bamboo, TeamCity, GitHub, Jenkins, Azure DevOps) and IT ticketing systems (e.g., Jira, ServiceNow), supporting both shift-left and shift-right security practices. This facilitates automated security testing and real-time threat detection and response without disrupting development workflows. By bridging the gaps between IT and security teams, Qualys ensures smoother operational transitions, improving API security practices and reducing the risk window.
F5 NGINX Unveils New Solution to Help Enterprises Connect, Scale, and Secure Apps and APIs
https://securityreviewmag.com/?p=24676 (Fri, 26 Aug 2022 16:36:18 +0000)

F5 NGINX Management Suite 1.0 is now generally available. The solution provides holistic visibility and control of NGINX instances, application delivery services, API management workflows, and security solutions. Key features that help enterprises streamline and simplify operations include:

  • Scale – Intelligently scale NGINX instances and services with global policy controls using CI/CD automation to drive workflows, service configuration and provisioning, and multi-cloud management.
  • Insight – Improve business decisions, troubleshooting, and SLAs with uniform visibility across NGINX instances, apps, APIs, and security posture.
  • Governance – Provide each team supporting apps and APIs with self-service workflows, single sign-on (SSO), and role-based access control (RBAC) – all while making sure they remain compliant with organizational and industry standards.
  • Security – Achieve the robust security enterprises demand with tools that enable comprehensive visibility and policy control over the entire NGINX environment.

F5 NGINX Management Suite is the successor to NGINX Controller, which was a centralised management platform released in 2017. Following NGINX’s 2019 acquisition by F5, the technology evolved over time to become a suite of modules built on a common, easy-to-deploy platform that can scale to future use cases and support challenging customer environments.

“As organizations have accelerated towards API-first microservice architectures and Kubernetes, ADCs and classic API management have become less relevant for DevOps teams,” said Jenn Gile, Head of NGINX Product Marketing. “Enterprises rely on NGINX for everything from content caching and load balancing to API delivery and Kubernetes Ingress. However, like most software, a single NGINX instance is easy to manage manually, but watching over many can be tedious. The F5 NGINX Management Suite was specifically created to make managing customers’ NGINX fleet a pleasure rather than a chore by providing holistic visibility and control of NGINX instances, application delivery services, API management workflows, and security solutions.”

API Security Moves Mainstream
https://securityreviewmag.com/?p=24570 (Fri, 29 Jul 2022 07:17:33 +0000)

Written by Cameron Camp, Security Researcher at ESET

As swarms of IoT gear seek richer data retrieval from their cloud mother ships, the more robust – and more potentially dangerously hackable – API interfaces get a fresh push toward center stage. With Google’s API security initiative Apigee, API security is growing up. And it’s not just IoT. Machine-to-machine data behind super-slick UX designs need seamless interfaces that help move masses of data with less friction, offering more responsive mashups of tech polled from locations far and wide.

But to make this all “just work”, those more robust interfaces bake in more robust attack possibilities to potentially slurp data wholesale to parts unknown and at record speed. Recently, we wrote about the spate of new startups at this year’s RSA Conference that tried to get attendees to wrap their heads around how to make sure an API doesn’t suddenly start misbehaving or does stuff no one knows about until it’s too late. It’s not just us: our friends at DarkReading purport to tally the mounting business losses associated with API hacks.

And now the heavyweights are moving into this space too, cementing API security as “A Thing”. Google’s Apigee Advanced API Security for Google Cloud aims to let organizations identify API misconfigurations and thwart malicious bots, the former being one of the main culprits of API security incidents. Luckily, there are tools from folks like the OWASP API Security Project where you can do a health check on your own APIs, or on those you interface with, which can serve as a baseline. They also have a drill-down about the most common misconfigurations and how to avoid them, so it’s a great place to start.

As we mentioned in our previous post, there was a bevy of API security startups darkening the halls at RSA, so you may also have some commercial options, with more coming in the future. Expect to continue to see API hacks ramp up as companies wrestle with the prospect of securing yet another interface, this time an industrial one that sits at the heart of the cloud and big data, and – configured wrong – can allow vast troves of data to be siphoned off around the world to parts unknown. Just make sure it’s not your data.
