Win. Place. Show. Gone are the days when bettors stand in lines sporting a folded-up newspaper in their back pockets waiting to bet on the next horse race. Nor is everyone communicating through a plastic window, verifying from their marked-up newspapers which horses they are sure will place first, second and third in hopes of hitting that magical trifecta and the huge monetary bundle that goes along with it. Today, the picture looks different. Although many are still attracted to betting in person, online betting sites like FanDuel allow you to watch and bet on live horse racing from hundreds of tracks worldwide. In fact, over half of all horse racing wagers are now placed online.
APIs are the veins and arteries of the vascular system behind modern applications, and they make online sports betting possible. But as cyber threats remain rampant, APIs are also a major target of nefarious actors in the online world. These unique interfaces are vulnerable to credential stuffing, distributed denial of service (DDoS), and other threats that can compromise your business. In fact, Gartner noted just last year that by 2025, 50% of data theft will be due to unsecured APIs.
To combat these growing threats, Edgio has recently updated its multi-layer WAAP solution
The first enhancement is the availability of JSON Web Token (JWT) authentication to secure APIs, so you know users are who they claim to be. The tokens, consisting of a header, a payload, and a digital signature, are signed using either a private secret or a public/private key pair. A compact and self-contained way to securely transmit information between parties, JWT secures API endpoint access to address significant risks including broken authentication, which has been a persistent presence on the OWASP Top 10 API Security Risks.
This measure also allows for authorization of API requests at the edge, improving performance and security while enabling customers to move API Gateway functions closer to users. By transferring their request validation from cloud infrastructure to the edge, our clients leverage Edgio’s ultra-low latency environment to improve the performance and security of API traffic with detailed control over API access and real-time mitigation of attacks closest to where they originate. This enhances availability and lowers costs for managing mission-critical API endpoints.
The second set of enhancements is to its Advanced Rate Limiting solution, which limits how people (and bots) can access applications based on the rules/policies set by the API’s operator or owner. This solution provides additional controls to protect against a wide range of automated threat use cases including fraud, DDoS, and API abuse. With this update, user requests can be tracked across longer periods of time to detect low and slow DDoS attacks designed to exhaust the target’s resources without a noticeable spike in resource consumption. The ability to incorporate user session and supplemental custom identifiers (such as TLS fingerprints) enables you to shape application traffic granularly, ensuring accurate detection of advanced persistent attacks.
Taking rate limiting one step further, Edgio is offering response-based rate limiting to help customers defend against attacks aimed at bypassing cache and causing elevated errors that overwhelm applications. This feature enables customers to apply rate limits based on specific origin error conditions (e.g. 504 errors), helping mitigate these sophisticated DDoS attacks.
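To make the two rate-limiting ideas above concrete, here is an added sketch (not Edgio's code or configuration) of a sliding-window limiter that counts only origin 504 responses per client, replayed over constructed traffic with a short and a long window. The class and function names, the limit of 5, the window lengths and the sample addresses and fingerprints are all assumptions for illustration.

```python
from collections import defaultdict, deque

class ResponseRateLimiter:
    """Sliding-window limiter that counts only tracked origin error responses."""
    def __init__(self, limit, window_s, statuses=(504,)):
        self.limit, self.window_s = limit, window_s
        self.statuses = frozenset(statuses)
        self.events = defaultdict(deque)  # client key -> times of counted errors

    @staticmethod
    def client_key(ip, tls_fp, session=None):
        # Prefer the session id; otherwise pair the IP with the TLS fingerprint
        # so clients sharing one NAT address are tracked separately.
        return ("session", session) if session else ("net", ip, tls_fp)

    def _prune(self, q, now):
        while q and q[0] <= now - self.window_s:
            q.popleft()

    def allow(self, key, now):
        q = self.events[key]
        self._prune(q, now)
        return len(q) < self.limit

    def record(self, key, status, now):
        if status in self.statuses:  # other statuses never consume the budget
            self.events[key].append(now)

def replay(limiter, log):
    """Replay (time_s, ip, tls_fp, origin_status) rows; return (ip, verdict) pairs."""
    verdicts = []
    for t, ip, fp, status in log:
        key = limiter.client_key(ip, fp)
        if limiter.allow(key, t):
            limiter.record(key, status, t)
            verdicts.append((ip, "pass"))
        else:
            verdicts.append((ip, "block"))
    return verdicts

def blocked(verdicts, ip):
    return sum(1 for who, v in verdicts if who == ip and v == "block")

# Constructed traffic: one client triggers a 504 every 60 s (low and slow),
# another sends 100 requests in 100 s that the origin serves normally.
SLOW = [(60 * i, "203.0.113.7", "fp-a", 504) for i in range(8)]
BUSY = [(i, "198.51.100.9", "fp-b", 200) for i in range(100)]
LOG = sorted(SLOW + BUSY)
if __name__ == "__main__":
    for w in (10, 3600):
        print(w, blocked(replay(ResponseRateLimiter(5, w), LOG), "203.0.113.7"))
```

With the 10-second window the slow client is never blocked, while the one-hour window blocks it after five origin errors; the busy but healthy client passes under both because its responses are not counted.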
Conclusion
In spite of growing API traffic, it has been estimated that less than 10% of organizations have implemented dedicated API testing and threat modeling programs. The move to better security is clearly needed. Whether you’re monitoring APIs in sports betting, in retail this holiday season, or wherever your business takes you, getting a handle on how to protect them against the rash of threats at the edge is crucial.
As cybersecurity executive Stephane Nappo once said, “It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” Let Edgio help you preserve your reputation for years to come with these new enhancements to our Web Application and API Protection (WAAP) solution and more.