Bot mitigation and API security were on the tip of analysts’ tongues at the Gartner IT Security and Risk Summit 2017
I was buzzing after leaving Gartner’s IT Security and Risk Summit, because bot mitigation and API security were front and center among some of my favorite Gartner analysts. I already dedicated an entire blog post to Tricia Phillips’ presentation on Don’t Treat Your Customer Like a Criminal.
And these three presentations were also big standouts:
- Ramon Krikken’s talk on API abuse in the age of public APIs
- Mark O’Neill’s talk on balancing openness and protection in API Security
- Jonathan Care’s talk on tracking transactions and user activity
After taking some time to digest the information and reflect on what I learned, eight things stuck out for me:
- Bot detection and mitigation has gone mainstream. Everywhere I turned there was talk of bad bots. Although there’s still no Gartner Magic Quadrant for Bot Detection and Mitigation, I’ve seen a revolution in bad bot awareness over the past three years. It’s gone from being viewed as a feature of a WAF to a full-fledged stand-alone product category.
- I loved Ramon Krikken’s Four Categories of Attacks on Web Applications and APIs. Knowing how much information, from seemingly endless sources, is flying around on web application security, API security, and bot mitigation—I can’t help but feel sorry for customers. Krikken’s four buckets (Denial of Service, Exploit, Abuse of Functionality, and Access Violation) simplify how to think about the threats facing websites and APIs.
- More businesses have realized that IP rate-limiting, writing rules in a WAF, and CAPTCHAs don’t solve the bad bot problem. While those technologies and techniques have a role to play, they’re either bypassed by sophisticated bots or create too much end user friction (or both!).
- Bot Mitigation makes its way into API security architecture. Although few enterprises have all the products in the architecture diagram below, Ramon Krikken showed where bot mitigation fits in the web application security stack. He also gave a rating system for the problems bot mitigation solves—it’s strong against abuse, which OWASP defines as automated threats.
- Mobile security intersects bot mitigation at the API. Bots don’t care if it's your website, mobile app, or API server—they’re after your data, login endpoints, payment processors, etc. Limiting your protection to the website is like locking the front door and leaving your windows wide open.
- The next generation of bot detection is in SDKs and client side sensors. In fact, we just announced General Availability for our mobile SDK, making us the most comprehensive bot defense platform for stopping advanced persistent bots (APBs).
- I was shocked by how many global brands have dealt with API security problems. Nissan, Facebook, Tinder, Yahoo!, Target, Snapchat, IRS.gov, and Pokemon were all in Mark O’Neill’s slide about API breaches. These incidents highlight the importance of API and mobile app security.
- The breakdown of the Snapchat breach really brings the API security problem to light. Someone reverse engineered the Snapchat feature that checks for contacts to build a database of Snapchat users. Was that a breach or just an abuse of existing functionality? I’d say the latter as that functionality was built right into the app.
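The Snapchat contact-check case and the point about IP rate limiting fit together: an abuse-of-functionality client can keep every individual source IP under a per-IP threshold while still running thousands of lookups through one app session. The script below is an added illustration, not code from the original post or from any vendor; it runs a naive per-IP rate limiter and a per-session behavioral check side by side over constructed log lines for a hypothetical contact-lookup endpoint (`/v1/contacts/check`, `sess=` session ids, TEST-NET addresses are all made up for the example). The thresholds are assumptions chosen for the sample, not recommended production values.

```python
"""Added example: per-IP rate limiting vs. per-session behavioral detection
on a constructed contact-lookup API log (no real traffic or product code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical access-log line layout used only for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) path=(?P<path>\S+) "
    r"sent=(?P<sent>\d+) matched=(?P<matched>\d+)$"
)


def build_sample_log():
    """Constructed log lines: one legitimate address-book sync and one
    session that spreads its lookups over several IPs."""
    base = datetime(2017, 6, 14, 10, 0, 0)
    lines = []
    # Legitimate user: one device, one IP, uploads its contacts, then refreshes.
    for i in range(2):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()}Z 198.51.100.7 sess=user-a "
                     f"path=/v1/contacts/check sent=40 matched=25")
    # Enumeration-style session: same app token, five source IPs, each IP kept
    # under a naive per-IP limit; guessed number ranges rarely match real users.
    ips = [f"203.0.113.{n}" for n in range(10, 15)]
    for k in range(15):
        ts = base + timedelta(seconds=30 * k)
        lines.append(f"{ts.isoformat()}Z {ips[k % 5]} sess=bot-1 "
                     f"path=/v1/contacts/check sent=40 matched=1")
    return lines


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"].rstrip("Z")),
            "ip": d["ip"], "sess": d["sess"], "path": d["path"],
            "sent": int(d["sent"]), "matched": int(d["matched"]),
        })
    return events


def per_ip_offenders(events, max_requests=5, window=timedelta(minutes=10)):
    """Naive per-IP rate limit: flag an IP with more than max_requests
    in any sliding window. This is the control the post says gets bypassed."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_requests:
                flagged.add(ip)
                break
    return flagged


def per_session_offenders(events, max_lookups=200, max_match_rate=0.2, min_ips=3):
    """Behavioral check keyed on the client session rather than the IP.
    Assumes `events` already covers one detection window (e.g. the last 10 min).
    Flags sessions with a high lookup volume, a low match rate (guessed numbers
    are mostly not users), or one token spread across several source IPs."""
    by_sess = defaultdict(list)
    for e in events:
        by_sess[e["sess"]].append(e)
    flagged = {}
    for sess, evs in by_sess.items():
        sent = sum(e["sent"] for e in evs)
        matched = sum(e["matched"] for e in evs)
        ips = {e["ip"] for e in evs}
        rate = matched / sent if sent else 0.0
        reasons = []
        if sent > max_lookups:
            reasons.append(f"lookups={sent}>{max_lookups}")
        if sent >= max_lookups and rate < max_match_rate:
            reasons.append(f"match_rate={rate:.2f}<{max_match_rate}")
        if len(ips) >= min_ips:
            reasons.append(f"source_ips={len(ips)}>={min_ips}")
        if reasons:
            flagged[sess] = reasons
    return flagged


def run(lines=None):
    """Return (ips flagged by the per-IP limiter, sessions flagged behaviorally)."""
    events = parse(lines if lines is not None else build_sample_log())
    return per_ip_offenders(events), per_session_offenders(events)


if __name__ == "__main__":
    ip_hits, sess_hits = run()
    print("per-IP limiter flagged:", sorted(ip_hits) or "nothing")
    print("per-session check flagged:", sess_hits)
```

On the sample, the per-IP limiter flags nothing because every address stays at three requests, while the session-level check flags `bot-1` on all three signals and leaves `user-a` alone. The keying decision is the point: limits tied to the thing the client cannot cheaply multiply (an authenticated session, device, or account) see the aggregate behavior that per-IP counters split into harmless-looking pieces.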
Beyond these eight items, the conference really spoke to the need for companies like ours to get our message out to a broader audience. Ready to learn more? Visit our Customer Stories section for case studies and video testimonials from customers who have solved the very problems you’re trying to solve.
About the Author: Elias Terman