API Security and Threat Protection

Create secure REST APIs to grow the value of IT assets.

APIs are revolutionizing IT across industries by enabling enterprises to expose their backend applications, databases and other information assets for reuse in new Web, mobile and cloud apps. In this way, APIs help enterprises to quickly, easily and economically create powerful applications that open new revenue streams and add value to existing offerings.

The popularity of APIs stems partly from the way they use Web technologies that enterprise developers and architects are already familiar with. But in some ways, these new interfaces are fundamentally different from the browser-based Web. Specifically, while APIs are vulnerable to many of the same threats that plague websites, they demand a new approach to online security.

APIs expose sensitive on-premises systems and data for use beyond the firewall, creating a range of new attack vectors for hackers to exploit. Because APIs use new architectural styles and data formats (e.g. REST, JSON), new security threats have emerged that exploit traditional Web security’s inability to account for these technologies. APIs therefore require a strong, API-specific security infrastructure.

Read the White Paper: Protecting your APIs Against Attack and Hijack

Deploy an API-centric security infrastructure.

While conventional Web security proved unable to address the security requirements for APIs, many organizations had already deployed middleware gateways to secure IT assets exposed to partners and customers via service oriented architecture (SOA). Architecturally, these SOA gateways were ideally placed to centrally secure the flow of data to and from Web APIs.

Consequently, leading SOA gateway vendors have added API-specific security features to their products. These features enable the gateways to inspect all data flowing between backend systems and the client applications that leverage these systems, in order to prevent unauthorized access to client apps, malicious misuse of APIs and targeted attacks on backend systems.

CA API Gateway delivers a broad range of API-centric, enterprise-grade security and threat protection. The OAuth Toolkit, a pre-integrated component of the gateway, simplifies the process of applying strong authentication and authorization controls to API-based resources. CA Mobile API Gateway adds security measures specifically for mobile use cases.

Read the Data Sheet: CA API Management

Guard your data with industry-standard API attack protection.

These products represent the latest iteration of the Layer 7 SecureSpan SOA Gateway technology, which consistently achieved high levels of security certification, including FIPS 140-2. In July 2014, this Gateway technology had its Common Criteria certification renewed, making it the only technology of its kind to achieve this level of “military-grade” security certification.

CA API Gateway continues to deliver industry-standard threat protection measures, including:

  • Validation of HTTP parameters, REST query/POST parameters, JSON data structures, etc.
  • Prevention of cross-site scripting (XSS), SQL injection and denial-of-service (DoS) attacks
  • Identification of suspicious activity, so that patterns and potential threats can be monitored
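As an added illustration (not CA's code), this is the kind of payload validation the first bullet describes, applied by a hypothetical gateway policy to a constructed "create order" JSON body: size, nesting-depth, type and unknown-field checks that form-parameter-oriented Web security would not perform on a JSON API.

```python
import json

# Constructed limits of the kind a gateway policy enforces on inbound JSON bodies.
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 8
# Constructed schema for a hypothetical "create order" endpoint: field -> (type, required).
ORDER_SCHEMA = {"customer_id": (int, True), "sku": (str, True),
                "quantity": (int, True), "note": (str, False)}
class RejectRequest(Exception):
    """Carries the HTTP status and reason the gateway returns instead of forwarding."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status, self.reason = status, reason
def _check_depth(node, depth=1):
    """Reject nesting deeper than MAX_DEPTH: deeply nested JSON is a parser-exhaustion DoS vector."""
    if depth > MAX_DEPTH:
        raise RejectRequest(400, "json nesting too deep")
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()
    for child in children:
        _check_depth(child, depth + 1)

def validate_order_body(raw: bytes) -> dict:
    """Structural checks first, then schema checks; returns the parsed body or raises."""
    if len(raw) > MAX_BODY_BYTES:
        raise RejectRequest(413, "body too large")
    try:
        body = json.loads(raw)
    except ValueError:
        raise RejectRequest(400, "malformed json")
    if not isinstance(body, dict):
        raise RejectRequest(400, "top-level object required")
    _check_depth(body)
    for name, (typ, required) in ORDER_SCHEMA.items():
        if name not in body:
            if required:
                raise RejectRequest(400, f"missing field {name}")
            continue
        # bool is a subclass of int in Python, so reject true/false where an int is expected
        if not isinstance(body[name], typ) or (typ is int and isinstance(body[name], bool)):
            raise RejectRequest(400, f"wrong type for {name}")
    if set(body) - set(ORDER_SCHEMA):  # never forward fields the backend did not ask for
        raise RejectRequest(400, f"unexpected field(s): {sorted(set(body) - set(ORDER_SCHEMA))}")
    return body

def gateway_decision(raw: bytes):
    """Policy entry point: (200, parsed_body) if forwarded, else (status, reason)."""
    try:
        return 200, validate_order_body(raw)
    except RejectRequest as e:
        return e.status, e.reason
```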

Additional measures include support for:

  • OAuth and OpenID Connect-based authentication
  • Secure identity federation and single sign-on (SSO)
  • SAML-based security tokens
  • Proxying of mobile streaming protocols such as WebSocket and XMPP
  • PKI and certificate management
  • HMAC, RSA, SHA and fast elliptic curve cryptography

Read the Data Sheet: CA API Gateway

5 Simple Strategies for Securing APIs

Adopt a secure API architecture to counter API-specific threats.

5 OAuth Essentials for API Access Control

Create a framework to address the complex challenges associated with implementing OAuth.