API Management

API Security: It's More than Web Security

Since the advent of smartphones over a decade ago, enterprises and internet companies have focused on building apps to reach customers and to provide a richer, interactive experience. This shift to apps has also impacted threats to the enterprise with bots and malicious actors shifting from attacking web sites to attacking public APIs.

When Apigee’s customers expose critical business functions through APIs, they tempt a variety of bad actors, who try to break in by probing login interfaces or scraping data from catalogs, among other methods.

These threats also exist in web interfaces, of course. But the move toward apps has changed the basic interaction metaphor between the client and server. Apps can store more data and preserve more state between sessions. This, in turn, has changed security paradigms, and new approaches to securing the application using features like an API key have emerged.

More than a firewall

A new security approach based on the application layer is required; one that understands the structure of APIs, rather than security at the networking layer based mostly on traffic volume.

But API security shouldn’t be considered merely an extension of web security. A common method of providing web security is a WAF (web application firewall), which enables one to set rules based on IP addresses and traffic volume, among other things. The intention is to block individual IP addresses from attacking the system.

These rules can be effective in warding off simple attacks, but applying these same techniques to the API layer doesn’t take advantage of the richer data available for analysis and action in the application layer.

More than IP addresses

API traffic analysis can go beyond IP addresses; API keys and access tokens can be scrutinized. If the analysis determines that a combination of the IP address and API proxy is under attack, the action taken (blocking or tagging of the IP) can also be fine-tuned to the appropriate scope.

In other words, API security enables a finer degree of control to block specific bad actors within the appropriate context rather than blocking all traffic from an IP address. The API security layer should be part of a multi-layered approach to protecting back ends against malicious behavior.

Because of its placement in the data stream, an API platform presents an opportunity to monitor for and detect anomalies in API traffic. But the possibilities go beyond detection—and they have to, in order to protect an organization’s backend.


Built on the Apigee Edge API platform, Apigee Sense is a full-cycle API security solution that was purpose-built for APIs. It detects bad behavior patterns at the API level, and blocks bad actors from access based on administrator specifications. Identifying behavior patterns enables a finer grain of control for blocking, so the system doesn’t have to block all users from a particular geography or service provider, which could potentially block normal behavior.

Joy Thomas is a data scientist on Google Cloud’s Apigee team. He is coauthor of “Elements of Information Theory.”