SQL injection was first publicly described in 1998, and more than 20 years later it remains an unsolved challenge and an ongoing threat for every web application and API. The Open Web Application Security Project (OWASP) lists injection flaws in both of its Top 10 lists: the one for web application security risks and the one for API security threats.
For Akamai customers, SQL injections comprised 76% of all web application attacks detected over the past two years.
The reasons why SQL injections remain a challenge in 2020 are the same as those that have driven the growth of the World Wide Web (and Akamai with it) over the past two decades:
All of these factors make it hard for security teams to keep protections current for applications that are constantly changing. But that is only half of the equation: rapid iteration also creates a steady stream of new vulnerabilities, and attackers keep developing new vectors to exploit them.
Most customers start their web application and API protection (WAAP) journey with distributed denial-of-service (DDoS) protection. After all, applications need to be available before there’s any worry about a data breach.
From Operation Ababil to Memcached, the common thread between Akamai’s DDoS mitigation services has always been instant mitigation for attacks, backed by an industry-leading zero-second time-to-mitigate service-level agreement (SLA). From the beginning, Akamai designed its CDN as a reverse HTTP/S proxy: the edge only accepts HTTP and HTTPS connections, so traffic for any other port or protocol is dropped before it reaches the origin. That alone disposes of network-layer attacks, which make up the vast majority of all DDoS attacks.
Likewise, our authoritative DNS service drops all traffic that is not on port 53 in zero seconds. Prolexic Routed introduced a similar capability in 2013, with proactive mitigation controls tailored to each customer’s network profile. Prolexic Routed was also responsible for mitigating the record-setting 1.3 Tbps Memcached attack in February 2018 and 809 Mpps attack in June 2020.
The ability to mitigate even the largest attacks in zero seconds is unique in the industry. Starting with proactive mitigation provides the fastest and most effective method for mitigating the majority of DDoS attacks – without any additional analysis required. This is especially critical with the DDoS landscape of 2020, where short “hit and run” attacks and large-scale attacks comprising multiple attack vectors are increasing in prevalence.
Both of these trends increase the challenges of analyzing attack behavior and applying appropriate mitigation controls quickly. Defining and dropping abnormal traffic upfront provides a better experience for customers and allows Akamai’s Security Operations Command Center (SOCC) staff to focus on attacks that require manual analysis and mitigation.
Web application attacks such as SQL injection pose very different challenges. How do you protect all of your web applications when a) you don’t have enough application security staff or expertise and b) the applications themselves are constantly growing and changing?
The following principles have guided Akamai’s web application firewall (WAF) development since 2009, when we introduced the industry’s first edge WAF:
API security provides an industry-wide lesson on the need to bridge the gap between security teams and developers. Akamai introduced a positive security model for API protection in 2017, allowing customers to register their API endpoints with Akamai so that traffic not matching the registered definition is dropped and the rest receives WAF inspection. However, this required security teams to have visibility into the APIs developers are creating, which has proven challenging for most organizations. To help bridge that gap, Akamai recommends the following for API security:
Automatically inspect all API traffic.
Akamai now automatically inspects all XML and JSON traffic for web application attacks without requiring APIs to be defined and registered with Akamai.
Automatically discover new API endpoints.
In October, we’ll be talking about an exciting new capability that will finally allow security teams to keep up with changing APIs by discovering API endpoints and their definitions – integrated with WAF protections. Stay tuned and check our blog for updates.
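To make the two ideas above concrete, here is an added example (written for this article, not Akamai's code or configuration) of how a positive security model and body inspection fit together. Endpoints that are registered in a hypothetical `API_CATALOGUE` are checked against their expected method and JSON body shape; every request with a JSON body, registered or not, then has each string value walked and matched against a deliberately small set of SQL injection signatures. The catalogue, rule set, and sample requests are constructed for illustration.

```python
import json
import re
from typing import Any, Iterator, Optional

# Positive security model for registered endpoints. This catalogue is a
# constructed example for the article, not a vendor configuration format.
# Each entry: (method, path template) -> expected JSON body fields and types.
API_CATALOGUE = {
    ("POST", "/api/v1/orders"): {
        "required": {"sku": str, "quantity": int},
        "optional": {"note": str},
    },
    ("GET", "/api/v1/orders/{id}"): {"required": {}, "optional": {}},
}

# Deliberately small negative-model rule set; real WAF rule sets are far larger
# and tuned against false positives. Each rule is (name, compiled regex).
SQLI_RULES = [
    ("sql-comment", re.compile(r"--|/\*")),
    ("tautology", re.compile(r"(?i)\b(?:or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+")),
    ("union-select", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("stacked-query", re.compile(r";\s*(?i:drop|insert|update|delete|exec)\b")),
]


def _template_to_regex(template: str):
    """Turn '/api/v1/orders/{id}' into a regex matching one concrete path."""
    parts = []
    for seg in template.split("/"):
        parts.append(r"[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def match_endpoint(method: str, path: str) -> Optional[dict]:
    """Return the catalogue spec for a registered endpoint, else None."""
    for (m, template), spec in API_CATALOGUE.items():
        if m == method and _template_to_regex(template).match(path):
            return spec
    return None


def check_schema(spec: dict, doc: Any) -> Optional[str]:
    """Positive model: body must be an object carrying exactly the known fields."""
    if not isinstance(doc, dict):
        return "body-not-object"
    allowed = {**spec["required"], **spec["optional"]}
    for key in spec["required"]:
        if key not in doc:
            return f"missing-field:{key}"
    for key, value in doc.items():
        if key not in allowed:
            return f"unexpected-field:{key}"
        typ = allowed[key]
        # bool is a subclass of int in Python; do not let true/false pass as an int
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            return f"bad-type:{key}"
    return None


def walk_strings(node: Any, path: str = "$") -> Iterator[tuple]:
    """Yield (json_path, value) for every string anywhere in a parsed document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")


def inspect_strings(doc: Any) -> list:
    """Negative model: run every rule over every string value, collecting hits."""
    return [(path, name) for path, value in walk_strings(doc)
            for name, rx in SQLI_RULES if rx.search(value)]


def evaluate_request(method: str, path: str, body: bytes = b"") -> dict:
    """Decide allow/deny for one request. Registered endpoints get the positive
    model plus string inspection; unregistered endpoints still get inspection."""
    spec = match_endpoint(method, path)
    model = "positive" if spec is not None else "negative-only"
    if not body:
        return {"action": "allow", "model": model, "reason": "no-body"}
    try:
        doc = json.loads(body)
    except ValueError:
        return {"action": "deny", "model": model, "reason": "malformed-json"}
    if spec is not None:
        err = check_schema(spec, doc)
        if err:
            return {"action": "deny", "model": model, "reason": err}
    hits = inspect_strings(doc)
    if hits:
        return {"action": "deny", "model": model, "reason": "sqli", "hits": hits}
    return {"action": "allow", "model": model, "reason": "ok"}


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    print(evaluate_request("POST", "/api/v1/orders", b'{"sku": "\' OR \'1\'=\'1", "quantity": 2}'))
```

The ordering matters: schema validation runs first because a request that does not match the registered definition is dropped regardless of its content, while an unregistered endpoint falls through to inspection only, which is the behaviour the article describes for JSON traffic that nobody has defined yet. The regexes here are only enough to show the mechanics; a production rule set also has to handle encoding, case variants and the false positives that hyphens and the words "or" and "and" cause in free text.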
Unlike DDoS and web application attacks, where attacks can often be identified based on traffic volume or signature, bot attacks have always attempted to blend with human traffic to go undetected. In addition, the more sophisticated bot operators continuously evolve in their attempts to evade detections.
This has driven a major shift in how the industry has approached the problem. Akamai recommends the following practices:
Leverage signature-based rules.
Basic bot detection looks like a WAF, with rules based on bot signatures. These basic detections can still easily detect “dumb bots” comprising more than 50% of bot traffic, allowing advanced detections to focus on more sophisticated bots.
Look for anomalies, not attacks.
As bots continue to better mimic human behavior, identifying sophisticated bots requires dropping all preconceived notions of what a bot may look like. Instead, machine learning algorithms such as adaptive anomaly clustering look for anomalies in traffic and signals collected from the 1.3 billion devices that Akamai sees daily.
Trust machine learning findings that review a lot of data.
Detecting bots requires an algorithmic approach to correlating signals across different applications and customers in real time. However, machine learning requires lots of data to ensure accuracy. Akamai feeds signals from unmatched volumes of first-party data – 1.3 billion unique clients per day and hundreds of Tbps of traffic – into our machine learning algorithms to detect 12 billion bot requests and 280 million bot logins every day.
Manage, don’t mitigate.
While an individual bot may be easy to block, bot management remains a cat-and-mouse game between attackers and security vendors: an outright block tells the operator exactly when a detection fired and invites the next round of evasion. Unlike traditional tools, Akamai’s inline architecture provides a wide array of response options to help manage the long-term impacts of bots.
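The "leverage signature-based rules" practice above is the easiest layer to show in code. The following added example (written for this article, not Akamai's detection logic) parses a handful of constructed access-log lines in the common "combined" format, applies a short priority-ordered list of User-Agent signatures, and separates the lines it can classify from the residue that would need the behavioural and anomaly-based layer the later practices describe. The log lines, rule names and thresholds are all illustrative.

```python
import re
from collections import Counter

# Constructed "combined" log-format lines (Apache/nginx default), not real traffic.
LOG_LINES = [
    '203.0.113.5 - - [10/Sep/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"',
    '198.51.100.7 - - [10/Sep/2020:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.9 - - [10/Sep/2020:10:00:02 +0000] "GET /products?page=1 HTTP/1.1" 200 8192 "-" "python-requests/2.24.0"',
    '198.51.100.9 - - [10/Sep/2020:10:00:02 +0000] "GET /products?page=2 HTTP/1.1" 200 8192 "-" "python-requests/2.24.0"',
    '192.0.2.33 - - [10/Sep/2020:10:00:03 +0000] "POST /login HTTP/1.1" 401 210 "-" "curl/7.68.0"',
    '192.0.2.44 - - [10/Sep/2020:10:00:04 +0000] "GET /products HTTP/1.0" 200 8192 "-" "-"',
    '203.0.113.8 - - [10/Sep/2020:10:00:05 +0000] "GET /products HTTP/1.1" 200 8192 "https://example.com/" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15"',
]

# Parser for the combined log format: client, ident, user, [timestamp],
# "request line", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signature rules in priority order: (verdict, predicate over parsed fields).
# Illustrative only; a real rule set is much larger and maintained continuously.
SIGNATURE_RULES = [
    ("empty-ua", lambda r: r["ua"] in ("", "-")),
    ("http-library", lambda r: re.match(
        r"(?i)^(python-requests|curl|wget|go-http-client|libwww-perl|java|okhttp)/", r["ua"]) is not None),
    ("headless-browser", lambda r: re.search(r"HeadlessChrome|PhantomJS", r["ua"]) is not None),
    ("declared-crawler", lambda r: re.search(r"(?i)bot|crawl|spider|slurp", r["ua"]) is not None),
]


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str) -> dict:
    """Apply the first matching signature; anything left over is 'unclassified'."""
    rec = parse_line(line)
    if rec is None:
        return {"verdict": "unparsed", "line": line}
    verdict = next((v for v, pred in SIGNATURE_RULES if pred(rec)), "unclassified")
    return {"verdict": verdict, "ip": rec["ip"], "ua": rec["ua"], "path": rec["path"]}


def triage(lines) -> tuple:
    """Run the signatures over every line. Returns verdict counts plus the
    residue that needs the behavioural/anomaly layer rather than signatures."""
    counts = Counter()
    residue = []
    for line in lines:
        result = classify(line)
        counts[result["verdict"]] += 1
        if result["verdict"] == "unclassified":
            residue.append(result)
    return counts, residue


if __name__ == "__main__":
    counts, residue = triage(LOG_LINES)
    print(dict(counts))
    print([r["ip"] for r in residue])
```

Two caveats a practitioner would add: a User-Agent is attacker-controlled, so a "declared-crawler" verdict only says what the client claims (verifying Googlebot, for example, means reverse and forward DNS checks on the source address, which this example does not do), and everything in the residue is not "human" but merely "not matched by a cheap rule", which is exactly the population the anomaly-based detection is for.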
Magecart-style attacks started hitting the mainstream in 2018, with major breaches at Ticketmaster, Newegg, and British Airways. These attacks are characterized by compromising JavaScript that runs on modern web pages, whether first-party code or a third-party script the page loads, so that payment and personal data is skimmed directly in the user’s browser rather than on the server.
These new types of attacks prove that new attack vectors will continue to be discovered as underlying applications continue to change. In response, security technology will continue to evolve as well.
For in-browser threats like Magecart, Akamai has shifted its approach again to:
From SQL injections to Magecart, the challenge of protecting web applications and APIs will continue to grow – with new attack vectors to protect against as well as changing applications. Navigating the evolving threat landscape requires an expanding kit of tools, solutions, and vendors to reduce the risk of doing business online.
While web applications are often the most high-profile targets, data breaches are not limited to them. Gartner’s secure access service edge (SASE) provides organizations with a broader framework through which to think through their security approach, including secure web gateway (SWG), Zero Trust Access, and DNS security. Every organization should evaluate its full needs and map them to different approaches as well as potential solutions. For more information on these markets and more, please see: