Distil Announces API Bot Defense for API Security

The bot detection company Distil Networks announced today the rollout of Bot Defense for API, a bot mitigation solution for API security. Distil’s solution prevents bots from accessing public API servers for web and mobile, an underprotected area that is increasingly targeted by malicious users.

The rise of the API economy has brought with it an explosion of API usage, but API security is still a relatively immature market, with many companies maintaining in-house solutions, or in the worst case, no security at all. A 2016 Gartner report on securing mobile apps noted that, “A common challenge with mobile apps is how to securely integrate them with back-end systems, which means securely exposing APIs. A typical failure sees developers write APIs that can be either intercepted or reverse-engineered by downloading the public app from an app store. Once the attackers deduce how the app uses the API, they attempt to directly access the API and potentially harvest API keys or other credentials from the app.” An April 2016 report from Ovum, sponsored by Distil, investigated API security and found that of 100 companies surveyed, 21% of respondents lacked protection in one or more attack vectors, leaving them vulnerable to API automated scraping, API malicious usage, API developer errors, or web and mobile API hijacking.

Distil is hoping to capitalize on the lack of API security solutions with Bot Defense for API. Distil’s API security solution can be deployed as a standalone service or added to an existing API management solution, and offers the following features for web and mobile:

Bot Defense for Web API:

  • Advanced Fingerprinting that evaluates 200+ device attributes
  • Known Violator Database
  • Client-side Interrogation
  • Browser-Not-Present Detection
  • Machine Learning Models that pinpoint behavior anomalies to site-specific and universal user behavior
  • Device-Based Rate Limiting

Bot Defense for Mobile API:

  • Mobile SDK
  • Mobile Token Management
  • Detection of Device Emulators
  • Automation Detection against external testing systems
  • Reverse Engineering Detection
  • Device-Based Rate Limiting