FASTLY API SECURITY

Protecting APIs everywhere

API securitySecurity

Fastly's API security enables visibility and protection against OWASP Top 10 API Security Risks, payloads targeting specific API protocols, and much more to protect your APIs everywhere they live.

API security for advanced threats

Fastly’s API security is built into our Next-Generation Web Application Firewall (NGWAF). Our protection enhances your security posture, unifies visibility and decisioning, and empowers application development for organizations making their applications faster, safer, and more engaging.

Enhance your security posture

APIs need protection no matter where they operate. The NGWAF runs natively in any cloud, data center, or container, with various deployment options at the code, web server, or API layer. Its flexible deployment enables visibility to external APIs based in tools like Kong or NGINX, and internal APIs like those in a service mesh. The NGWAF inspects all requests at runtime to enable automated traffic decisions like blocking, rate-limiting, and layered rulesets to secure applications from OWASP’s Top 10 API Security Risks, payloads targeting specific API protocols, and other API threats highlighted below. The NGWAF is deployable anywhere and protects your APIs everywhere, so you can scale with a single security partner that protects your applications no matter how you grow.

API Security Categories

Category	Attack Scenario
Unique Identifier Enumeration	Brute forcing sensitive IDs or tokens in APIs that are not searchable or public leads to discovery and exposure of sensitive customer data, unpublished media, payment information, PII, and other confidential data.
Account Takeover (credential stuffing)	Attackers use known lists of compromised credentials from common password lists and breach data dumps to try to gain access to customer accounts through authentication APIs.
Sensitive API Abuse	Targeting sensitive APIs such as gift card and credit card validation and attempting to validate stolen credit cards, perform ecommerce gift card fraud, obtain patient healthcare records.
Malicious bots	Malicious automation and bots are used to perform content scraping, tie up system resources, perform account brute forcing, and other actions.
Partner misuse	While organizations want to provide partners with access to APIs to automate workflow, partners can easily accidentally overwhelm API endpoints and create resource exhaustion or excessive costs through unintended spikes in API requests.
Malicious or disallowed traffic sources	Bad actors using Tor attempt to access APIs from countries or geographies where services aren’t legitimately provided. Or they attempt to perform transactions from OFAC countries blocked due to regulatory compliance.
Insider Threat	User management APIs abused by insiders to grant elevated access or perform a high number of permissions changes.
Policy Enforcement	APIs attempting to be used from an untrusted device that does not contain the right cookie or device identifier
OWASP Injection Issues / Virtual Patching	APIs using unpatched or outdated third party frameworks / libraries, and injection issues such as Command Execution, XSS, SQL Injection, and others.
Rate limiting	Malicious attack tooling that performs a high velocity of requests leading to stolen content or resource exhaustion.
Denial of Service	Targeting high system cost APIs such as database queries, search pagination, data exports, etc.

Unify visibility and decisioning

API security is better in a platform. The NGWAF offers visibility into all API requests and decisioning logic out of the box, reducing the need for multiple solutions to provide comprehensive Layer 7 protection. By combining these two functionalities, the NGWAF offers analytics that can tell complete application security stories. The story can also be easily shared across the NGWAF’s numerous integrations with Security Information and Event Management (SIEM) platforms like Elastic and Datadog to combine its insights into your overarching security narrative. The NGWAF is a security platform that increases data insights and lowers your total cost of ownership, allowing you to make better informed security decisions and reallocate your budget toward new strategic initiatives.

Empower application development

Your security tech stack shouldn’t be a roadblock to API implementation. Using Fastly’s patented SmartParse contextual detection built into the NGWAF, you can easily protect commonly utilized REST and SOAP/XML, as well as recently popularized GraphQL, GRPC, and WebSocket endpoints. This coverage includes GraphQL inspection, which parses the contents of requests to inspect them and ensure malicious payloads aren’t hidden within the call. The NGWAF enables application developers to push releases faster while creating better customer experiences because they can leverage the latest APIs without negative security implications.

Getting Signal Sciences [Fastly] up and running is quick and easy. It was literally a five minute process: with just a few rule changes specific to our authentication flows, we were able to effectively block account takeover attempts in production.

Chick-fil-A

Robert Davis

Get more from your API security

As you expose additional API endpoints, their security shouldn’t be a concern. Join leading companies like Chik-fil-A, Doordash, and Duo, who trust the NGWAF to protect their APIs and more. Contact us to get started.

Blog Post

Exploring the security implications of GraphQL

Learn defaults and controls for a safer and more successful GraphQL implementation.

Read the article

Datasheet

Fastly Next-Gen WAF Datasheet

Learn how our Next-Gen WAF automatically protects against web layer attacks and easily integrates with DevOps tools.

Learn more

Case Study

The Weather Company Case Study

The Weather Company forecasts accurate, reliable weather to 400 million monthly active users by partnering with Fastly

Read the case study