Ruishu Information: The fast-moving consumer goods industry faces severe API attacks, and API security governance is imperative

In the digital age, traditional fast-moving consumer goods (FMCG) companies have moved their business online. A large share of that business now runs through channels such as apps, mini-programs, H5 pages, and WeChat, and marketing campaigns are run directly to consumers: scanning a code to receive a red envelope, collecting cards to redeem gifts, sharing to get an instant discount, and so on.

However, behind the boom in the FMCG industry, black-market operators (the "black industry") have long been waiting for opportunities to exploit the big brands. Data shows that if companies do not control risk during marketing campaigns, the share of black-industry participants is generally above 20%, and in some cases reaches 50%. The marketing spend that brands lose to the black industry is very high, ranging from tens of thousands to hundreds of thousands, or even millions, per day.

FMCG companies are easy targets for the black industry for two reasons. On one hand, these companies run rich promotional campaigns to attract new customers, from which the black industry can quickly extract high profits. On the other hand, the rapid growth of FMCG companies' online business has led to explosive growth in the number of API calls, which widens their risk exposure, and APIs have quickly become a new target of black-industry attacks.

Fast-moving consumer goods companies face three major challenges in API security

Under the trend of digitalization, FMCG companies have moved almost all of their business, including core business, online, and increasingly rely on APIs to integrate a large number of systems and connect business functions. According to surveys, each company currently manages more than 350 APIs on average, and 69% of companies expose these APIs to the public and to partners. In the retail industry, API traffic accounts for more than 83% of all traffic.

As the interface to online business, APIs carry the responsibility of connecting services and transmitting data, and they handle a large amount of sensitive user information and business data. For this reason, attacks that extract data through APIs are increasingly popular among attackers: on one hand, API attacks are more anonymous; on the other, enterprises usually do not protect APIs as well as they protect applications such as websites. With the rise of automation tools, the skill and resources required to attack APIs have dropped.

API attacks have already had a serious impact on the business security of FMCG companies.

In terms of business security, FMCG companies often encounter malicious behavior such as account hacking, fraud, order fraud, promotion abuse ("wool-pulling"), and inventory hoarding. Because the wool-pulling community is huge and relies on large-scale automated attack technology, it causes huge economic losses to FMCG companies, and has therefore become one of the business security issues companies care about most.

In terms of data security, API attacks have become the number one cause of data leakage. Using APIs to crawl business data and user information in bulk for illegal purposes such as competitive intelligence, data resale, and business fraud leads to sensitive data leakage, which not only causes irreparable losses to FMCG companies and their users but also violates laws and regulations such as China's Cybersecurity Law and Data Security Law.

Wu Jiangang, director of information technology at Ruishu, said that API attacks against the FMCG industry are currently very severe, yet FMCG companies face real pain points in API security protection: for large companies, traditional security products can no longer cope with new types of API attacks; for small and medium-sized enterprises, limited IT investment means security technology is weaker still.

In Wu Jiangang's view, FMCG companies generally face three major challenges in API security:

First, API assets are unclear and the risk of data leakage is high.

Because of the large volume of API calls, many companies do not know how many APIs they have or what state those APIs are in. Large numbers of API assets cannot be discovered automatically, leaving API assets and ownership unclear, and these unknown APIs become a main entry point for attackers.

According to Gartner, API abuse will be the most common type of attack in 2022. Enterprises must know clearly which API assets they have in order to protect data from leakage.

Second, traditional security products have limitations and cannot effectively respond to API attacks.

Large FMCG companies generally deploy a variety of security products such as traditional WAFs, API gateways, and risk-control systems. However, these products were not designed for API security. For example:

Traditional WAF technology mainly identifies known attacks based on rules and signatures, but each API has its own business logic and vulnerabilities. A traditional WAF lacks the architectural understanding of the API context and cannot model that logic, so in many cases it cannot identify attacks on API-specific vulnerabilities.

Traditional API security gateways provide protection mainly for identity authentication, permission control, request content verification and filtering, and API rate limiting. However, these functions are tightly coupled to application development: when the application changes, the gateway configuration often has to change too, resulting in very high deployment and maintenance costs.

At the same time, a traditional API gateway can ensure that authentication is valid, but that does not mean the access behavior is legitimate. Especially in consumer-facing (To C) business, when attackers log in with valid identities, simulate normal operations, and spread API requests across many sources at low frequency, traditional API gateways cannot identify such seemingly "normal" user behavior. For this reason, many companies have begun to pay attention to API security protection.

Most risk-control systems are deployed out of band and only raise alerts, so they are helpless against attacks. They are also mostly operated by business departments; when the security department analyzes suspicious events, the lack of integration between the risk-control platform and the security platform leads to information asymmetry and inconsistent criteria, making abnormal behavior impossible to identify. When business strategy changes, the risk-control platform's strategy also has to be updated at the code level, and under rapid business growth the operational burden of the risk-control platform becomes too heavy.

Third, APIs face a variety of security attacks, which are difficult to effectively identify and protect in real time.

Common network attacks against APIs include replay attacks, DDoS attacks, injection attacks, session cookie tampering, man-in-the-middle attacks, content tampering, and parameter tampering. These threats are becoming more complex, diverse, covert, and automated. Enterprises find it difficult to identify unknown threats against APIs, and cannot block or circuit-break the various risks in real time and at fine granularity.

Fast-moving consumer goods companies urgently need innovative API security solutions

Under the severe network security situation, every API may become an attack entry point. China's Data Security Law also emphasizes the need to protect data during transmission, provision, and disclosure. Building an API security protection system is imperative.

To address the security risks and challenges faced by APIs and make up for the shortcomings of traditional security products, Ruishu Information has launched an API security management platform, API BotDefender, based on its "ADMP security model", which systematically secures APIs across the dimensions of API asset management, sensitive data management, access behavior management, and API risk identification and management.

In terms of API asset management, Ruishu API BotDefender can continuously discover API interfaces, promptly detecting unknown APIs and zombie APIs. It also automatically classifies and groups API interfaces and assigns owners to achieve decentralized data management, and it extracts API interface metadata and presents it visually.

In terms of API attack protection, Ruishu API BotDefender can block access that bypasses business logic, reject calls with invalid API request parameters, reduce security misconfigurations, and shrink the attack surface. It also supports API attack detection and protection, and introduces semantic analysis technology to further improve detection accuracy.

In terms of API sensitive data management, Ruishu API BotDefender can automatically classify sensitive information, gain real-time insight into sensitive data, plaintext passwords, and weak passwords transmitted in both directions over API interfaces, and mask them in a timely manner to avoid data leakage and meet compliance audit requirements.

In terms of API access behavior control, Ruishu API BotDefender monitors API access behavior in real time across multiple dimensions and can promptly detect abnormal access that deviates from the baseline. Its built-in API business threat model can also see through common API business threats and perform human-machine (bot) identification efficiently and accurately.

In terms of API access control, Ruishu API BotDefender has built-in flexible API access control policies that implement fine-grained access control on API interfaces, supporting multi-dimensional rate limiting, interception, delay, and so on, balancing real-time security response with business development.

The FMCG industry has always been the hardest hit by automated bot attacks, with malicious competition, data leakage, business fraud, and other incidents caused by crawlers and credential stuffing occurring frequently. As a vendor that started out in bot attack protection, Ruishu Information has provided leading automated attack protection products to many FMCG companies, and to date has protected trillions in customer assets and more than 500 million accounts, blocking 99% of automated attacks.

As automated bot attacks began to target APIs, Ruishu Information took the lead in extending protection to all online business access channels, including Web, H5, APP, API, WeChat, and mini-programs, and correlated the data of each channel through unique identifiers such as user accounts and full access records to achieve hyper-converged protection of application security. Enterprises can use Ruishu API BotDefender to protect APIs on their own, or extend API protection on top of Ruishu's next-generation WAF to protect all channels.

API security governance of well-known fast-moving consumer goods companies

At present, Ruishu API BotDefender has been successfully deployed at many FMCG companies, including several industry leaders. Against this background, Wu Jiangang, Director of Information Technology at Ruishu, presented two typical API security governance practices from FMCG companies.

Case 1: A well-known retail chain

A well-known retail chain has over 100 million users globally, and its online applications have over 30 million daily active users. Built on industry-leading IT infrastructure, the company adopts the mainstream architecture that separates dynamic and static content, and its core business runs on API interfaces. To ensure business security, traditional API gateways, WAF, risk control, and other security products were deployed early on.

Although the company already had an API gateway, it served mostly as an authentication function and lacked discovery and control at the API security level. The traditional WAF is based on a rule library and is a black box to the company: it shows the interception results but cannot see through business threats or support security analysis from a business perspective. The risk-control products lack linkage with the security platform and cannot help the company identify malicious behavior.

After adopting Ruishu API BotDefender, the company quickly discovered a batch of API assets that had never been inventoried, including temporary interfaces that had not been closed. It also discovered a large number of abnormal behaviors and the abnormal accounts and devices behind them, and blocked them in bulk.

According to tracing by Ruishu API BotDefender, a user placed an order in the APP with a mobile phone number and collected the order in store with the order receipt, and the phone number used for collection was the same as the one used to place the order. However, this phone number had placed more than 50 orders within 24 hours, which is clearly inconsistent with normal user behavior. Ruishu API BotDefender also found that as many as 230 devices were involved in this abnormal behavior, and that 80 devices each used more than 5 accounts to place orders within 1 hour. A total of 1,540 mobile phone numbers were involved. These abnormal behaviors, which traditional security products cannot identify, are clearly displayed on the Ruishu API BotDefender platform and can be intercepted in real time.
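The two thresholds in this case (more than 50 orders from one phone number within 24 hours; more than 5 accounts ordering from one device within 1 hour) can be checked offline over order logs with a sliding window. The following is an added example written for this article, not Ruishu's code or the BotDefender platform's logic; the order record fields and the sample data are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds quoted in the case: over 50 orders from one phone number within
# 24 hours, and over 5 accounts ordering from one device within 1 hour.
PHONE_ORDER_LIMIT, PHONE_WINDOW = 50, timedelta(hours=24)
DEVICE_ACCOUNT_LIMIT, DEVICE_WINDOW = 5, timedelta(hours=1)

def distinct_in_window_exceeds(events, limit, window):
    """events: (timestamp, key) pairs. True if any sliding window of length
    `window` holds more than `limit` distinct keys."""
    events = sorted(events)
    in_window, start = Counter(), 0
    for t, key in events:
        in_window[key] += 1
        while t - events[start][0] > window:  # expire events older than the window
            old = events[start][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        if len(in_window) > limit:
            return True
    return False

def group_and_flag(orders, group_field, key_field, limit, window):
    """Group orders by `group_field` and flag groups whose `key_field` values
    exceed `limit` distinct entries inside any `window`."""
    groups = defaultdict(list)
    for o in orders:
        groups[o[group_field]].append((o["ts"], o[key_field]))
    return {g for g, ev in groups.items() if distinct_in_window_exceeds(ev, limit, window)}

def find_abusive_phones(orders):
    # order_id is unique per order, so counting distinct order_ids counts orders
    return group_and_flag(orders, "phone", "order_id", PHONE_ORDER_LIMIT, PHONE_WINDOW)

def find_abusive_devices(orders):
    return group_and_flag(orders, "device", "account", DEVICE_ACCOUNT_LIMIT, DEVICE_WINDOW)

def constructed_orders():
    """Constructed sample, not real traffic: 138-AAA places 60 orders in 20 hours
    (flag); 138-BBB places 60 orders spread over 48 hours, at most 31 per 24h
    (no flag); dev-Z rotates through 6 accounts in 25 minutes (flag)."""
    base, orders = datetime(2022, 6, 1), []
    plan = ([(20 * i, "138-AAA", "dev-X", "acct-X") for i in range(60)]
            + [(48 * i, "138-BBB", "dev-Y", "acct-Y") for i in range(60)]
            + [(5 * i, f"139-{i}", "dev-Z", f"acct-Z{i}") for i in range(6)])
    for n, (minutes, phone, device, account) in enumerate(plan):
        orders.append({"order_id": n, "ts": base + timedelta(minutes=minutes),
                       "phone": phone, "device": device, "account": account})
    return orders
```

The 138-BBB case shows why the window matters: 60 orders over two days never exceed the 24-hour threshold, so a naive total count would over-block while the sliding window does not.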

In addition to API asset management and API abnormal behavior control, Ruishu API BotDefender also provides the company with full-lifecycle API security capabilities, which cover not only defense against the OWASP API Security Top 10 but also rapid response to API business-security attacks such as crawlers and credential stuffing through the API business threat model.

Case 2: Health and beauty retail chain

A well-known health and beauty retail chain has tens of millions of active members worldwide. With such a huge business volume, the company has always treated information security as the top priority in its IT construction. To protect its online business, the company has used the Ruishu dynamic application protection system Botgate since 2017, which has effectively defended against large numbers of bot attacks, wool-pulling, security attacks, and other malicious behavior.

As more of the company's transactions moved from offline to online and digital marketing deepened, WeChat Mini Programs became one of its main online channels for business and marketing. The number of API interfaces grew rapidly, and so did the number of attacks launched through them. Attackers attempted to access member information through APIs without authorization and harvest users' private information in bulk, which made the company realize it needed to strengthen API protection quickly.

In 2020, the company added the API BotDefender module on top of its existing Ruishu dynamic application protection system to supplement API protection capabilities, with immediate results: first, sensitive information in API response messages was masked to avoid data leakage; second, abnormal API access behavior was controlled, with abnormal devices and accounts handled in real time; third, rate limiting based on the number of visits to a single API interface prevented CC (HTTP flood) attacks from paralyzing the business; fourth, to counter the black industry's use of location-spoofing software in regional marketing campaigns, effective human-machine identification and fake-location detection were carried out to prevent wool-pulling.

Conclusion

In the wave of digitalization, FMCG companies face an increasingly complex network security environment and an escalating fight against the black industry. For FMCG companies that have long operated omni-channel, APIs are a protection target that needs urgent attention. As an innovative API protection solution, Ruishu API BotDefender is based on Ruishu's unique "dynamic security + AI" core technology and can establish complete API asset perception, discovery, monitoring, and management capabilities for FMCG companies, effectively protecting their business security and data security.
