Distil Debuts Bot Defense for API

July 14, 2017

Bot Defense for API is a new solution that prevents bots from accessing the API servers that power public-facing websites and mobile applications. Distil now protects these API servers by determining whether a human is using a verified browser or mobile device to gain access. Distil goes beyond competing web-only solutions by providing the only comprehensive bot defense platform to protect websites, mobile apps and API servers from advanced persistent bots.

Bots are used by competitors, hackers and fraudsters and are the key culprits behind web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, data theft, unauthorized vulnerability scans, spam, digital ad fraud and downtime. Bots vary in volume and sophistication, but all place an increasing burden on IT security and web infrastructure teams and wreak havoc across online operations big and small.

"While usage of APIs to drive web and mobile apps is exploding, the security of those APIs remains a grave concern, with 21% of APIs going live without any input from security professionals," said Rami Essaid, CEO and co-founder of Distil Networks. "Distil believes that the benefits of APIs shouldn't come at the expense of security, which is why we have released Bot Defense for Web API and Mobile Apps. Now, the API server that powers your website or mobile app is also protected against advanced persistent bots."

Key Capabilities of Bot Defense for Web API

The new solution extends Distil's Bot Defense Platform to protect web APIs.

• Hi-Def Fingerprint - Identification based on 200+ unique markers present in the OS and browser (plugins, screen, interface, fonts, WebGL, audio, video, etc.)

• Known Violator Database - Checks against Distil's known violator reputation list

• Client-side Interrogation - Validates that the browser is what it claims to be (e.g. has the correct JavaScript engine, is formatted correctly and all components perform as they should)

• Browser-Not-Present Detection - Blocks API requests based upon the absence of the Distil Hi-Def Fingerprint

• Domain-specific and Global Machine Learning Models - Pinpoints behavioral anomalies specific to a site's unique patterns, as well as bad bot behavior across all Distil-protected sites

• Device-based Rate Limiting - Goes beyond IP-based rate limiting to detect when a device sends too many API requests across multiple usage vectors

Key Capabilities of Bot Defense for Mobile App APIs

• Mobile SDK - Places bot mitigation directly into the mobile app

• Mobile Token Management - Continuously verifies that a mobile token is present and unaltered

• Emulation Detection - Prevents API access from mobile device emulators that mimic human users

• Automation Detection - Prevents API access from external testing systems that mimic human users on mobile devices

• Reverse Engineering Detection - Prevents debugging software from tampering with the SDK

• Device-based Rate Limiting - Rate limiting that goes beyond IPs and detects device utilization
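As an added illustration of why the "Device-based Rate Limiting" and "Browser-Not-Present Detection" bullets (in both lists above) matter, and not code from Distil, whose implementation the release does not describe: a constructed window of API requests in which a per-IP limit blocks a shared office address yet misses a scraper rotating proxies, while keying on the device fingerprint and summing across endpoints catches it, and requests carrying no fingerprint are rejected outright. The addresses, fingerprint values and the limit of 10 per window are assumptions.

```python
from collections import Counter

# Constructed sample of one rate-limit window of API requests as
# (client_ip, device_fingerprint, endpoint). A fingerprint of None stands for
# a request that never ran the client-side fingerprinting code.
SAMPLE_REQUESTS = (
    # one office NAT address: four distinct people, three light calls each
    [("203.0.113.10", f"human-{i}", "/api/search") for i in range(4) for _ in range(3)]
    # one scraper rotating through nine proxy addresses but carrying a single
    # fingerprint and spreading its calls over three endpoints
    + [(f"198.51.100.{n}", "bot-fp-1", ep)
       for n in range(1, 10) for ep in ("/api/search", "/api/item", "/api/price")]
    # a headless script that presents no fingerprint at all
    + [("192.0.2.7", None, "/api/price")] * 5
)
LIMIT = 10  # assumed: requests allowed per key per window, same for every policy


def evaluate(requests, limit=LIMIT):
    """Compare three counting keys over one window.

    Returns (blocked_by_ip, blocked_by_device_and_endpoint, blocked_by_device,
    browser_not_present): the keys each policy would block, plus how many
    requests are rejected outright because they carry no fingerprint.
    """
    by_ip, by_dev_ep, by_device = Counter(), Counter(), Counter()
    browser_not_present = 0
    for ip, fp, endpoint in requests:
        by_ip[ip] += 1
        if fp is None:
            browser_not_present += 1  # no fingerprint: no verified browser or SDK produced it
            continue
        by_dev_ep[(fp, endpoint)] += 1  # one usage vector at a time
        by_device[fp] += 1              # all usage vectors of one device together

    def over(counter):
        return {key for key, n in counter.items() if n > limit}

    return over(by_ip), over(by_dev_ep), over(by_device), browser_not_present


if __name__ == "__main__":
    ip_hits, dev_ep_hits, dev_hits, no_fp = evaluate(SAMPLE_REQUESTS)
    print("per-IP blocks:", ip_hits)                  # the shared NAT address: a false positive
    print("per-device-and-endpoint blocks:", dev_ep_hits)  # empty: 9 per endpoint stays under 10
    print("per-device blocks:", dev_hits)             # bot-fp-1: 27 calls across three endpoints
    print("browser-not-present rejections:", no_fp)
```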

According to Gartner's November 2016 report titled 'Securing Mobile App Back Ends', "A common challenge with mobile apps is how to securely integrate them with back-end systems, which means securely exposing APIs. A typical failure sees developers write APIs that can be either intercepted or reverse-engineered by downloading the public app from an app store. Once the attackers deduce how the app uses the API, they attempt to directly access the API and potentially harvest API keys or other credentials from the app."

Copyright © 2002 - 2017 CONSTITUENTWORKS SM CORPORATION. All rights reserved.