Google Cloud announced the preview of new API security capabilities built on its API management platform Apigee, which include two key functions: identifying API misconfigurations and detecting bots.
Advanced API Security is “a comprehensive set of API security capabilities built on top of Apigee,” explained Frank Weigel, VP of Google Cloud business application platforms. “We built it to address the growing API security concerns, and it enables organizations to more easily detect and mitigate security threats.”
Google acquired Apigee in 2016, integrating the startup’s cloud-based API creation and management platform into a service available for Google Cloud Platform customers.
As API usage and traffic volumes continue to increase, “API security challenges have emerged as a top concern for most software engineering leaders,” Weigel noted.
One of the leading reasons for those API security incidents is misconfigured APIs, Vikas Anand, head of product for Google Cloud business application platforms, pointed out.
“Having too many APIs and interfaces to govern is actually the number one cause of misconfiguration that can lead to a leak,” Weigel added.
However, managing configurations and manually safeguarding APIs is time-consuming and requires considerable resources.
“This is where Advanced API Security comes in,” Anand said. It can help API teams more easily identify API proxies that do not conform to security standards.
The Advanced API Security platform continuously assesses and analyzes all managed APIs to find those misconfigured or ones experiencing that might lead to vulnerabilities. Then, it will provide API teams with recommended actions on how to improve the security posture when configuration issues are detected, he added.
Plus, Google Cloud’s API security team plans to add a landing page for those recommendations, according to Shelly Hershkovitz, product manager for Apigee API security at Google Cloud.
Google Cloud Targets Malicious Bot Detection Within API Traffic

Google Cloud also added bot detection to the Apigee platform.
With “the increased volume of API traffic, bot attacks are up and the stakes are higher and higher for businesses,” Anand said. But, “most organizations are not well prepared to fend off these threats.”
That’s why Google Cloud’s Advanced API Security is designed to give API teams an easier way to identify malicious bots within API traffic, he added. It uses pre-configured rules, each of which represents a different type of unusual traffic from a single IP address. If an API traffic pattern meets any of the rules, the platform will report it as a bot.
“Furthermore, Advanced API Security speeds up the process of identifying data breaches as well,” Anand said. It can identify bots whose requests successfully returned the HTTP 200 OK status response code.
API Security for High-Value Industries

Given malicious actors are increasingly targeting high-value industries, Weigel and Anand noted there is a great need to secure APIs in the health care and finance sectors.
For health care organizations, sensitive personal health care data needs to be transmitted. “Within Advanced API security, health care organizations can easily detect API misconfiguration issues and reduce the security risk of sensitive information,” Anand said, adding that it makes it easier to detect those required authentication and authorization policies that have not been applied to the APIs.
Financial services APIs are frequently the target of malicious bot attacks. Advanced API Security is designed to analyze traffic patterns and identify the sources of malicious traffic to reduce future threat risks, Anand explained.
It also can help the bank’s API team to review and stop the malicious bot activities in API traffic, the vendor claims.
“Four out of the top five U.S. banks ranked by the Federal Reserve are already using Apigee,” Anand touted. “So Apigee is not only the leader in API management but it is also an essential part of application development and modernization at Google Cloud, which now brings in this capability of Advanced API Security.”