Application security, DevSecOps

Four ways to effectively close API security gaps

Share
A visitor tries out a tablet next to a cloud computing symbol at the 2013 CeBIT technology trade fair on March 5, 2013, in Hanover, Germany. Today’s columnist, Josh Stella of Snyk, lays out five fundamentals of cloud security. (Photo by Sean Gallup/Getty Images)
A visitor tries out a tablet next to a cloud computing symbol at the 2013 CeBIT technology trade fair on March 5, 2013, in Hanover, Germany. Today’s columnist, Filip Verloy of Noname Security, says rapid cloud adoption has spurred increased use of APIs and security teams must be clear on who in the organization will be responsible for keeping them secure. (Photo by Sean Gallup/Getty Images)

As enterprises continue to drive innovation and embark on their digital transformation journeys, their dependency on APIs grows every day. Public cloud adoption and modern application architectures have also caused API usage to surge. However, despite the power and popularity of APIs, many organizations struggle with API security. Few have a dedicated process for evaluating API security and instead treat APIs the same as web applications.

The surge in API growth, both in numbers and volume of traffic, have left security teams struggling to efficiently observe and adequately address the gaps left by existing common controls. APIs are so critical to the business today that design errors and simple misconfigurations can put sensitive information and company reputations at risk. Here are four ways enterprises can close the API security gaps:

  • Implement a system for API management and identification.

Most enterprises simply don’t know how many APIs they have. It isn’t uncommon at many organizations that 30% of APIs are unknown or unmanaged. Not having a complete inventory of APIs poses a significant risk to organizations. Issues like misconfigurations, suspicious behavior, and cyberattacks can all occur unabated without the company’s knowledge. When organizations lack visibility into their APIs, they also lack insight into how many APIs are communicating sensitive information or how many are communicating with the open web.

To eliminate this gap, organizations need to automatically find and inventory all APIs, including legacy and rogue APIs, as well as catalog all the data and meta-data of the APIs. By getting a complete inventory of APIs, with data classification and configuration details, organizations can identify the misconfigurations and vulnerabilities that are susceptible to attackers. From there, they can start to map out where and how to effectively apply security efforts.

  • Establish ownership around API security.

With so many teams playing a role in the creation, consumption, and management of APIs, it’s no surprise that there’s confusion around which teams are responsible for API security. While most organizations have an API structure in place unique to their organizations and teams, these structures are often loosely defined and not well understood. To help identify, fix and mitigate API security vulnerabilities, the company needs a clear ownership structure of API security. This clear structure helps ensure vulnerabilities do not slip through the cracks and all teams are working together to eliminate API risk.

  • Take a proactive approach to API security.

Today, most organizations take a reactionary approach to API security with many leveraging web application firewall (WAFs) and API gateways to secure their web applications and manage their APIs and API assets. However, these tools alone are insufficient at achieving API security. What’s more, traditional security solutions only scan traffic and are looking for anomalous behavior, using static patterns matching without API specific context. To fully protect digital environments and data from all the risks associated with APIs, organizations should invest in modern API security solutions that identify API misconfigurations, and also leverage AI and ML-based models to intimately understand how APIs behave in real-time. Development teams should also work to shift left, testing on APIs to identify and fix misconfigurations and vulnerabilities. The team could manually manipulate the requests to the API, inserting fuzzing strings into requests, or automate it via an API security testing solution.

  • Select the right API solution.

With API security top-of-mind for most security organizations, a number of vendors have emerged offering the best and newest solution to address the risks associated with APIs. When selecting an API security solution, consider the following:

  • Deploys on-prem or SaaS: It’s important to select a product the company can deploy on-prem or within the cloud. This ensures data, including sensitive data, never leaves the environment, or as a SaaS, the security team can manage multiple clouds and instances from a single portal.
  • Easy API integration with clouds, WAFs, and gateways: The product should connect with existing infrastructure and enhance the security capabilities of other systems in the environment, not compete against them.
  • Avoids agents or sensors: Out-of-band architecture solutions provide deeper visibility and less operational friction than traditional options. Cloud-first and API-led environments often struggle with in-line solutions and agent-based architectures are a legacy way of thinking that introduce more complexity, performance, issues, and risk.

When it comes to securing APIs, a lack of visibility and ownership, and a reliance on legacy solutions prohibits enterprises from closing gaps. Understanding the unique challenges associated with API security and having the right strategies and solutions for addressing API security will help enterprises identify potential vulnerabilities and close security gaps.

Filip Verloy, technical evangelist, EMEA, Noname Security

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.