Sanjay Nagaraj
In today’s world, application programming interfaces (APIs) — the connective communication tissue between applications — are everywhere. Everyday consumer electronics, from cars to TVs, are busy talking to servers and to each other, enabled through APIs. Mission-critical enterprise applications have moved to the cloud, built on microservices architectures that communicate through APIs in order to work together in tandem, delivering critical services to users. Today’s digital economy is built on a foundation of APIs that enable critical communications, making it possible to deliver a richer set of services faster to users.
Unfortunately, today’s security solutions focus on an outmoded way of thinking. Most current organizations deploy security solutions and practices that revolve around network security, intrusion detection and mitigating application vulnerabilities.
However, for modern API-driven applications that have become the de-facto deployment model for applications that operate in the cloud, these traditional security practices simply do not scale to meet the challenges of today’s organizations.
Due to the incredible complexity of APIs, as well as the breadth and depth of their deployment across organizations, security and IT teams need to tackle this problem in a structured process that takes into account API application security best practices and procedures that constantly evaluate an organization’s APIs, the level of their security posture and their ability to automate remediated security actions when they are attacked.
The following are some of the best practices that organizations can take in order to ensure their APIs are protected and secure — enabling them to ensure that their APIs continue to operate as a mission-critical business driver that’s unobstructed from malicious misuse.
Stakeholders: Identify key stakeholders that have a vested interest in the organization’s APIs.
One of the most critical processes in protecting an organization’s APIs is to identify individual stakeholders within the organizations that are responsible for deploying and securing APIs. Often, the driver for deploying an API is a business one, the monetization of an API.
In many cases, an API has been developed internally, and there has been a realization that these APIs — if published — can provide a way to generate revenue or enable a third-party business partnership. In the agile development environment, what often escapes this process is making the official security and IT teams aware of this process. If repeated many times, it can lead to multiple APIs that are published and exposed without any proper security protections, endangering the entire organization to a sensitive data breach.
Assessment: Perform a constant assessment of the state of the organization’s APIs.
In order to start the process of securing an organization’s APIs, the security and development teams need to sit down and assess the scope and state of the application’s APIs and their ongoing risk-posture. API-driven applications are developed in rapid CI/CD pipelines, often without security as a key release consideration. Complicating matters, modern applications software is often composed of stitching together open-source software (OSS), third-party APIs and in-house developed code, increasing the complexity of managing and remediating vulnerabilities as application code is pushed into production.
As a result, development teams need to identify and assess at each stage of the software development life cycle (SDLC) pipeline the number and state of vulnerabilities that are present. Shift-left programs that identify and surface critical vulnerabilities, pinpoint sensitive data exposure and highlight sudden risk-posture changes can lay the groundwork for development teams to remediate these issues in pre-production long before they become critical security issues in runtime, helping to reduce the attack exposure.
Policy: Establish security policies that align with corporate interests.
Security and IT teams need to establish foundational API security policies that align with the overall corporate security policies. Depending on the vertical, these corporate security policies will change depending on the overall business drivers, compliance mandates and size of the organization.
In a modern organization, security needs to move at the speed of the business, aligning itself with the management team’s long-term goals of competing in the marketplace. If corporate security policies are too restrictive or impair the ability to deliver features that can drive revenue, it can serve as an impediment to corporate goals. Putting corporate security goals on paper is a good way to ensure that the entire organization understands the plan to align corporate security with the needs of the business.
Automate: Automate to scale the organization’s response to external cyber threats.
Due to a lack of qualified security professionals, the size of the organization and the scope of external cyberthreats that target organizations, organizations need to operationalize their internal processes, tools and procedures to provide an integrated end-to-end threat protection system. These systems should be able to inventory all assets, understand how they change over time and enable threat protection that can understand these changes and adapt to new emerging threats as they come. Most importantly, they need to establish predetermined playbooks to automate the response to cyberattacks as they unfold. In order to implement scalable cybersecurity protection, the response by security teams can’t be done ad-hoc; figuring out how to respond from scratch doesn’t scale.
Conclusion
In order to get started, organizations need to get their key stakeholders together and create an action plan that encompasses the key requirements that incorporate both security and business drivers for their organization. The stakeholders should be from key departments such as security, development and operations who will all have inputs on how to craft the proper plan to protect the organization’s APIs. Getting buy-in early on from each group can help facilitate the implementation of an API security plan, ensuring that groups will not object when they first become aware of API security plans. Documenting requirements can ensure that everyone in the organization has a reference point in a single unified document that enables them to coordinate cross-functionally as an API security plan is rolled out.
Sanjay Nagaraj is Co-Founder and CTO of API security company Traceable. This blog was originally posted on Forbes.com on Jan. 7, 2022.
