
API Security: Teamwork makes the dreamwork

This is the third and final article in a series that looks at application security in the API-first era. These articles summarize a 3-part webinar focusing on the adjustments that leading global executives are making to their organizations’ security posture in response to changes brought about by the API-first era.

The first session looked at how security leaders are integrating the broader business perspective of the organization within their security posture. The second dug into the security standards being adopted to secure organizational APIs and how organizations are gaining greater visibility and control by restructuring their application security programs. 

This third and final article summarizes discussions surrounding the challenges confronted by today’s application security leaders. It examines the steps they can take to ensure that their organizations adopt secure API development practices, and how they can become more relevant by doing so. 

AppSec and API security: same same, but different

During the past decade, the use of APIs within development has steadily increased. According to Moshe Zioni, Director of Threat Research for Akamai, we see a 1:8 ratio of API to normal HTTP attacks, disproportionate to the population of APIs. As the use of APIs increases, so do attacks against them. 

In the past year, 60% of security leaders reported that they had slowed down deployment to production (or considered doing so) because of API security concerns.

[Figure: Credential abuse attempts. Source: Akamai's State of the Internet report for 2020]

This raises the issue of inventory control: While many IT specialists may think that they have an accurate mapping of the APIs used in their organization, our experience shows that more often than not, this isn’t the case. APIs are so prevalent within third-party packages, libraries, and testing processes that they often go unnoticed by IT. This poses a serious problem for enforcing security over those APIs: you can’t secure assets you don’t know you have. 

A second issue is that of functionality. By definition, APIs are intended to expose a functionality, enabling first or third party access to data and functionality. This creates a level of complexity that is more prone to vulnerabilities, especially as developer education towards API security is less common than general Web Application security.

These two issues, discoverability and exposed functionality, make APIs especially attractive to attackers, who are motivated to find an organization's APIs before its defenders do and to devise creative ways to reach the data behind them. It is even more troubling when you consider how far the sophistication of API attackers has evolved.

While only a few people knew how to attack APIs 5, 10, or even 15 years ago, today API attacks are standard practice in pen-testing, a sign that cyber defenders are adapting to deal with them. At the same time, the shared body of knowledge about API attack vectors grows by the day, giving attackers an advantage over defenders in this specific war game.

Complexity is here to stay and you need to manage it

APIs are creating a highly complex environment that challenges organizations to identify all of their endpoints. Many enterprises have to deal with hundreds and even thousands of internal and external APIs impacting their applications. With so many teams working independently from each other, the only way to manage it all is to introduce automation. 

According to Laura Heritage, VP Product for API, Microservices, and Mesh Governance at Axway, attacks may come from different directions, as many enterprises use complex API hierarchies: there are system APIs, process APIs, experience APIs, and multiple gateways that all require protection and enforcement.

This complexity challenge will only grow as APIs continue to proliferate. According to Laura, the average organization has over 650 unmanaged APIs, so ways to automate their detection and protection must be leveraged. The average enterprise currently uses three API management platforms and gateways, making it hard for security professionals to gain a full understanding of which endpoints might be vulnerable.

Organizations need to bring all of their disparate APIs into a centralized inventory that enables the identification of possible attack vectors. The only way forward is to adopt automated solutions that embrace this complexity in a way that supports fast, secure scaling.
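One concrete shape this automation can take is a reconciliation job that merges the endpoint lists declared across several gateways into one inventory and compares it against what actually appears in traffic, surfacing unmanaged ("shadow") endpoints and declared endpoints that nobody calls. The script below is an added illustration written for this article, not code from Imvision, Axway, or Akamai; the log format, the three gateway inventories, and every endpoint path in it are constructed for the example.

```python
"""
Shadow-API discovery by reconciling observed traffic against declared inventories.

Added example, not the code of any vendor mentioned in the article. The access-log
format (method, path, status per line), the three gateway inventories, and all
endpoint names are constructed for illustration.
"""
import re
from collections import Counter

# Constructed access-log excerpt: one request per line as "METHOD PATH STATUS".
SAMPLE_LOG = """\
GET /api/v1/users/1234 200
GET /api/v1/users/5678 200
POST /api/v1/orders 201
GET /api/v1/orders/42/items 200
GET /internal/metrics 200
POST /api/v2/export 200
GET /api/v1/users/1234/profile 200
DELETE /api/v1/orders/42 204
"""

# Constructed inventories exported from three hypothetical management platforms.
# Each entry is (method, templated path); "{id}" marks a variable path segment.
DECLARED = {
    "gateway-a": {("GET", "/api/v1/users/{id}"), ("POST", "/api/v1/orders")},
    "gateway-b": {("GET", "/api/v1/orders/{id}/items"), ("DELETE", "/api/v1/orders/{id}")},
    "gateway-c": {("GET", "/api/v1/users/{id}/profile"), ("PUT", "/api/v1/users/{id}")},
}

# A path segment that is purely numeric or a UUID is treated as an identifier,
# so /users/1234 and /users/5678 collapse to the same endpoint /users/{id}.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def normalize(path):
    """Template out identifier segments so distinct resources map to one endpoint."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def observed_endpoints(log_text):
    """Count requests per (method, templated path) across the log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than fail the whole job
        method, path = parts[0].upper(), parts[1].split("?", 1)[0]
        counts[(method, normalize(path))] += 1
    return counts


def reconcile(log_text, declared):
    """Merge all gateway inventories and diff them against observed traffic."""
    observed = observed_endpoints(log_text)
    known = set().union(*declared.values())
    # Endpoints serving traffic that no gateway declares: unmanaged, unprotected.
    unmanaged = {ep: n for ep, n in observed.items() if ep not in known}
    # Endpoints declared somewhere but never seen: candidates for retirement.
    declared_but_unseen = known - set(observed)
    return {
        "observed": observed,
        "unmanaged": unmanaged,
        "declared_but_unseen": declared_but_unseen,
    }


if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG, DECLARED)
    print("Unmanaged endpoints seen in traffic:")
    for (method, path), n in sorted(report["unmanaged"].items()):
        print(f"  {method} {path}  ({n} requests)")
    print("Declared but never called:")
    for method, path in sorted(report["declared_but_unseen"]):
        print(f"  {method} {path}")
```

Run against the constructed sample, the job flags GET /internal/metrics and POST /api/v2/export as endpoints carrying traffic with no owning gateway, and PUT /api/v1/users/{id} as declared but silent. In a real deployment the two inputs would be the merged exports of each management platform and a sample of gateway or load-balancer access logs; the identifier-templating step is what keeps the comparison stable as resource IDs vary.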


*** This is a Security Bloggers Network syndicated blog from Imvision Blog authored by Omer Primor. Read the original post at: https://blog.imvision.ai/api-security-teamwork-makes-the-dreamwork