This article was originally published on Cyber Protection Magazine
To deliver the seamless experience today’s customers expect, modern enterprises have become proficient API machines. APIs help businesses innovate faster, break into new markets, stay ahead of the competition, grow, and monetize their assets. 80% of enterprises are already publishing public APIs, offering diverse functionalities to clients and partners alike.
But like all good things, the API world is not a bed of roses. While the gains may outweigh them, there are certainly risks and costs. APIs are increasingly becoming critical business enablers, but at the same time they introduce growing complexity for enterprises. If they’re not properly secured, your APIs may be allowing unwanted access to the data and functionality they expose.
APIs are supposed to expose functionality and data, which is exactly what hackers want: data. Hence, APIs are subject to highly targeted attacks. Traditional application security solutions are ineffective against API abuse, making it more difficult for security leaders to understand exposure and manage risk.
What can companies do to close this gap and secure their APIs, as well as the rest of their digital assets?
Simple to use, complex to secure
API adoption is uncontrolled, widespread, and leaves many enterprise security teams facing a slew of APIs from various teams, uses, and platforms. Every new API increases the complexity of the application stack.
APIs are more than just data connectors. They shift the application’s functionality, moving much of the business logic from the backend to the frontend. Sophisticated attackers exploit business logic vulnerabilities as they learn the functionalities. Legacy application security solutions aren’t ready for this complexity.
Enterprise security leaders face three main challenges:
- Knowing what you have and why it exists – One rogue API or flawed function can result in API abuse and a data breach. As development teams work on APIs across different platforms, it is much harder to maintain a full inventory of your endpoints. Complete API visibility also requires knowing which APIs expose sensitive data and understanding how APIs interact and how they are consumed.
- Controlling vulnerabilities and aligning security priorities – An enterprise API layer can have hundreds or even thousands of known vulnerabilities at the same time. Detecting, managing and prioritizing vulnerabilities across platforms, and generating clear requirements for remediation, are significant challenges for security teams, who need to collaborate closely with developers to mitigate risk.
- Detection coverage gap around business logic vulnerabilities – Traditional tools analyze traffic metadata to find known threats, but API threats are often caused by authorized users making legitimate calls that attempt to manipulate the application’s logic. Finding such functional attacks can be nearly impossible, as they mimic regular behavior, and requires deep monitoring capabilities.
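As an added example (not code from the original post or from Imvision), the following Python detector runs over constructed API access log lines to show why metadata-only checks miss the business-logic abuse described in the third challenge: every request is authenticated and returns 200, so an error-rate rule sees nothing, while a per-user behavioural rule that counts distinct object IDs touched in one resource inside a sliding window flags the enumerating client. The log format, user names, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not from the original post). Every request is
# authenticated and returns 200, so each call looks legitimate on its own.
SAMPLE_LOG = """\
2024-05-01T10:00:00 user=alice GET /api/v1/orders/1001 200
2024-05-01T10:00:09 user=bob GET /api/v1/orders/2001 200
2024-05-01T10:00:30 user=bob GET /api/v1/orders/2002 200
2024-05-01T10:01:00 user=mallory GET /api/v1/orders/3001 200
2024-05-01T10:01:01 user=mallory GET /api/v1/orders/3002 200
2024-05-01T10:01:02 user=mallory GET /api/v1/orders/3003 200
2024-05-01T10:01:03 user=mallory GET /api/v1/orders/3004 200
2024-05-01T10:01:04 user=mallory GET /api/v1/orders/3005 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def metadata_alerts(log_text, error_ratio=0.5):
    """Traditional view: flag users whose traffic is mostly 4xx/5xx errors."""
    totals, errors = defaultdict(int), defaultdict(int)
    for rec in parse(log_text):
        totals[rec["user"]] += 1
        errors[rec["user"]] += int(rec["status"]) >= 400
    return sorted(u for u in totals if errors[u] / totals[u] > error_ratio)

def behavioural_alerts(log_text, window_s=60, max_distinct=4):
    """Business-logic view: flag users touching more distinct object IDs of one resource in a window than a normal client would."""
    seen = defaultdict(list)  # (user, collection) -> [(ts, object_id), ...]
    flagged = set()
    for rec in parse(log_text):
        collection, _, object_id = rec["path"].rpartition("/")
        hist = seen[(rec["user"], collection)]
        hist.append((rec["ts"], object_id))
        cutoff = rec["ts"] - timedelta(seconds=window_s)
        hist[:] = [h for h in hist if h[0] >= cutoff]  # keep only the sliding window
        if len({oid for _, oid in hist}) > max_distinct:
            flagged.add(rec["user"])
    return sorted(flagged)
```

The thresholds are where the "deep monitoring" lives: the right window and distinct-ID limit depend on how each API is legitimately consumed, which is why inventory and consumption context feed directly into detection.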
There’s a challenge of responsibility
With these factors acting together, it becomes more difficult to see and control everything, work effectively with developers, stay on top of changes, and maintain a robust security posture. But perhaps the most important first step is that of ownership over API security.
Most enterprises today handle API security with centralized integration teams. As these teams commonly operate the API Management platform, it stands to reason that API security rests on their shoulders.
However, research shows that security leaders believe that they should be in charge of API security, alongside the API team.
This suggests collaboration is the best way forward: On the one hand, the experience from traditional areas of security (e.g. network and application) can be leveraged in an API security program; on the other, the nature of APIs presents unique challenges best understood by the API team.
With the rapid pace of development and the growing attack surface, application security in the API-first era requires a different approach. Security teams need to find new strategies to collaborate more effectively with developers, see and control everything in one place, and maintain a consistent security posture over time:
- Collaboration – Aligning your security, development, and operations teams, helping security wield greater influence by speaking the developer’s language.
- Centralization – Prioritizing and managing risks effectively depends on knowing exactly what you have and where your vulnerabilities lie.
- Consistency – Automating for speed and accuracy at scale to eliminate bottlenecks, making sure every team has what they need to keep up.
To achieve greater collaboration, centralization and consistency, API security can’t be viewed in isolation. Protecting APIs during runtime isn’t enough, and testing APIs during design isn’t enough. Each would give a fragmented perspective that risks both high false positives and false negatives, and most importantly – won’t enable security and development teams to be on the same page and share the responsibility.
By embedding dedicated security controls across the different stages of the API lifecycle, enterprise security teams can take charge of their API security, and cultivate a secure API development culture. In turn, this approach would create a partnership over the responsibility between security and development, elevating security from a bottleneck to a key business enabler.
*** This is a Security Bloggers Network syndicated blog from Imvision Blog authored by Omer Primor. Read the original post at: https://blog.imvision.ai/taking-charge-of-the-api-security-lifecycle