Sharing is caring: A path for security teams to exercise greater influence

As part of Imvision’s mission to help enterprises mature their secure API development culture, we’re pleased to present the first of a 3-part executive series focusing on how organizations can take charge of their API lifecycle. 

This topic has been broken down into 3 parts that cover the key aspects for security leaders looking to gain better control over their API security posture: Collaboration, Centralization, and Consistency. 

This article summarizes the first session on Collaboration, focusing on how security teams can enhance their influence by partnering and collaborating with Product and R&D teams. We were honored to host distinguished panelists including Sandy Carielli, Principal Analyst at Forrester, and Peter Gerdenitsch, Group CISO at Raiffeisen Bank International. 

The current state of application security

Malicious actors continue to use applications to breach organizations. According to a recent Forrester survey of organizations that were breached last year, software vulnerability exploits were the number #1 attack vector (35%), while web application exploits was the third most common attack vector (32%). Unsurprisingly, organizations have realized this is the case and are prioritizing application security over the next year, with the clear understanding that nowadays application security begins at the API level. 

Source: Forrester Analytics Business Technographics Security Survey, 2021

Until recently, application security revolved around the protection of large, monolithic systems that organizations knew how to control, knew who was responsible for them and knew what to do with them. While there were still challenges in securing these systems, at least organizations knew where they were and what they were dealing with. 

With the dawn of the API era, we’ve lost some of that control, as APIs are much more distributed than applications were. Sandy related that she’s met with numerous customers that have seemingly lost control of their systems. They couldn’t tell her how many APIs they had, where they were or even what data they transmitted. With the ever increasing prevalence of API usage in the modern enterprise, organizations are challenged to manage a highly dynamic environment while ensuring its security. 

With the huge value they provide, it’s clear that APIs will be a mainstay for years to come. This means that the solution isn’t to shut them down, but rather to increase an organization’s control and visibility over them. Organizations must understand the context, scale and spread of their APIs so that they can implement the right controls to secure them. 

API Security: Same same, but (very) different

APIs are becoming extremely attractive targets for attackers. From poorly designed access control, to an organization’s inability to manage its data, to sophisticated business logic abuses – there are plenty of ways to breach improperly secured APIs and get the underlying data. 

For example, both Peloton and Echelon offer amazing customer experiences through API video components that enable seamless customer interaction. However, both have experienced customer data breaches due to leaky APIs in their products. Clubhouse also reported the leak of a huge amount of customer data and records caused by the malicious scrapping of publicly available APIs. 

And they are not alone. According to Sandy, “not a week goes by where I don’t hear about some sort of API-related breach. That’s the context that we’re working in. That’s the threat that we’re seeing. All of these APIs that are going into various critical apps, customer facing apps, dealing in customer data, dealing in critical data, if we are not securing the APIs, this data is leaking.” 

What can be done? It’s all about better collaboration!

Security and development must work together to secure APIs. According to Forrester Analytics Business Technographics Developer Survey, 2021, 43% of organizations already have DevSecOPs, with another 22% want to but can’t because of limitations. This tells us that these dev organizations understand the importance of collaboration and want to streamline it and make it more efficient. 

Through a tight collaboration, organizations will be able to understand where their APIs are, who manages them and what data they transmit. The only way to achieve this is to make it easy for dev teams to meet their goals, to make sure that they can automate and integrate in a way that keeps their productivity sky high. 

A key question that developers ask about the tools that they work with on a daily basis is whether or not they will help them achieve their primary goal: time to market. Developers are measured by how quickly they can get a high-quality version of their product into their customers’ hands, and they prioritize those tools and processes that help speed up the development cycle – basically DevOps tools and practices. 

This is an opportunity for security professionals. If they can introduce security tools that fit snugly in the DevOps environment and mindset, then it’s possible to organically integrate security in the development process. And one of the best ways to do this is to implement security champions within the dev team.  

Security champions are basically regular dev team members who’ve been trained in basic application, or API, security principles. While their job is still focused on development, part of it now also includes representing security in the dev function. Security champions make sure that security questions are raised early in the development cycle and are fully aligned with the security team so that they can help them deal with complex issues as they come up. 

This approach not only strengthens cross-functional communication, it also spreads responsibility for security across the teams while improving the credibility of the security team throughout the organization.  

Best practices for creating a security champions program

Based on Forrester’s research, the most important first step for your security champions program is to secure executive buy-in. It might seem better to try it out first and see if it has value, but a better approach would be to sell it internally and get funding early on so that it can be considered a formal and official program over time – one that can be measured and improved. 

Another key step in the process is choosing your champions. Finding the right champions within the dev team is a challenging task, and Sandy has seen quite a few mistakes on that front. For example, a problematic approach would be to ask the dev team manager to find someone for you. They’d usually choose an individual who has just finished a project and has some time on their hands. It is then common for that individual to go through the training course without any interest or enthusiasm, and in most cases, the whole thing flops. 

Self-selection, or volunteering, has proven to be effective time and time again. Sandy recommends holding a few events with the entire dev team around security. In those events, the basics of security are discussed, including ethical hacking and demonstrations that show how APIs or applications can be breached. Usually, there are some individuals in those events who become highly engaged with these concepts and often ask to be more involved with the security process. Those are your security champions.

There’s no getting around the fact that APIs are incredibly important to the modern development process, so security must support dev even if that means some degree of control is lost. As we continue to shift left and implement security in the early stages of the development cycle, our ability to do just that increases. By bringing security concerns to the table in development, security champions help us bridge the gap between security and development.

*** This is a Security Bloggers Network syndicated blog from Imvision Blog authored by Omer Primor. Read the original post at: https://blog.imvision.ai/sharing-is-caring-a-path-for-security-teams-to-exercise-greater-influence