API Security Requires Everyone’s Support

If you leave cybersecurity responsibilities only to the security team, your organization is setting itself up for a major cybersecurity incident. Security teams are already battling conditions that leave them ripe for burnout. But when non-security staff isn’t held responsible for keeping up with even the most minor security steps, it opens the door for threat actors to waltz through. And that is especially evident when it comes to API security.

“[A]s software applications grow in complexity, so does the surface area for security vulnerabilities,” Randy Gibson wrote in a Security Boulevard article last year. “Security teams are already spread thin, and they can’t keep track of a threat landscape that covers hundreds of devices and a remote workforce without missing something.”

It’s time to bring in reinforcements, and that means bringing non-security staff on board as advocates for API security.

Why API Security Matters

The internet today is API oriented, explained Daniel Garcia, an API security researcher with 42Crunch and a panelist at RSA, but too many organizations simply don’t know how many APIs they have deployed. APIs are also difficult to audit and to test for security, and traditional security tools aren’t designed to address the unique needs of proper API security. Because DevOps teams are focused on getting applications out the door as quickly as possible, security continues to be an afterthought.

An organization’s kneejerk reaction might be to make sure those building APIs are security trained, but that’s not a fair—or, really, an achievable—expectation. They are hired as developers, not security experts, so it is necessary for IT and security teams to create a baseline of knowledge. After that, it is up to the security team to build a partnership with non-security employees so each side is working to their strengths without putting productivity—or the organization—at risk.

Advocacy from the Security Team

DevOps teams are busy. So are C-suite executives—and so is everybody else, for that matter. They don’t have time to pay attention to security—or at least they won’t if no one is advocating for building security into their processes and regular duties. It’s not easy to convince them about the importance of security, but it can be done, said Tanya Janca, CEO and founder of We Hack Purple, and an RSA speaker. This advocacy requires showing empathy for their deadlines and the stack of work piling up on their desks.

If you show an interest in and empathy toward them, Janca said, they’ll be more willing to listen to the security side. Offering to work together as a team, and showing workers how to find vulnerabilities or how to spot malicious code that could make its way into an application, goes a long way toward improving API security. Just like the adage “you can’t fix what you can’t see,” you also can’t fix a problem you don’t know exists. Security isn’t the focus of those building applications; someone needs to patiently show them the ropes. Once they see themselves as partners in API security, they will become better advocates for the security team.

Janca also recommended building relationships across departments. Security team members have their own singular roles and can’t do everything. But if there is a point person on each project or in each department, someone who can be taught some basics like how to check for bugs or use the tools, it goes a long way toward decreasing security risks before the application goes live.

Convincing Non-Security Teams Why Security Matters

People within the same organization are supposed to be on the same corporate team. But when your job is to focus on security, it sometimes seems like you and your co-workers are in competition, unless the incentive model is the same on both sides, said Rick Ramgattie, principal application security engineer at Gemini Trust Company and an RSA panelist. When incentives diverge, you are effectively on competing teams, and you can’t get things done if other team members see your role as a waste of time, he said.

It comes down to education and recurring training to bring non-security employees on as teammates rather than competitors.

“If you are trying to do AppSec and you’re not trying to advocate for a positive security culture,” said Janca, “it’s really hard to get AppSec done well.”

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She’s been writing about cybersecurity and technology trends since 2008.