Your DevOps Process Needs to Integrate API Security

If your organization relies on the cloud, you also rely on APIs.

“Whatever the project of the day (application modernization, monolith to microservice digital transformation, multi-cloud service mesh enablement, to name a few), APIs have become the backbone of modern application architectures and the digital supply chains organizations rely on,” said Nick Rago, field CTO at Salt Security, in an email interview. “As a result, DevOps has become flooded with APIs flowing through the software development and deployment pipeline, forcing organizations to revisit and modernize their current DevOps models.”

But research from Techstrong Research found that nearly four in 10 organizations don’t plan to pursue an API security strategy in 2022, only one-fifth plan to look at it in 2023 and approximately a quarter of respondents said their API security maturity isn’t a priority.

The Techstrong study also found that fewer than half of respondents' DevSecOps processes prioritized API security, even though APIs play a critical role in DevOps: the two together advance an organization's digital transformation and application development. If API security is left out of the DevOps process, the organization lacks the visibility needed to know where protection is required and exposes itself to greater risk.

The Role of APIs in DevOps

“In DevOps, APIs help teams gain greater oversight, management, integration and exposure of application functionality,” according to an Akana blog post. They make it easier for the DevOps team to integrate applications by moving them from a decentralized DevOps process to a centralized managed layer.

A single vulnerable API, however, can hand threat actors a wide-open attack vector, and poor API security invites scrutiny of the organization's entire security posture. Stronger API security practices tell the DevOps team which resources and services need protection and where vulnerabilities are likely to lie.

“The top priority for our customers and prospects is scaling API security across engineering and security teams through developer-enablement,” said Scott Gerlach, co-founder and CSO at StackHawk, via email. “Leading organizations are shifting developers to be first-line remediation for security issues. These organizations are rethinking their tooling, processes, and culture to enable developers to fix vulnerabilities as they check in code.”

Securing the API Life Cycle

API security requires a big-picture approach. Security should be embedded across the API’s entire life cycle, from development through retirement.

“DevSecOps leads to an inherent change in buying and tooling decisions across development teams, with engineering teams playing a more significant role in purchasing security software,” said Gerlach. “Baking security into the API life cycle requires tools that fit into the existing developer workflow, and are friendly for all users.”

To create embedded security, organizations should consider shifting budgets into development organizations and empowering them to create evaluation criteria, lead purchase decisions and sign purchase orders.

Integrating Into the DevOps Process

The paradox with API security is the need for the DevOps team to get the application out as quickly as possible while making sure they address API security vulnerabilities. For many organizations, the API security journey starts with securing a runtime safety net for what is already in production and exposed, Rago explained. “Knowing and inventorying what APIs are out there, the classification of data passed through them, their security posture and understanding contextually and behaviorally how they are used over time to detect nefarious API usage is critical.”

Rago recommended introducing API security-specific checks during the API life cycle as the best way to integrate API security into the DevOps process. The checks that should be introduced, according to Rago, are:

• Planning: Adopting a spec-first development process (with OAS/Swagger) and the ability to validate that an API is designed properly and meets security guidelines and governance in the pipeline before a line of code is even written
• Testing: Introduction of deep contextual API security posture validation and testing into the testing phases to flush out application logic flaws and many of the OWASP API Top 10 vulnerabilities that cannot be flushed out with traditional security scanning methodologies
• Deployment: Continuous API discovery to ensure proper inventorying of the API, its structure, classification of data it handles and ensure ongoing compliance with documented API specification (drift management)
• Monitoring: Leverage a cloud-scale contextual runtime protection technology to detect and prevent nefarious API usage and zero-day attacks, while providing proactive security testing and constant feedback back into the life cycle

When API security checks are built into the pipeline and run automatically on every pull request, developers can fix vulnerabilities before code reaches production, the same way they would handle any other failed test. Involving development teams in security evaluation early on is what improves API security across the organization's DevOps process.
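As an added illustration of two of the checks listed above (spec-first governance at planning time and drift management at deployment time), the script below is example code written for this article, not a product or tool from Salt Security, StackHawk or any vendor quoted here. It lints a constructed OpenAPI 3 document for governance violations (operations without an authentication requirement, references to undefined security schemes, non-TLS servers) and then compares constructed gateway log entries against the spec to surface undocumented "shadow" endpoints. The spec, the traffic, and the `PUBLIC_ALLOWLIST` of endpoints approved to be unauthenticated are all assumptions made for the example.

```python
"""Example pull-request gate for spec-first API security (illustrative, not a vendor tool).

  1. lint_spec: governance rules applied to an OpenAPI 3 document before any code exists.
  2. detect_drift: compare observed runtime traffic with the spec to find shadow endpoints.

The spec and the log entries below are constructed for this example.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed OpenAPI 3 document with deliberate problems for the linter to find.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [
        {"url": "https://api.example.test/v1"},
        {"url": "http://api.example.test/v1"},   # plaintext server, should be flagged
    ],
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/health": {"get": {"security": []}},                       # public by design
        "/users/{id}": {
            "get": {"security": [{"bearer": []}]},
            "delete": {},                                            # no auth declared at all
        },
        "/admin/export": {"post": {"security": [{"apiKey": []}]}},  # scheme never defined
    },
}

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "options", "head", "trace")
# Assumed governance decision: only these operations may be unauthenticated.
PUBLIC_ALLOWLIST = {("get", "/health")}


def lint_spec(spec: Dict) -> List[str]:
    """Return governance findings for an OpenAPI dict; an empty list means the spec passes."""
    findings: List[str] = []
    for server in spec.get("servers", []):
        if not server.get("url", "").lower().startswith("https://"):
            findings.append(f"server {server.get('url')!r} is not HTTPS")
    schemes = spec.get("components", {}).get("securitySchemes", {})
    global_sec = spec.get("security")  # document-level default, may be absent
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            sec = op.get("security", global_sec)
            if not sec:  # None (nothing inherited) or [] (explicitly public)
                if (method, path) not in PUBLIC_ALLOWLIST:
                    findings.append(f"{method.upper()} {path} has no authentication requirement")
                continue
            for requirement in sec:
                for name in requirement:
                    if name not in schemes:
                        findings.append(
                            f"{method.upper()} {path} references undefined security scheme {name!r}"
                        )
    return findings


def _template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn '/users/{id}' into a regex matching one concrete path segment per parameter."""
    parts = re.split(r"(\{[^/}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def detect_drift(spec: Dict, observed: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Classify observed (method, path) pairs: undocumented 'shadow' vs documented-but-unexercised."""
    documented, matchers = set(), []
    for path, item in spec.get("paths", {}).items():
        pattern = _template_to_regex(path)
        for method in item:
            if method in HTTP_METHODS:
                documented.add((method.upper(), path))
                matchers.append((method.upper(), path, pattern))
    seen, shadow = set(), set()
    for method, raw_path in observed:
        m = method.upper()
        path_only = raw_path.split("?", 1)[0]  # ignore the query string when matching
        hit = next((tpl for meth, tpl, pat in matchers if meth == m and pat.match(path_only)), None)
        if hit is None:
            shadow.add(f"{m} {path_only}")
        else:
            seen.add((m, hit))
    return {
        "shadow": sorted(shadow),
        "unexercised": sorted(f"{m} {p}" for m, p in documented - seen),
    }


# Constructed gateway access-log entries (method, path).
SAMPLE_TRAFFIC = [
    ("GET", "/health"),
    ("GET", "/users/42"),
    ("DELETE", "/users/42"),
    ("GET", "/users/42/tokens"),      # not in the spec: shadow endpoint
    ("POST", "/internal/debug?x=1"),  # not in the spec: shadow endpoint
]


def gate(spec: Dict, traffic: List[Tuple[str, str]]) -> bool:
    """True when the PR may merge: no lint findings and no shadow endpoints."""
    return not lint_spec(spec) and not detect_drift(spec, traffic)["shadow"]


if __name__ == "__main__":
    for finding in lint_spec(SAMPLE_SPEC):
        print("LINT:", finding)
    for kind, items in detect_drift(SAMPLE_SPEC, SAMPLE_TRAFFIC).items():
        for item in items:
            print(f"DRIFT ({kind}):", item)
    sys.exit(0 if gate(SAMPLE_SPEC, SAMPLE_TRAFFIC) else 1)
```

Run on the constructed input, the gate fails: the linter reports the plaintext server, the unauthenticated `DELETE /users/{id}` and the undefined `apiKey` scheme, and the drift check reports `GET /users/42/tokens` and `POST /internal/debug` as endpoints nobody documented. The "unexercised" list (`POST /admin/export`) is informational: an operation the spec promises but the tests never hit is a gap in coverage, not a security finding on its own.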


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
