For as long as developers have designed applications, there’s been an API involved in some form. What started as XML-RPC, and later SOAP, evolved into RESTful and GraphQL APIs. As application environments expanded and the volume of APIs multiplied over the years, attackers began using vulnerable or misconfigured APIs as a pathway to an organization’s infrastructure and critical data.
For many CISOs, gaining visibility into their API landscape and how the API is utilized is an organizational priority for 2023. To do so effectively requires embedding security of APIs into the development lifecycle. However, this is not always a seamless or efficient process.
Many API security offerings depend on other systems to provide logs. That entails direct integration with various modalities—such as API gateways, load balancers, or network aggregators—through either facilitation of log consumption or traffic mirroring. However, this design philosophy is problematic in practice, as figuring out where and how to integrate to get full visibility of all APIs—especially shadow APIs—is a challenge for organizations. That’s why an API security solution that can directly integrate at the choke point of all traffic is necessary to capture both application and API data.
If you’re looking for an API security provider this year, ask these three questions to ensure the solution can be deployed quickly and seamlessly with the ability to scale across heterogeneous environments to provide full visibility.
- Does the product require code changes? If code changes are required in a continuous integration and continuous delivery (CI/CD) lifecycle, they introduce complexity that can slow down development projects. Such code changes can also lead to issues in production, as they may not scale across the application stack or give the security team the visibility needed to monitor enterprise API transactions.
- How is the product deployed? Effective API security controls can be implemented without any dependencies on DevOps. The goal is to achieve frictionless deployment that delivers automatic API discovery and classification so security controls can be applied to protect against anomalous activities. This approach provides developers visibility into their API landscape, as well as options for additional code analysis during CI/CD processes.
- Is protection delivered in real time? There should be no dependencies to protect exposed APIs in real time. Queuing jobs or offering near-real-time protection through yet another integration with other edge solutions is simply inadequate because it does not scale. Therefore, when an API security partner suggests that their solution will reduce your mean time to remediation, ask for clarity. Protection should be provided in real time, on par with your application protection framework.
Rethinking The Design Approach To Secure APIs
Achieving visibility into API endpoints through discovery and classification should follow the same design philosophy as your application security strategy. Begin with any internet-exposed APIs. This should be done by creating a seamless integration point at the edge of a network and application stack to provide sufficient protection from bad actors.
Next, expand your security strategy to include internal APIs. If you have a modern application stack built on a service mesh (a dedicated infrastructure layer that handles communication between services or microservices), the integration will be seamless. It can be set up through the proxy built into the service mesh, such as Envoy in Kubernetes.
Why is the integration strategy for API Security so complex, especially when APIs are part of the application delivery stack? The process usually involves integration with various layers of the network and different API gateways, which is a lot of effort to enable API discovery.
When developing an integration and operations strategy to secure your enterprise APIs, three things need to be done:
- Prioritize Internet exposed APIs: APIs that are exposed to the internet present the biggest attack surface for an enterprise. It’s imperative that a solution inspect traffic before it reaches an application, providing visibility and enforcing security rules in real-time. Proxy-based solutions simplify integration without creating downtime for an application. What’s more, if your data is already encrypted in transit, traffic mirroring will not provide visibility into API activities. It’s why a proxy-based approach is ideal. It avoids the need to mirror traffic, which can create additional risks by unknowingly exposing sensitive data.
- Integrate directly with the application stack: If you’re unable to deploy proxy-based solutions at the edge, or if your use case extends into internal APIs, you can still use an integration strategy that is not dependent on disparate modalities. An approach that does depend on them doesn’t scale to provide visibility into the full landscape of all your APIs; integrating through an API gateway is an example of this limitation. To monitor your APIs effectively, it should be possible to integrate at the service-mesh layer, or directly on legacy servers through microsensors. With a service mesh you can leverage the built-in proxy, such as Envoy, to capture your API traffic efficiently without changing the code of the underlying application.
- Think holistically: There’s a common misconception that a Web Application Firewall (WAF) isn’t necessary to secure APIs, even though the majority of API risks are inherently based on application vulnerabilities. Organizations should implement a holistic approach with an API security solution that is natively built on top of a WAF. This approach is the foundation of the Web Application and API Protection (WAAP) platform, which protects critical applications and APIs in real time without dependencies or reliance on external systems. A WAAP proxy-based approach allows you to mitigate risks to your most vulnerable internet-exposed APIs by applying security controls in transit and in real time. Meanwhile, the addition of microsensors deployed within the application stack delivers a complete view of all APIs (internal and external). This eliminates the stress of attempting to integrate security through API gateways, which by design do not provide visibility beyond the traffic that is explicitly sent through them. Consequently, API gateways cannot provide an aggregate view of all API behavior, which creates gaps in visibility. Therefore, think holistically about the application stack when developing your strategy for API protection.
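The two mechanisms the list above relies on, inspecting traffic at a choke point before it reaches the application and deriving an API inventory (discovery and classification) from that same traffic, can be shown in a few dozen lines. The following is an added example written for this article, not Imperva's product code or anything the author describes in detail: a WSGI middleware that wraps a hypothetical upstream application, collapses identifier path segments into endpoint templates, labels data classes seen in request and response bodies, and applies a per-endpoint rule inline. The upstream app, the policy, the data-class patterns and the sample traffic are all constructed for the example.

```python
"""Inline API discovery, classification and enforcement as WSGI middleware (added example)."""
import json
import re
from collections import defaultdict
from io import BytesIO

# Identifier-looking segments (integers, UUIDs) are collapsed into a template so that
# /users/42 and /users/77 are discovered as one endpoint, /users/{id}.
_ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)
# Constructed data-class patterns; a real deployment would use a richer classifier.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def normalize_path(path):
    """Map a concrete request path onto its endpoint template."""
    parts = ["{id}" if _ID_SEGMENT.match(p) else p for p in path.split("/") if p]
    return "/" + "/".join(parts)


def classify_payload(text):
    """Return the set of data-class labels observed in a request or response body."""
    labels = set()
    if _EMAIL.search(text):
        labels.add("email")
    if _CARD.search(text):
        labels.add("card_number")
    return labels


class ApiInspector:
    """Sits in front of the app: every request and response passes through it."""

    def __init__(self, app, policy):
        self.app = app
        self.policy = policy  # endpoint template -> {"auth_required": bool}
        self.inventory = defaultdict(
            lambda: {"methods": set(), "data_classes": set(), "hits": 0, "blocked": 0})

    def __call__(self, environ, start_response):
        method = environ["REQUEST_METHOD"]
        endpoint = normalize_path(environ.get("PATH_INFO", "/"))
        entry = self.inventory[endpoint]          # discovery: first hit creates the entry
        entry["methods"].add(method)
        entry["hits"] += 1

        # Read the request body once for classification, then hand the app a fresh stream.
        raw = environ["wsgi.input"].read()
        environ["wsgi.input"] = BytesIO(raw)
        entry["data_classes"] |= classify_payload(raw.decode("utf-8", "replace"))

        # Enforcement happens here, before the application ever sees the request.
        rule = self.policy.get(endpoint, {})
        if rule.get("auth_required") and not environ.get("HTTP_AUTHORIZATION"):
            entry["blocked"] += 1
            start_response("401 Unauthorized", [("Content-Type", "application/json")])
            return [b'{"error": "authentication required"}']

        chunks = list(self.app(environ, start_response))
        entry["data_classes"] |= classify_payload(b"".join(chunks).decode("utf-8", "replace"))
        return chunks


def upstream_app(environ, start_response):
    """Stand-in for the protected application (constructed for this example)."""
    path, method = environ["PATH_INFO"], environ["REQUEST_METHOD"]
    if path.startswith("/users/"):
        payload = {"id": path.rsplit("/", 1)[1], "email": "alice@example.com"}
    elif path == "/payments" and method == "POST":
        payload = {"status": "accepted"}
    else:
        payload = {"status": "ok"}
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(payload).encode()]


def make_environ(method, path, body=b"", auth=None):
    """Build a minimal WSGI environ for a constructed request."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.input": BytesIO(body)}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    return environ


def run_sample_traffic():
    """Drive constructed requests through the inspector; returns (inspector, statuses)."""
    inspector = ApiInspector(upstream_app, policy={"/users/{id}": {"auth_required": True}})
    statuses = []

    def start_response(status, headers, exc_info=None):
        statuses.append(status)

    traffic = [
        ("GET", "/health", b"", None),
        ("GET", "/users/42", b"", None),                       # unauthenticated: blocked inline
        ("GET", "/users/77", b"", "Bearer sample-token"),      # authenticated: passes
        ("POST", "/payments", b'{"card": "4111 1111 1111 1111"}', "Bearer sample-token"),
    ]
    for method, path, body, auth in traffic:
        list(inspector(make_environ(method, path, body, auth), start_response))
    return inspector, statuses


if __name__ == "__main__":
    inspector, statuses = run_sample_traffic()
    for endpoint, entry in sorted(inspector.inventory.items()):
        print(endpoint, sorted(entry["methods"]), sorted(entry["data_classes"]),
              "hits=%d blocked=%d" % (entry["hits"], entry["blocked"]))
    print(statuses)
```

Because the middleware is the only path into the application, the inventory is built from every request, including endpoints nobody documented, and the unauthenticated request to `/users/{id}` is refused without the application being involved. The same placement argument applies to the edge proxy and the service-mesh sidecar described above; what changes is only where the inspection point sits. The data-class patterns here are deliberately simple and will produce false positives on any 13 to 16 digit number, which is the usual reason production classifiers validate checksums and context rather than matching digits alone.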
While APIs are a necessary component of application development, they expose organizations to complex security risks that many are not prepared to address. Today, one in every 13 cyber incidents can be attributed to API insecurity, finds a study conducted by the Marsh McLennan Cyber Risk Analytics Center. Even more concerning, API insecurity results in annual losses of 41 – 75 billion USD globally. Because APIs are connected directly to the data layer, data exfiltration through a vulnerable API is a considerable risk that developers and security teams need to be worried about.
Many businesses will default to using an API gateway solution to try to protect their APIs, but this approach is far from a silver bullet for mitigating security risks. Gateways are great for delivery and access management, but they are not designed to stop sophisticated attacks.
When API security services are built into the application security framework, API endpoints can be rapidly protected through a unified application security solution. A WAAP platform can holistically provide that kind of protection from vulnerabilities in applications and APIs.
Securing APIs should not require yet another point-solution in your security stack. By investing in a unified approach that seamlessly integrates throughout the API lifecycle, you gain efficiency and become more effective at stopping sophisticated attacks targeting your APIs.
By Luke Barbinde, Principal Architect, Imperva