Not-so-fun fact: most enterprise security teams are constantly playing catch-up when it comes to API security.
Enterprises are tasked with managing thousands of APIs, but many of them are not routed through a proxy like an API gateway or web application firewall (WAF). This means most APIs are not properly monitored, are rarely audited, and therefore exceedingly vulnerable to attacks. Unfortunately, the problem will get worse: Gartner predicts that by 2025, less than 50% of enterprise APIs will be managed as explosive growth in APIs surpasses the capabilities of API management tools.
API security has become more critical than ever. Let’s examine some important reasons behind the proliferation of APIs, plus why so many of them are left unsecured.
Digital transformation has created a wealth of new opportunities, which entails an equally intense demand for new capabilities. Today, line-of-business initiatives are fueled by urgency and commercial objectives versus more traditional IT rollouts. Enterprises have succumbed to the pressure to act fast and seize market opportunities at the expense of potentially negative security outcomes. Developers can spin up new websites and applications at the drop of a hat, bypassing internal controls. In many instances, security teams don’t even have visibility into these projects and are unable to assess the risks until it’s too late.
Meanwhile, budgets have changed as enterprises shift from a centralized IT spend to line-of-business operational expense. Organizations are moving at the speed of light, but budgets haven’t evolved to reflect heightened security risk. Many businesses don’t even know how much budget they should allocate to security.
Additionally, applications are increasingly moved to public and private clouds. This moving of data and workloads creates more complexity, reduces control, and adds third parties into the mix. Enterprises need to put new security practices in place to mitigate these risk factors, but many don’t have the skills, experience, or resources to implement them effectively. Similarly, the move to microservices has caused a dramatic increase in the size of an organization’s attack surface. This environment has become more challenging to secure than monolithic applications because of its highly dynamic nature, coupled with the fact that legacy tools are designed for more static environments.
Finally, the rise of agile development practices means that timelines have shrunk because users and customers expect new features—fast. The adoption of DevOps means more frequent code changes that are outside of the security team’s control. New software gets into the hands of users faster than ever, but who’s managing the risk?
Simply put, security teams weren't prepared to handle all of these changes and their effects on security. Continuous delivery demands continuous security: many enterprises have turned to a continuous security paradigm to maintain security posture while continuing to innovate at a lightning-fast pace. Here are five steps for getting started:
- Foster a culture of continuous security.
Tackling API security isn’t an easy task, it requires leadership to foster a security culture throughout the organization, especially across the software development lifecycle (SDLC). Enterprises can work toward this by decentralizing their security team and ensuring that they take part in all digital rollouts. Organizations might also consider appointing designated “security champions” to continuously reinforce security best practices and hold teams accountable.
- Get a grasp on API security posture.
Most organizations grossly underestimate the vastness of their attack surface. They might assume that the number of APIs they have are equal to the number of applications they have. However, any given application can have many APIs within it, so an organization’s API footprint could be 10 times larger than they think. Enterprises can use an API discovery tool to get a clearer picture of their attack surface. From there, they can determine each API and its owner, and then allocate resources – whether that means more technology or more training – to improve security posture.
- Do remediation right.
If not done right, remediation becomes technically challenging and requires a great deal of time and effort. Thankfully, security teams can automate remediation to offload some of the work for humans. Initially, humans will need to approve new remediation actions before taking them, but once recurring issues have been identified, enterprises can leverage full automation to fast-track remediation and monitor for attacks.
- Consider a shift left approach.
A shift left approach to API security means testing APIs earlier in the development process than traditional models that test closer to the deployment phase. By integrating security and testing into every step of API development, developers can closely monitor security and uncover potential serious vulnerabilities throughout the SDLC. When taking this approach, management should clearly define its goals so that new tools and processes align with the team’s existing development and testing methodologies. Additionally, encourage security teams to adopt the primary interface of the dev team and adjust to the tools, workbenches, and language preferred by developers to keep tool use consistent.
- Keep on testing.
It’s essential to testing on the left side of the SDLC timeline, but “shift right” is equally as important. Organizations must also test in production environments to ensure real-world software stability and performance. They can do this by tracking API consumption and analyzing API traffic metadata. Real-time traffic analysis helps to identify new APIs and alerts organizations to any changes in existing APIs. The analysis process must identify issues in a timely fashion so the team can remediate them ASAP—delays in testing are a no-no, as they give hackers more time to potentially exploit vulnerabilities.
Businesses have to accept the API security threat as real, and it’s time for all organizations to start taking a more proactive approach. By implementing these strategies, enterprises have the best shot at keeping APIs secure without stifling innovation.
Oz Golan, co-founder and CEO, Noname Security
