API Security in the fast lane
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Today, an important measure for success in the tech sector is time to market. The speed at which you can launch your product and any new features can make a huge difference in meeting growing customer expectations, breaking new ground in an existing market, and standing out against your competitors.
For many organizations, this speed to market is accelerated by employing APIs that rapidly share critical data between systems, enable business operations and reduce the need to reinvent the wheel. As such, APIs have become a strategic technology for businesses that want to keep moving forward, and quickly. In fact, according to research from Salt Security, “26% of businesses use at least twice as many APIs now as a year ago.”
However, APIs can quickly lose their strategic value if they’re not protected properly. This is because today’s APIs expose more sensitive data than ever before, making them a highly valuable target for attack. Businesses that want to leverage the speed that comes from using APIs need to also invest the time and effort required to minimize the security risk they pose. Here’s a look into how.
What makes API security different?
So, what is API security? The Open Web Application Security Project (OWASP) defines it as strategies and solutions focused on mitigating the unique vulnerabilities and security risks of APIs. Sounds easy enough, right?
The thing to remember is that API security differs from other security initiatives. With so many different APIs emerging on the scene every day, each with its own set of logic paths, it’s almost impossible to have a ubiquitous approach to securing every one. Plus, most of the security tools that companies tend to have in place — from web application firewalls and API gateways to identity and access management (IAM) tools — weren’t designed to prevent attacks on APIs.
This is because APIs offer unique security challenges:
- The landscape is always changing, and staying up to date with new and changing APIs is an insurmountable task.
- APIs are often subject to low-and-slow attacks that differ from traditional one-and-done mechanisms in that attackers spend time to evaluate the API and identify business logic gaps they can take advantage of.
- Common DevOps security tactics like “shifting left” don’t really apply to API security as they can’t uncover all the vulnerabilities rooted in API business logic gaps.
In addition to that, APIs can be exploited through a number of threat vectors (ten categories, according to the OWASP API Security Top 10) that could expose sensitive information. These include potential issues around authorization, authentication, data management, misconfigurations, monitoring, and more.
What does this mean for businesses focused on growth?
For organizations prioritizing rapid growth, there are ways to incorporate API security without severely compromising on speed and efficiency.
For starters, businesses should avoid leaving security as an afterthought. Force-fitting security functions into your API strategy after the fact can all but guarantee that you’ll slow down your launch and leave more vulnerabilities exposed than you address.
That said, take your time to determine what proactive API security looks like for you. We referenced shift-left tactics above. This approach has been at the center of many DevSecOps discussions, encouraging developers to build security into every part of the product development cycle. And while that’s a sound strategy, it’s important to note that a) it takes time to build out a robust DevOps model and b) API security can’t just happen at the development stage. As such, it might be worth investing in an API security platform that can help cover as many of your bases as possible.
Choose the right leaders
Whether you’re a small and agile team launching its first product, or a large organization releasing features every quarter, you need to have someone (or multiple someones) responsible for API security.
Yes, everyone on your team should contribute to making API security a priority, but having someone who’s directly accountable can help the function feel like less of a burden and more of a key component of any project. Find the people who are knowledgeable in this area (they won’t just be in your dev team), choose one or more API leaders who can drive cross-functional collaboration across all groups, and give them the time and space to stay up to date on best practices.
Implement best practices
For any business prioritizing growth, speed is important — and enabling that speed comes down to establishing a strong foundation of best practices.
At a high level, the constant change of APIs requires a continuous feedback loop between engineering and security to keep teams in sync and enable continuous security improvement. Security teams need to have an accurate understanding of the attack surface, and developers must be able to eliminate gaps identified at runtime to ensure that attackers cannot exploit these potential vulnerabilities in the future. Meanwhile, runtime insights should also provide valuable feedback to developers to aid in the remediation of these vulnerabilities.
This continuous improvement doesn’t require a full DevSecOps program, but it does require strong collaboration between security and engineering teams, as well as leveraging security tools that can easily integrate with existing workflows.
Here are some of the best practices that can help improve an API security posture and facilitate rapid (and secure) growth.
On the development and testing side:
- Promote secure API design and development, and encourage secure coding and configuration practices for building and integrating APIs
- Reduce exposure of sensitive data
- Conduct design reviews that include business logic
- Document your APIs to facilitate design reviews, security testing, and protection
- Maintain an accurate API inventory so that security teams can get a realistic view of the attack surface
- Do security testing on a regular basis
And for production:
- Turn on logging and monitoring, and use telemetry data as a baseline for normal behavior to identify outlier events
- Mediate your APIs with tools like API gateways to improve visibility and security
- Create a plan for identifying changes to an API — automated platforms can compare documentation against runtime behavior to identify these gaps
- Choose the right network security tools
- Continuously authenticate and authorize access
- Deploy runtime protection
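Two of the production items above, the telemetry baseline for outlier events and the documentation-versus-runtime comparison, can be illustrated with a small script. This is an added example, not code from the post or from any API security platform; the API inventory, the gateway log lines and the `k` tuning factor are all constructed for the example.

```python
# Added example, not code from the post or from Salt Security. It runs two of the production
# checks over constructed gateway log lines: calls matching no documented (method, path
# template) pair (documentation vs runtime drift) and clients whose request count is an outlier.
from collections import Counter
from statistics import mean, pstdev

DOCUMENTED = {("GET", "/v1/users/{id}"), ("POST", "/v1/orders"), ("GET", "/v1/orders/{id}")}

ACCESS_LOG = [  # constructed lines: client method path status
    "10.0.0.5 GET /v1/users/42 200",
    "10.0.0.7 POST /v1/orders 201",
    "10.0.0.9 GET /v1/users/43 200",
    "10.0.0.9 GET /v1/users/44 200",
    "10.0.0.9 GET /v1/users/45 200",
    "10.0.0.9 DELETE /v1/users/45 204",
    "10.0.0.9 GET /v1/admin/export?all=1 200",
    "10.0.0.9 GET /v1/users/46 200",
    "10.0.0.9 GET /v1/users/47 200",
    "10.0.0.5 GET /v1/orders/7 200",
]

def parse(line):
    """Split one log line; the query string is not part of the route identity."""
    client, method, path, status = line.split()
    return client, method, path.split("?", 1)[0], int(status)

def matches(template, path):
    """Segment-wise match: a {param} segment accepts any single non-empty segment."""
    t_parts, p_parts = template.strip("/").split("/"), path.strip("/").split("/")
    return len(t_parts) == len(p_parts) and all(
        (t.startswith("{") and t.endswith("}") and p) or t == p
        for t, p in zip(t_parts, p_parts))

def undocumented_calls(log_lines, documented=DOCUMENTED):
    """(method, path) pairs seen at runtime that match no documented template."""
    seen = set()
    for line in log_lines:
        _, method, path, _ = parse(line)
        if not any(m == method and matches(t, path) for m, t in documented):
            seen.add((method, path))
    return sorted(seen)

def outlier_clients(log_lines, k=1.0):
    """Clients whose request count exceeds mean + k * stdev of all clients' counts.
    k is an assumed tuning knob; a real baseline comes from a longer window of logs."""
    counts = Counter(parse(line)[0] for line in log_lines)
    if len(counts) < 2:
        return []
    threshold = mean(counts.values()) + k * pstdev(counts.values())
    return sorted(client for client, n in counts.items() if n > threshold)
```

On the constructed log the drift check reports the DELETE on a user resource (documented only for GET) and the undocumented export route, while the baseline check singles out the one client producing most of the traffic.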
API security and growth, no longer at odds
Moving quickly as a business should never mean having to compromise on your security posture. By incorporating API security into your overarching strategy, you can set a strong foundation that allows your business to stand out in the market with a product that’s equal parts effective and secure.