When looking at API security from the perspective of the individual developer, APIs are a window into the application, and if the application isn't built with security in mind, there will eventually be a price to pay. According to Eoin Fleming, CISO at Leveris, there are three key activities organizations can undertake with their individual developers to increase API security:
Align developer incentives with security. Developers are rewarded for building features and shipping code, not for making that code secure, so organizations should change how developers are incentivized so that secure code counts. Specifically, give management visibility into developers' security efforts and turn developers into security champions. Gifts, prizes, prestige and involvement are all effective incentives that help developers focus more on security in their day-to-day work.
Implement advanced training methodologies that enable a true DevSecOps approach. Most developers see themselves in terms of their specialization. Frontend, backend, full stack, Java, PLC, Kotlin: it doesn't matter which; they usually see security through the lens of that specialization rather than from a broader perspective. The OWASP API Security Top 10 is a good starting point for driving basic knowledge of security threats among developers. It raises general awareness of best practices for securing applications against the better-known classes of vulnerability.
Advanced language-specific training can then be provided to developers working on projects with very high security requirements, such as authentication schemes in Java.
You don't have to train the entire team either. Providing high-level training to 20-30% of the team is usually enough to start seeing a return on the investment. These early security champions can mentor the rest of the team and help cultivate stronger security practices within it. In pair programming, for example, you only have to train one member of each pair. In scaled agile environments, train the cross-functional leads and perhaps one or two team members.
When rolling out the training plan, start where the risk is highest: the teams developing the high-threat, high-risk parts of the application. Begin with the authentication, authorization, access control, data management and data discovery teams. Then move on to the testing teams, because the more they understand about the process, the better it is for the whole team.
Once those teams are trained, bring more teams on board gradually. Be prepared for a lengthy process; it can take up to four years to onboard the entire development organization, but note that the effort becomes effective once around 30% of the team has been trained.
Raise developer security awareness and capabilities up a notch. Getting developers to understand why security matters is essential. Building privacy and security impact assessments into the requirements phase encourages security-by-design and privacy-by-design thinking. During the design phase, examine the tools, models and approaches being chosen and help raise awareness of how to optimize security across them.
Collaboration between dev and sec teams is highly important for better securing applications. In a truly collaborative team effort each side complements the other's work: developers focus on how machines work and how to write software, while security teams can complement that by teaching developers how attackers think. The teams must work together to reach an optimal security posture.
One way to do that is to cultivate an attacker mindset within the dev team. Give developers real hacker tools and turn them into a red team for security testing purposes. By looking at their code from an attacker's perspective, dev teams better understand how attackers find and exploit weaknesses, and can write more secure code in the initial development phases.
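The following is an added example, not code from the original article or from Leveris, of what the two ideas above look like in practice: it takes one item from the OWASP API Security Top 10 mentioned earlier (API1, Broken Object Level Authorization) and writes the attacker-mindset test a developer red team would run against its own endpoint. The in-memory order store, the user names and the handler signatures are all constructed for illustration; the attacker-style probe logs in as one user and walks a range of object ids looking for another user's data, which is exactly how this class of flaw is found in the wild.

```python
"""
Constructed example (not from the original page): an object-level authorization
check (OWASP API Security Top 10, API1 / BOLA), shown as a vulnerable handler,
a hardened handler, and the attacker-style tests a developer red team would
run against both. The data store, users and handler signatures are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float


# Constructed sample data: two users, each owning one order.
ORDERS = {
    1001: Order(1001, "alice", 49.99),
    1002: Order(1002, "bob", 120.00),
}


class NotFound(Exception):
    """Raised for both missing and foreign objects, so the response does not
    reveal which ids exist (a 403 would confirm the id is real)."""


Handler = Callable[[str, int], Order]


def get_order_vulnerable(session_user: str, order_id: int) -> Order:
    """Looks the order up by id only. The authenticated caller's identity is
    never compared with the order's owner, so any logged-in user can read any
    order: the textbook BOLA/IDOR bug."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def get_order(session_user: str, order_id: int) -> Order:
    """Hardened version: the ownership check sits right next to the lookup,
    and a foreign object is reported exactly like a missing one."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise NotFound(order_id)
    return order


def probe_bola(handler: Handler, attacker: str = "alice",
               victim_order_id: int = 1002) -> bool:
    """Attacker-mindset test: authenticate as one user and request an object
    that belongs to someone else. Returns True if the handler leaks it."""
    try:
        order = handler(attacker, victim_order_id)
    except NotFound:
        return False
    return order.owner != attacker


def enumerate_foreign_orders(handler: Handler, attacker: str,
                             id_range: Iterable[int]) -> List[int]:
    """Walks a range of sequential ids the way a real attacker would and
    returns every id that yielded another user's order."""
    leaked = []
    for oid in id_range:
        try:
            order = handler(attacker, oid)
        except NotFound:
            continue
        if order.owner != attacker:
            leaked.append(oid)
    return leaked


def owner_can_read(handler: Handler, user: str = "alice",
                   order_id: int = 1001) -> bool:
    """Regression check: the fix must not break the legitimate path."""
    try:
        return handler(user, order_id).owner == user
    except NotFound:
        return False


if __name__ == "__main__":
    for name, h in (("vulnerable", get_order_vulnerable), ("hardened", get_order)):
        print(f"{name}: single probe leaks={probe_bola(h)}, "
              f"enumeration leaks={enumerate_foreign_orders(h, 'alice', range(1000, 1005))}, "
              f"owner can still read={owner_can_read(h)}")
```

The point of keeping both `probe_bola` and `owner_can_read` in the same file is that a red-team test suite has to prove two things: that the attack path is closed and that the legitimate path still works. A fix that returns 404 for everything would pass the first check and fail the second, which is why the developer running the tools is better placed than an outside tester to write the regression half.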