We can look at APIs as standardized, reusable capabilities. Developers can relatively easily use a set of different APIs to build a mix-and-match, customized unique product that integrates different services from the brand and its partners. APIs are a sort of contract between the brand and the consumer regarding a specific capability.
This powerful combination, an easily implemented, standard, reusable capability, is at the core of API popularity. The modern, connected automobile is a great example: connected vehicles are “API-consuming machines” that rely on APIs for everything from charging infrastructure and infotainment systems to diagnostics and Bluetooth. The vehicle has become an interconnected hub of APIs, a centralized product that incorporates a myriad of different software services delivered via API.
And, unsurprisingly, hackers are all too aware of this.
Cybercrime is a $600B business with 75% of attacks targeting APIs. Why APIs? Because that’s where the data is coming from and attackers follow the data. APIs transfer valuable data about consumers including financial, private, and identifiable information. Attackers are very aware of the profits awaiting them upon a successful API breach that enables access to this data. That’s why API protection is becoming such a big deal.
Most large-scale enterprises boast workforces that reach into the tens of thousands, with dozens and even hundreds of development teams working on different projects. These employees are usually distributed around the world, across different regional offices. But no matter how large they are, or how much security technology they have in place, enterprises must act in unison and strictly apply organizational cybersecurity procedures. The challenge is keeping communication about security practices aligned across the enterprise, so that everyone embraces the best practices that keep it safe.
Ford, for example, has “guardrails” in place that protect the company and ensure that no one flies off the road. However, these guardrails are a last resort; proper use of “street signs” and “lane markers” can keep employees from hitting them. This is why putting the right security tools in place and communicating security standards clearly are essential: done well, the enterprise never needs to rely on the guardrails.
This approach also helps with another challenge: going “off the road” is sometimes how innovation happens, so security practices must allow for it. Compensating controls and deviation processes are two ways to grant policy exceptions that spur innovation. Going off the road in the name of innovation can be very messy, but it is necessary for the health and survival of the enterprise.
Cybersecurity isn’t actually about security, but rather about generating a feeling of shared responsibility that incorporates people, processes, and technology working together to minimize business risks.
Intentional API design refers to the process of building APIs into the product in a way that delivers a reusable capability that can easily be consumed while ensuring that no additional information that isn’t relevant to the capability is exposed. This is a deep process and mindset shift that ultimately delivers greater consistency, control, and visibility.
At Ford, they’ve adopted the API contract as a single source of truth. The API contract is treated as a deal between the brand and the consumer that details the service of the API and commits the brand to ensure it is simple to use and secure. Defining these contracts is critical, as an ill-defined contract can easily result in data breaches. Moreover, well-defined contracts can deliver huge benefits in terms of automated testing.
At Imvision, we use the contract as a shared standard between the consumer, APIs, development, and cybersecurity teams. We check to see that the API meets the conditions laid out in the contract, both in terms of the service provided to the consumer and the security standards implemented.
Creating a seamlessly automated API ecosystem that simplifies security-driven development is critical to transitioning to a security approach suitable for the API-first era.
API automation drives a better understanding of the API inventory. This lets enterprises find defects earlier, before APIs are published. Using the API contract, enterprises can promote a shift-left policy that mandates greater cybersecurity focus during the development phase: static analysis based on the API contract verifies that the API was developed according to the expected best practices before it is published.
Even when development and testing follow best practices, some vulnerabilities always get through. Shield right enables enterprises to detect and respond quickly to any attempt to breach them.
Enterprises must adopt both a shift-left and a shield-right cybersecurity posture to secure their APIs.
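The contract-as-single-source-of-truth idea above can be made concrete with two small checks: a static lint of the contract that runs before publication (shift left), and a conformance check that compares a live response against the fields the contract declares, flagging anything the capability never promised to expose (shield right). The code below is an added illustration and is not Ford's or Imvision's tooling; the OpenAPI-like contract, the endpoint paths and the sample response are all constructed for the example.

```python
"""Contract-conformance checks for an API described by an OpenAPI-style
document. Constructed example: the contract and sample responses below are
made up for illustration and do not describe any real Ford or Imvision API."""

from typing import Any

# Constructed contract: a minimal OpenAPI-like subset, just enough for the checks.
CONTRACT: dict[str, Any] = {
    "paths": {
        "/vehicles/{vin}/charge": {
            "get": {
                "security": [{"bearerAuth": []}],
                "responses": {
                    "200": {
                        "schema": {
                            "type": "object",
                            "additionalProperties": False,
                            "properties": {
                                "vin": {"type": "string"},
                                "battery_pct": {"type": "integer"},
                                "charging": {"type": "boolean"},
                            },
                        }
                    }
                },
            }
        },
        "/vehicles/{vin}/owner": {
            "get": {
                # No "security" entry: the static check should catch this.
                "responses": {
                    "200": {
                        "schema": {
                            "type": "object",
                            # additionalProperties not set to False, so the schema
                            # does not forbid extra fields; the linter flags it.
                            "properties": {"name": {"type": "string"}},
                        }
                    }
                },
            }
        },
    }
}


def lint_contract(contract: dict[str, Any]) -> list[str]:
    """Static shift-left check run on the contract before anything is published.
    Returns human-readable findings; an empty list means the contract passes."""
    findings: list[str] = []
    for path, ops in contract.get("paths", {}).items():
        for method, op in ops.items():
            if not op.get("security"):
                findings.append(f"{method.upper()} {path}: no security requirement declared")
            for status, resp in op.get("responses", {}).items():
                schema = resp.get("schema", {})
                if schema.get("type") == "object" and schema.get("additionalProperties") is not False:
                    findings.append(
                        f"{method.upper()} {path} {status}: response schema allows undeclared fields"
                    )
    return findings


def undeclared_fields(contract: dict[str, Any], path: str, method: str,
                      status: int, payload: dict[str, Any]) -> list[str]:
    """Runtime shield-right check: which top-level fields in an observed response
    are not declared in the contract? Anything returned here is data the
    capability never promised to expose and should be treated as a defect."""
    schema = contract["paths"][path][method]["responses"][str(status)]["schema"]
    declared = set(schema.get("properties", {}))
    return sorted(set(payload) - declared)


if __name__ == "__main__":
    for finding in lint_contract(CONTRACT):
        print("contract finding:", finding)
    # Constructed response: the service returns two fields the contract never declared.
    observed = {"vin": "VIN-EXAMPLE-000", "battery_pct": 80, "charging": True,
                "owner_email": "owner@example.com", "home_address": "1 Example St"}
    print("undeclared:", undeclared_fields(CONTRACT, "/vehicles/{vin}/charge", "get", 200, observed))
```

In a pipeline, `lint_contract` would run in CI against the committed contract and block publication on any finding, while `undeclared_fields` would run against responses captured from test or production traffic, so over-exposure is reported as a concrete diff against the contract rather than discovered after a breach.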
You can also take advantage of your cybersecurity community. Coordinated vulnerability disclosure and bug bounty programs are two great ways to do just that. These steps galvanize the security researchers who make up your community to put their combined experience at your disposal.