
This article is the second in a three-part series focused on application security in the API-first era. The articles summarize a three-part executive series in which leading global security and technology executives discussed how their organizations are adjusting their security practices for the API-first era. 

The first article in the series highlighted the business perspective and the importance of integrating the broader business context within the security strategy. This article moves on to the organizational perspective, focusing on best practices for introducing new application security standards to secure APIs. It also discusses how appsec programs should be restructured to enable greater visibility and control.  

The article is based on the insights shared by Darren Shelcusky, Manager Vehicle and Mobility Cybersecurity at Ford. The lessons learned, however, reach well beyond the automotive industry: today every company is a technology company, and the lessons here apply to enterprises in almost every vertical in the global market. 

Modern enterprises face significant challenges when it comes to establishing new organizational processes, in light of the expanded cybersecurity landscape of the API-first era. While these challenges may be impossible to solve completely, enterprises must strive to overcome them -- or at least get a handle on them -- to the greatest extent possible. 

Software is eating the world, APIs are eating software, and attackers are eating APIs 

New levels of connectivity have expanded the customer experience beyond the product itself. Customer experience now extends to the software features that are streamed into the product post-purchase, both by the brand and by 3rd party partners. Consumers' expectations regarding the ability to integrate different software from different devices into a product have become the norm. 

Many products now leverage APIs as a gateway to delivering new software -- features, capabilities, and upgrades -- into the product itself. This software can provide anything from weather and traffic updates to security enhancements and 3rd party games.  

This new reality means that brands are contending with new issues like software supply chains, SDKs, and open-source software. Brands must therefore rethink their security approach around an open perimeter that enables interaction with external actors, and the products they deliver to consumers must accommodate augmented features and services delivered via APIs. 

We can look at APIs as standardized, reusable capabilities. Developers can relatively easily use a set of different APIs to build a mix-and-match, customized unique product that integrates different services from the brand and its partners. APIs are a sort of contract between the brand and the consumer regarding a specific capability. 

This powerful combination -- an easily implemented, standard reusable capability -- is at the core of API popularity. The modern, connected automobile is a great example: Connected vehicles are “API-consuming machines” that leverage APIs for everything from charging infrastructure and infotainment systems to diagnostics, Bluetooth, and more. The vehicle has become an interconnected hub of APIs, a centralized product that incorporates a myriad of different software services delivered via API.  

And, unsurprisingly, hackers are all too aware of this. 

Cybercrime is a $600B business with 75% of attacks targeting APIs. Why APIs? Because that’s where the data is coming from and attackers follow the data. APIs transfer valuable data about consumers including financial, private, and identifiable information. Attackers are very aware of the profits awaiting them upon a successful API breach that enables access to this data. That’s why API protection is becoming such a big deal. 

1. Continually aligning communications

Most large-scale enterprises boast workforces that reach into the tens of thousands with dozens and even hundreds of development teams working on different projects. These employees are usually distributed around the world, across different regional offices. But no matter how large they are, or how much technology they have in place when it comes to security, enterprises must act in unison and strictly apply organizational procedures regarding cybersecurity. The challenge is ensuring that communication concerning security practices is aligned across the enterprise, ensuring that everyone embraces best practices that keep the enterprise safe. 

Ford, for example, has “guardrails” in place that protect the company, ensuring that no one flies off the road. However, these guardrails are a last resort; proper use of “street signs” and “lane markers” keeps employees from ever hitting the guardrails. This is why having the right security tools in place, and well-communicated security standards, is essential to ensuring that enterprises never need to rely on the guardrails. 

This approach also proves helpful when facing another challenge: sometimes teams need to go “off the road” to drive innovation, and security practices must allow for it. Compensating controls and deviation processes are two ways to grant policy exceptions that help spur innovation. Going off the road in the name of innovation can be very messy, but it is necessary for the health and survival of the enterprise.

Cybersecurity isn’t actually about security, but rather about generating a feeling of shared responsibility that incorporates people, processes, and technology working together to minimize business risks. 

2. Intentional API design

Intentional API design refers to the process of building APIs into the product in a way that delivers a reusable capability that can easily be consumed while ensuring that no additional information that isn’t relevant to the capability is exposed. This is a deep process and mindset shift that ultimately delivers greater consistency, control, and visibility.  

At Ford, they’ve adopted the API contract as a single source of truth. The API contract is treated as a deal between the brand and the consumer that details the service of the API and commits the brand to ensure it is simple to use and secure. Defining these contracts is critical, as an ill-defined contract can easily result in data breaches. Moreover, well-defined contracts can deliver huge benefits in terms of automated testing. 

At Imvision, we use the contract as a shared standard between the consumer, APIs, development, and cybersecurity teams. We check to see that the API meets the conditions laid out in the contract, both in terms of the service provided to the consumer and the security standards implemented. 
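The following is an added example of what "checking that the API meets the conditions laid out in the contract" can look like at runtime; it is not Imvision's or Ford's code. It assumes a hypothetical vehicle-status capability whose contract fragment is written in OpenAPI/JSON-Schema style, and it treats any field the contract never promised as a violation, which is exactly the "no additional information exposed" requirement of intentional design. The contract fragment and the sample responses are constructed for illustration.

```python
"""Check a live API response against its contract schema.

Added example, not Imvision's or Ford's code. The contract fragment and the
sample responses below are constructed for illustration.
"""

# Constructed contract fragment, OpenAPI/JSON-Schema style: the only fields
# the hypothetical "vehicle status" capability is allowed to return.
CONTRACT_SCHEMA = {
    "type": "object",
    "required": ["vin", "odometer_km", "battery_pct"],
    "additionalProperties": False,
    "properties": {
        "vin": {"type": "string"},
        "odometer_km": {"type": "integer"},
        "battery_pct": {"type": "integer"},
        "location": {
            "type": "object",
            "required": ["lat", "lon"],
            "additionalProperties": False,
            "properties": {"lat": {"type": "number"}, "lon": {"type": "number"}},
        },
    },
}


def _type_ok(value, expected):
    """Map JSON Schema primitive types onto Python types (bool is never an integer here)."""
    if isinstance(value, bool):
        return expected == "boolean"
    if expected == "integer":
        return isinstance(value, int)
    if expected == "number":
        return isinstance(value, (int, float))
    python_types = {"string": str, "object": dict, "array": list, "boolean": bool, "null": type(None)}
    return isinstance(value, python_types[expected])


def check_response(schema, payload, path="$"):
    """Return a list of contract violations for payload; an empty list means conformant."""
    expected = schema.get("type", "object")
    if not _type_ok(payload, expected):
        return [f"{path}: expected {expected}, got {type(payload).__name__}"]
    violations = []
    if expected == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in payload:
                violations.append(f"{path}.{name}: required field missing")
        for name, value in payload.items():
            if name in props:
                violations.extend(check_response(props[name], value, f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                # Excessive data exposure: the response carries a field the contract never promised.
                violations.append(f"{path}.{name}: undocumented field exposed")
    elif expected == "array" and "items" in schema:
        for i, item in enumerate(payload):
            violations.extend(check_response(schema["items"], item, f"{path}[{i}]"))
    return violations


# Constructed sample responses.
CONFORMANT = {"vin": "TESTVN00000000001", "odometer_km": 12000, "battery_pct": 81}
LEAKY = {
    "vin": "TESTVN00000000001",
    "odometer_km": 12000,
    "battery_pct": 81,
    "owner_email": "alice@example.com",  # not in the contract
    "location": {"lat": 42.3, "lon": -83.0, "home_address": "1 Main St"},  # nested leak
}
MALFORMED = {"vin": 12345, "battery_pct": "81"}  # wrong types, odometer_km missing

if __name__ == "__main__":
    for label, payload in [("conformant", CONFORMANT), ("leaky", LEAKY), ("malformed", MALFORMED)]:
        print(label, check_response(CONTRACT_SCHEMA, payload) or "OK")
```

Run against recorded traffic or in a test suite, the check turns the contract into an executable test: a conformant response yields no violations, while the leaky response reports both `owner_email` and the nested `location.home_address`, fields a developer may have added for convenience without anyone updating the contract.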

3. A seamless automated API ecosystem

Creating a seamlessly automated API ecosystem that simplifies security-driven development is critical to transitioning to a security approach suitable for the API-first era. 

  • First off, discovery is required to fully understand how the organization is currently using APIs. How many are there? What are they being used for? Who is using them? 
  • The next step is ensuring smooth access management to guarantee that users can sign up and start accessing an API within 5 minutes or less. 
  • Streamlined API publishing is essential in a global operation where regulations and time differences can complicate matters. For example, some privacy and data-residency laws require that data stays within the geo where it was generated. At Ford, for instance, they created an API to publish APIs, so that developers don’t have to deal with all the complexity. This empowers the publishing of geo-specific APIs, and enables key metrics and observability platforms that show how each API is performing. Automation is key to this transition. 
  • Last but not least, make sure you have access to meaningful API metrics. This enables you to better understand and act upon your risks. Know how your APIs are being used, how many you have, quality scores, call volumes, and trends.
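As an added example of the discovery and metrics steps above (not Ford's or Imvision's tooling), the script below builds an API inventory from gateway access logs: it collapses record ids into path templates so calls group by capability, counts call volume, error rate, distinct consumers and calls with no identified client per endpoint, and flags endpoints that appear in traffic but not in the published catalog. The log lines, client ids, paths and the catalog are all constructed for illustration; real gateways log different field names.

```python
"""Build an API inventory from gateway access logs and flag shadow APIs.

Added example, not Ford's or Imvision's tooling. The log lines, client ids,
paths and the published catalog are all constructed for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed: the APIs the organization believes it has published.
PUBLISHED = {
    ("GET", "/v1/vehicles/{id}/status"),
    ("POST", "/v1/vehicles/{id}/commands"),
}

# Constructed gateway log (JSON lines). A missing client_id means the call
# reached the backend without an identified consumer.
RAW_LOG = """
{"ts": "2024-03-01T10:00:01Z", "method": "GET", "path": "/v1/vehicles/12345/status", "status": 200, "client_id": "app-ios"}
{"ts": "2024-03-01T10:00:02Z", "method": "GET", "path": "/v1/vehicles/67890/status?fields=all", "status": 200, "client_id": "app-android"}
{"ts": "2024-03-01T10:00:03Z", "method": "POST", "path": "/v1/vehicles/12345/commands", "status": 202, "client_id": "app-ios"}
{"ts": "2024-03-01T10:00:04Z", "method": "GET", "path": "/v1/internal/debug/users", "status": 200}
{"ts": "2024-03-01T10:00:05Z", "method": "GET", "path": "/v1/vehicles/12345/status", "status": 200, "client_id": "app-ios"}
{"ts": "2024-03-01T10:00:06Z", "method": "GET", "path": "/v1/vehicles/99999/status", "status": 403, "client_id": "partner-x"}
"""

# Path segments that are identifiers rather than resource names: integers, UUIDs, 17-char VINs.
_ID_SEGMENT = re.compile(
    r"^(?:\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[A-HJ-NPR-Z0-9]{17})$",
    re.IGNORECASE,
)


def normalize_path(path):
    """Collapse concrete ids to {id} so calls group by capability, not by record."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if _ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def build_inventory(raw_log):
    """Return {(method, template): {"calls", "errors", "unauthenticated", "clients"}}."""
    inventory = defaultdict(lambda: {"calls": 0, "errors": 0, "unauthenticated": 0, "clients": set()})
    for line in raw_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        entry = inventory[(rec["method"].upper(), normalize_path(rec["path"]))]
        entry["calls"] += 1
        if rec["status"] >= 400:
            entry["errors"] += 1
        if rec.get("client_id"):
            entry["clients"].add(rec["client_id"])
        else:
            entry["unauthenticated"] += 1
    return dict(inventory)


def find_shadow_apis(inventory, published):
    """Endpoints seen in traffic but absent from the published catalog."""
    return sorted(key for key in inventory if key not in published)


def metrics_report(inventory):
    """Per-endpoint metrics, busiest first: call volume, error rate, consumer count."""
    rows = []
    for (method, path), e in inventory.items():
        rows.append({
            "endpoint": f"{method} {path}",
            "calls": e["calls"],
            "error_rate": round(e["errors"] / e["calls"], 3),
            "consumers": len(e["clients"]),
            "unauthenticated": e["unauthenticated"],
        })
    return sorted(rows, key=lambda r: r["calls"], reverse=True)


if __name__ == "__main__":
    inv = build_inventory(RAW_LOG)
    for row in metrics_report(inv):
        print(row)
    print("shadow APIs:", find_shadow_apis(inv, PUBLISHED))
```

On the constructed log the report shows the status endpoint as the busiest, with three consumers and one 403, and surfaces `GET /v1/internal/debug/users` as an unpublished endpoint that was reached with no identified client, which is the kind of finding discovery exists to produce. Trend analysis follows naturally by running the same aggregation per day and comparing the rows.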

4. Address the Full Lifecycle: Shift-left and Shield right

API automation drives a better understanding of the API inventory. This enables enterprises to find defects earlier before APIs are published. Using the API contract, enterprises can promote a shift left policy that mandates greater cybersecurity focus during the development phase. Enterprises use static analysis based on the API contract to ensure that the API was developed according to expected best practices before it’s published. 
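The following is an added example of a pre-publish static check driven by the API contract; it is not Ford's or Imvision's analysis tool, and the rules and the sample contract are constructed for illustration. It reads an OpenAPI 3 style document and fails the gate on the defects a security reviewer would look for first: operations that opt out of authentication, path parameters with no schema (and therefore no input constraint), request bodies that accept undeclared properties, and success responses with no schema at all.

```python
"""Static pre-publish lint of an API contract (OpenAPI 3 subset).

Added example, not Ford's or Imvision's tooling; the rules and the sample
contract are constructed for illustration.
"""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed OpenAPI-style contract with deliberate defects in two operations.
SAMPLE_CONTRACT = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # default: every operation needs a token
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/v1/vehicles/{id}/status": {
            "get": {
                "parameters": [{"name": "id", "in": "path", "required": True,
                                "schema": {"type": "string", "pattern": "^[A-HJ-NPR-Z0-9]{17}$"}}],
                "responses": {"200": {"content": {"application/json": {"schema": {
                    "type": "object", "additionalProperties": False,
                    "properties": {"vin": {"type": "string"}, "battery_pct": {"type": "integer"}}}}}}},
            }
        },
        "/v1/internal/debug/users": {
            "get": {
                "security": [],  # defect: opts out of the global authentication requirement
                "responses": {"200": {"description": "ok"}},  # defect: no response schema
            }
        },
        "/v1/vehicles/{id}/commands": {
            "post": {
                "parameters": [{"name": "id", "in": "path", "required": True}],  # defect: unconstrained id
                "requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}},  # defect: open object
                "responses": {"202": {"content": {"application/json": {"schema": {
                    "type": "object", "additionalProperties": False,
                    "properties": {"accepted": {"type": "boolean"}}}}}}},
            }
        },
    },
}


def lint_contract(spec):
    """Return a list of (severity, operation, message) findings; an empty list passes the gate."""
    findings = []
    global_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            opname = f"{method.upper()} {path}"
            # Operation-level security overrides the global default; an empty list means none.
            if not op.get("security", global_security):
                findings.append(("high", opname, "no security requirement; operation is unauthenticated"))
            for param in shared_params + op.get("parameters", []):
                if "schema" not in param and "content" not in param:
                    findings.append(("medium", opname, f"parameter '{param.get('name')}' has no schema"))
            body = op.get("requestBody", {}).get("content", {}).get("application/json", {}).get("schema")
            if body is not None and body.get("type") == "object" and body.get("additionalProperties", True) is not False:
                findings.append(("medium", opname, "request body accepts undeclared properties (mass assignment risk)"))
            for code, resp in op.get("responses", {}).items():
                if not str(code).startswith("2"):
                    continue
                schemas = [m.get("schema") for m in resp.get("content", {}).values()]
                if not schemas or any(s is None for s in schemas):
                    findings.append(("medium", opname, f"response {code} has no schema; exposed fields are undefined"))
                for s in schemas:
                    if s and s.get("type") == "object" and s.get("additionalProperties", True) is not False:
                        findings.append(("low", opname, f"response {code} object schema allows undeclared properties"))
    return findings


if __name__ == "__main__":
    for severity, operation, message in lint_contract(SAMPLE_CONTRACT):
        print(f"[{severity}] {operation}: {message}")
```

Wired into the publishing pipeline, a non-empty result blocks the publish; on the constructed contract the well-formed status endpoint passes, while the debug endpoint and the commands endpoint each produce two findings. Because the rules read only the contract, they run before a single line of backend code is deployed.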

Even if development and testing are done according to best practices, some vulnerabilities always get through. Shield right means protecting the API at runtime, so that enterprises can detect and respond quickly to any attempt to breach them. 

Enterprises must adopt both a shift left and shield right cybersecurity posture to secure their APIs.

You can also take advantage of your cybersecurity community. Coordinated vulnerability disclosure and bug bounty programs are two great ways to do just that. These steps galvanize the security researchers that make up your community to put their combined experience at your disposal.
