This article was originally published on Cyber Protection Magazine
To deliver the seamless experience today’s customers expect, modern enterprises have become proficient API machines. APIs help businesses innovate faster, break into new markets, stay ahead of the competition, grow, and monetize their assets. 80% of enterprises are already publishing public APIs, offering diverse functionalities to clients and partners alike.
But like all good things, the API world is not a bed of roses. While the gains might outweigh the costs, there are certainly risks and costs. APIs are increasingly becoming critical business enablers, but at the same time introduce a growing complexity for enterprises. If they’re not properly secured, your APIs may be allowing unwanted access to the data and functionality they expose.
APIs are designed to expose functionality and data, and data is exactly what hackers want. Hence, APIs are subject to highly targeted attacks. Traditional application security solutions are ineffective against API abuse, making it more difficult for security leaders to understand exposure and manage risk.
What can companies do to close this gap and secure their APIs, as well as the rest of their digital assets?
API adoption is uncontrolled, widespread, and leaves many enterprise security teams facing a slew of APIs from various teams, uses, and platforms. Every new API increases the complexity of the application stack.
APIs are more than just data connectors. They shift the application’s functionality, moving much of the business logic from the backend to the frontend. Sophisticated attackers exploit business logic vulnerabilities as they learn the functionalities. Legacy application security solutions aren’t ready for this complexity.
Enterprise security leaders face three main challenges:
With these factors acting together, it becomes more difficult to see and control everything, work effectively with developers, stay on top of changes, and maintain a robust security posture. But perhaps the most important first step is that of ownership over API security.
Most enterprises today handle API security with centralized integration teams. As these teams commonly operate the API Management platform, it stands to reason that API security rests on their shoulders.
However, research shows that security leaders believe that they should be in charge of API security, alongside the API team.
This suggests collaboration is the best way forward: On the one hand, the experience from traditional areas of security (e.g. network and application) can be leveraged in an API security program; on the other, the nature of APIs presents unique challenges best understood by the API team.
With the rapid pace of development and the growing attack surface, application security in the API-first era requires a different approach. Security teams need to find new strategies to collaborate more effectively with developers, see and control everything in one place, and maintain a consistent security posture over time:
Collaboration – Aligning your security, development, and operations teams, helping security wield greater influence by speaking the developer’s language.
Centralization – Prioritizing and managing risks effectively depends on knowing exactly what you have and where your vulnerabilities lie.
Consistency – Automating for speed and accuracy at scale to eliminate bottlenecks, making sure every team has what they need to keep up.
To achieve greater collaboration, centralization and consistency, API security can’t be viewed in isolation. Protecting APIs during runtime isn’t enough, and testing APIs during design isn’t enough. Each would give a fragmented perspective that risks both high false positives and false negatives, and most importantly – won’t enable security and development teams to be on the same page and share the responsibility.
By embedding dedicated security controls across the different stages of the API lifecycle, enterprise security teams can take charge of their API security, and cultivate a secure API development culture. In turn, this approach would create a partnership over the responsibility between security and development, elevating security from a bottleneck to a key business enabler.