Subscribe to the Salt blog to learn about the latest developments in API Security

Blog Post

4 Ways Today’s CISOs Must Address API Security

Jennifer Dignum
Mar 10, 2022

At our recent API Security Summit — the industry’s first summit dedicated entirely to API security — we had the opportunity to chat with six senior security executives about their approaches to protecting these vital assets. APIs are essential to innovation and delivering new services, but APIs have also become the number one attack vector for applications today. We wanted to understand how CISOs are managing the risk.

Our panel included:

David Biesack — Apiture

Jack Hart — City National Bank

Tom Salmon — bp Launchpad

Jeff Serota — Ally Bank

Nir Valtman — formerly at Finastra

Tyler Warren — Prologis

Each of them shared their experiences in implementing and managing API security within their organizations. We’ve highlighted four of the key takeaways from the session below and also invite you to listen to the entire session.

Building the right culture matters

We’re not trying to break builds. We’re trying to build relationships.

The panelists agreed that making the corporate culture more “security aware” was one of the most challenging, yet most important, aspects of the API security journey. Moreover, the onus must be on the security team to build and maintain a good relationship across all areas of the organization. A model built on strong cross-functional collaboration makes it easier to achieve security’s objectives.

Security must explain why API security requirements matter to the company and how they help reduce business risks. Security leaders also need to clearly spell out those risks. According to panelists, this aspect can be a struggle and particular situations, such as breaking builds, can be sensitive. But a security-driven approach is vital to reflect the seriousness that a company applies to its API program and its potential impact on the business.

To meet its security requirements, the security team also has an obligation to deliver the fit-for-purpose tools that help empower others to meet those objectives. Rather than saying, “No, you can’t do that,” security needs to provide the answers and solutions to do things in a better way that reduces risk.

While CISOs need a centralized way to secure API traffic, they also need to instill a cross-functional security mindset for program success.

APIs touch all areas of the business

“We use APIs right now for everything from partner interactions to customer interactions to building our code. Our AWS environment is completely Terraform, so we use APIs to control that. APIs are core to everything we do.” — Jeff Serota, Ally Bank

By definition, APIs touch practically everyone in an organization, from infrastructure to networking to business development to customer experience. APIs are also owned by different teams. Engineering owns a portion; product owns a portion, and so on.

On top of that, within one organization, there can be multiple types of APIs, such as:  

  • Business-to-consumer (B2C)
  • Business-to-business (B2B)
  • Business-to-employee (B2E)

Attacks across these different types of APIs vary, and security teams have to validate the security measures within each of those channels differently.

Regulator interest has also increased with the rapid growth of APIs. Regulators are knocking on company doors, asking questions, and want to know how businesses are approaching API security.

“My goal is to keep the word ‘APIs’ out of the regulators’ mouth 100%. We are growing like crazy, and that brings a lot of regulator interest.” — Jack Hart, City National Bank

Security must be at the forefront

The panelists stated that API security must be intrinsic to API usage and management. To manage risks, CISOs must ensure that API security is built into the entire process and pipeline.

“We know that people will be building solutions on top of these APIs, but we also know that people will be trying to attack them. APIs have become an attack vector for systems, and it’s important for us to manage that risk as much as possible.” — David Biesack, Apiture

In addition, API security needs to be its own program, with its own training and its own management. As a fundamental component of your platform, it needs to be something a security team starts with, rather than something bolted on after the fact.

As validated by Gartner, API security has become its own essential category in securing platform services. To effectively manage that risk, organizations need dedicated API security.

“Any API introduced has to go through security review. Anyone that wants an identity that interacts with APIs has to go through security approval. Everything has a security presence.” — Nir Valtman, formerly Finastra

The old way doesn’t work

Many companies have gone from very limited API development to massive — and public-facing — development. The footprint of an organization’s APIs is constantly expanding.

Existing solutions, such as WAFs, can’t keep up with these API security needs. WAFs lack identity context and simply don’t provide the visibility required for API security management. Although one organization tried to use their WAFs initially, they just couldn’t keep up.

“A WAF in front of an API falls down. It doesn’t protect against these threats. It doesn’t provide the visibility you need — not to mention that if you don’t know all your APIs out there, or that they even exist, it’s really hard to protect them.” — Tyler Warren, Prologis

The Q1 2022 State of API Security report found a nearly 700% increase in API attack traffic in the past 12 months. If an API is down, that’s thousands of possible interactions that can be lost or broken. As one panelist summarized, this is the future, and companies need to invest and get API security into their stack.

“API security is non-negotiable. It’s not something you want to do after the fact. Security is a fundamental component of your platform. It’s something that you start with and think around and build into developer training programs.” — Tom Salmon, bp Launchpad

The bottom line is that any company that develops software has APIs. Within those API-driven organizations, there must be an understanding that API security is not a cost of security. Paying for API security is the cost of doing business.

To learn more about how Salt can help defend your organization from API risks, you can connect with a rep or schedule a personalized demo.


Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

June 18, 2024

Salt Labs
Research Team

Salt Labs

Increasing API Traffic, Proliferating Attack Activity and Lack of Maturity: Key Findings from Salt Security’s 2024 State of API Security Report

The latest Salt Security State of API Security Report is out now, and we’re thrilled to give a little sneak peek of its contents.

Read more

June 12, 2024

Elad Hoffer
Head of Product R/T Protection


Salt Security Leading the Way in AI-Driven API Security for Next-Generation Threat Protection and Attacker Insights

Learn how the recent introduction of advanced LLM-driven attacker insights further solidifies Salt's position as a leader in API security solutions.

Read more

June 7, 2024

Eric Schwake
Head of Product Marketing

A Salt Security Perspective on the 2024 Gartner® Market Guide for API Protection

Salt Security's API Protection Platform is AI-infused and designed to address the challenges outlined in the Gartner report.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Learn everything you need to know to keep your APIs secure

Get the guide