At our recent API Security Summit – the industry’s first summit dedicated entirely to API security – we had the opportunity to chat with six senior security executives about their approaches to protecting these vital assets. APIs are essential to innovation and delivering new services, but APIs have also become the number one attack vector for applications today. We wanted to understand how CISOs are managing the risk.
Our panel included:
David Biesack – Apiture
Jack Hart – City National Bank
Tom Salmon – bp Launchpad
Jeff Serota – Ally Bank
Nir Valtman – formerly at Finastra
Tyler Warren – Prologis
Each of them shared their experiences in implementing and managing API security within their organizations. We’ve highlighted four of the key takeaways from the session below and also invite you to listen to the entire session.
We’re not trying to break builds. We’re trying to build relationships.
The panelists agreed that making the corporate culture more “security aware” was one of the most challenging, yet most important, aspects of the API security journey. Moreover, the onus must be on the security team to build and maintain a good relationship across all areas of the organization. A model built on strong cross-functional collaboration makes it easier to achieve security’s objectives.
Security must explain why API security requirements matter to the company and how they help reduce business risks. Security leaders also need to clearly spell out those risks. According to panelists, this aspect can be a struggle and particular situations, such as breaking builds, can be sensitive. But a security-driven approach is vital to reflect the seriousness that a company applies to its API program and its potential impact on the business.
To meet its security requirements, the security team also has an obligation to deliver the fit-for-purpose tools that help empower others to meet those objectives. Rather than saying, “No, you can’t do that,” security needs to provide the answers and solutions to do things in a better way that reduces risk.
While CISOs need a centralized way to secure API traffic, they also need to instill a cross-functional security mindset for program success.
“We use APIs right now for everything from partner interactions to customer interactions to building our code. Our AWS environment is completely Terraform, so we use APIs to control that. APIs are core to everything we do.” - Jeff Serota, Ally Bank
By definition, APIs touch practically everyone in an organization, from infrastructure to networking to business development to customer experience. APIs are also owned by different teams. Engineering owns a portion; product owns a portion, and so on.
On top of that, within one organization, there can be multiple types of APIs, such as:
Attacks across these different types of APIs vary, and security teams have to validate the security measures within each of those channels differently.
Regulator interest has also increased with the rapid growth of APIs. Regulators are knocking on company doors, asking questions, and want to know how businesses are approaching API security.
“My goal is to keep the word ‘APIs’ out of the regulators’ mouth 100%. We are growing like crazy, and that brings a lot of regulator interest.” - Jack Hart, City National Bank
The panelists stated that API security must be intrinsic to API usage and management. To manage risks, CISOs must ensure that API security is built into the entire process and pipeline.
“We know that people will be building solutions on top of these APIs, but we also know that people will be trying to attack them. APIs have become an attack vector for systems, and it’s important for us to manage that risk as much as possible.” - David Biesack, Apiture
In addition, API security needs to be its own program, with its own training and its own management. As a fundamental component of your platform, it needs to be something a security team starts with, rather than something bolted on after the fact.
As validated by Gartner, API security has become its own essential category in securing platform services. To effectively manage that risk, organizations need dedicated API security.
“Any API introduced has to go through security review. Anyone that wants an identity that interacts with APIs has to go through security approval. Everything has a security presence.” - Nir Valtman, formerly Finastra
Many companies have gone from very limited API development to massive – and public-facing – development. The footprint of an organization’s APIs is constantly expanding.
Existing solutions, such as WAFs, can’t keep up with these API security needs. WAFs lack identity context and simply don’t provide the visibility required for API security management. Although one organization tried to use their WAFs initially, they just couldn’t keep up.
“A WAF in front of an API falls down. It doesn’t protect against these threats. It doesn’t provide the visibility you need – not to mention that if you don’t know all your APIs out there, or that they even exist, it’s really hard to protect them.” - Tyler Warren, Prologis
The Q1 2022 State of API Security report found a nearly 700% increase in API attack traffic in the past 12 months. If an API is down, that’s thousands of possible interactions that can be lost or broken. As one panelist summarized, this is the future, and companies need to invest and get API security into their stack.
“API security is non-negotiable. It’s not something you want to do after the fact. Security is a fundamental component of your platform. It’s something that you start with and think around and build into developer training programs.” - Tom Salmon, bp Launchpad
The bottom line is that any company that develops software has APIs. Within those API-driven organizations, there must be an understanding that API security is not a cost of security. Paying for API security is the cost of doing business.
Dr. Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, joined our recent API Security Summit. Dr. Chuvakin’s session – co-hosted by Salt Security's Michelle McLean – provided an in-depth discussion on why API security has become a “now” problem.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs.
With the industry moving to microservices and API-driven applications, new security threats and attack vectors have emerged. The PCI Security Standards Council has worked to address these threats in its newest PCI DSS 4.0 standard.