Engineering leaders have a lot on their plate, and keeping up with the latest technologies and security requirements can be a challenge. With the proliferation of APIs in all modern applications, understanding the ins and outs of APIs is more critical than ever.
Gartner analysts Mark O'Neill and Shameen Pillai recently released a report with ten things every software engineering leader should know about APIs. These insights aren’t limited to just engineering leaders. The report provides valuable insights to developers, security teams, and anyone who has a role in designing and delivering API-based applications. Here are five key takeaways from the report:
Gartner updates their view with the prediction that “By 2024, API abuses and related data breaches will nearly double.”
While it’s hard to quantify what that means, the big takeaway is that attacks targeting APIs are rapidly increasing, and any organization building APIs should take notice. Recently reported API security incidents include well-known companies such as Peloton and Experian, who arguably have strong security programs in place. Even so, their APIs were vulnerable to attacks.
Our State of API Security Q1 2021 report showed that 91% of respondents had suffered a security incident in their production APIs in 2020. The report also showed that even before a breach happens, API security concerns negatively impact business, with 66% of survey respondents saying that they had delayed the deployment of a new application because of API security concerns. It’s clear that having a well-defined API strategy that includes security is more important now than ever.
A well-defined API strategy is a goal and not a current reality for many organizations, so don’t feel bad if you’re not there yet. Gartner predicts, “By 2025, more than 80% of organizations will identify themselves to have implemented advanced or expert level API strategies,” so you still have time.
Having a strategy can provide benefits that include efficiencies in development, enabling API reuse, ensuring alignment with business goals, and ensuring security effectiveness throughout the API lifecycle.
Part of the strategy entails governance, but Gartner points out that governance should not introduce bottlenecks. One reason APIs are so popular with developers is that they are one of the key components enabling rapid development. Implementing governance that gets in the way of rapid development will not only be unpopular with developers but will also give them reason to look for ways around speed bumps, therefore defeating the purpose. Ensuring governance integrates with development pipelines, workflows, and is transparent to developers will help to ensure adoption.
Another critical component of governance is centralization. Gartner suggests the concept of a central API platform team rather than allowing each group developing APIs to set their own standards. With a trickle-down approach, a central API team can define an overall API strategy, best practices and implement tools to standardize the management and security of the API portfolio. A feedback loop between the central API team, product teams, and security helps ensure that standards are followed and meet business objectives without getting in the way of development.
When it comes to security, having an API strategy ensures that organizations have a handle on their attack surface and exposure. APIs are often part of rapid development, resulting in constant change. A strategy can help to minimize sprawl, which otherwise results in unknown shadow APIs and forgotten zombie APIs.
Another essential component of an API strategy is acknowledging that APIs have a life cycle beyond development. That lifecycle includes design, implementation, deployment, versioning, and finally, retirement. Each stage can have its own set of tooling and security requirements, and understanding those unique requirements will allow you to implement the right solutions.
Revenue is the easiest way to map the value of an API to the business but not every API is directly tied to revenue. Just because an API isn’t monetized doesn’t mean that it’s not valuable to the business. APIs are core to digital transformation and enable organizations to rapidly innovate and create differentiated solutions for customers and partners. This type of agility is invaluable to any organization.
Just because an API is not tied to revenue doesn’t mean that security should be a lower priority. When it comes to security, the value of the data an API exposes is an equally essential factor for prioritization, as is the value of the service the API enables. Attackers don’t always target services that generate revenue and are often after the personal data behind the scenes.
APIs are continuously changing and being updated, making the task of maintaining an up-to-date view of your APIs and attack surface a constant challenge. Gartner points out that it’s critical to discover your APIs before attackers do, and it’s not uncommon for attackers to have a better view of your APIs than you do.
Given the increasing volume of APIs combined with the constant rate of change, manual efforts of documenting and cataloging will quickly become ineffective. Back to the previous section about strategy, anything you put in place needs to be as transparent as possible to developers, and that’s an opportunity to apply automation.
Automating API discovery, documentation, and cataloging not only takes that task off the plate of developers, it also ensures that you end up with a view that’s complete, up to date, and accurate. This benefits the reuse of APIs and helps security teams understand the true attack surface and understand when that attack surface changes. Another benefit of automation is identifying shadow and zombie APIs to eliminate any unknown attack surface.
It’s not enough to know that you have an API; it’s also critical that you know granular details about the API, such as its intended function and the data it exposes. This level of detail helps other developers with reuse and enables security and development teams to align on risk and look for ways to reduce or mitigate that risk.
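One concrete form the automated discovery described above can take is reconciling observed traffic against the documented catalogue. The following is an added example written for this post, not Salt’s or Gartner’s code; it assumes a constructed catalogue of endpoint templates with a lifecycle status, a few constructed access-log lines, and a simple rule that numeric path segments are object identifiers. Endpoints seen in traffic but absent from the catalogue are reported as shadow APIs, and catalogued endpoints marked retired that still serve traffic are reported as zombie APIs.

```python
"""Reconcile a documented API inventory against observed traffic.

Added example (not Salt Security's or Gartner's code). Inputs are constructed:
a minimal catalogue of documented endpoints and a handful of access-log lines.
Observed endpoints are classified as documented, shadow (traffic but not in the
catalogue) or zombie (catalogued as retired but still receiving traffic).
"""
import re
from collections import Counter

# Constructed catalogue: (method, path template) -> lifecycle status
CATALOGUE = {
    ("GET", "/v2/users/{id}"): "active",
    ("GET", "/v2/orders/{id}"): "active",
    ("GET", "/v1/users/{id}"): "retired",  # deprecated version; should get no traffic
}

# Constructed access-log lines in a common-log-like shape
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /v2/users/42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /v2/orders/7 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2021:10:00:02 +0000] "GET /v1/users/42 HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "POST /v2/internal/export HTTP/1.1" 200 90',
    '10.0.0.9 - - [01/Jan/2021:10:00:04 +0000] "GET /v2/users/43/address HTTP/1.1" 200 64',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def normalize_path(path):
    """Drop the query string and collapse numeric segments into '{id}'
    so that individual requests map onto catalogue templates."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def observed_endpoints(lines):
    """Count requests per (method, normalized path template)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a request line
        counts[(m.group("method"), normalize_path(m.group("path")))] += 1
    return counts


def reconcile(catalogue, lines):
    """Classify traffic against the catalogue and flag documented-but-silent APIs."""
    observed = observed_endpoints(lines)
    report = {"documented": {}, "shadow": {}, "zombie": {}, "silent": []}
    for endpoint, n in observed.items():
        status = catalogue.get(endpoint)
        if status is None:
            report["shadow"][endpoint] = n      # serving traffic, not in the catalogue
        elif status == "retired":
            report["zombie"][endpoint] = n      # retired on paper, alive in production
        else:
            report["documented"][endpoint] = n
    for endpoint, status in catalogue.items():
        if status == "active" and endpoint not in observed:
            report["silent"].append(endpoint)   # documented but unused; review for retirement
    return report


if __name__ == "__main__":
    for bucket, items in reconcile(CATALOGUE, LOG_LINES).items():
        print(bucket, items)
```

Running this over the constructed lines places the two `/v2` reads under documented, the `/v1/users/{id}` read under zombie, and the `POST /v2/internal/export` and `GET /v2/users/{id}/address` requests under shadow. In practice the same reconciliation runs continuously over gateway or proxy logs so that the inventory tracks the change rate the post describes rather than being rebuilt by hand.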
Gartner states that API management tools vary widely, and these tools must align with the needs of each group. The result is that a typical organization will end up with multiple API gateways from multiple vendors to meet the unique requirements for each product group in your organization.
Some of these tools come with basic security capabilities that by no means provide comprehensive protection against API threats. While authentication, authorization, encryption, and rate limiting are foundational to security, these capabilities do little to protect against the top threats outlined in the OWASP API Security Top 10. Their effectiveness is reduced further when products from multiple vendors with varying capabilities are in use.
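To make the point above concrete: the check below is an added example for this post, not Salt’s or Gartner’s code, using a constructed in-memory order service with constructed sessions and records. The first handler is authenticated and rate limited, exactly the gateway-level controls named above, yet any logged-in user can read any order because nothing ties the requested object to the caller. The hardened handler adds the object-level ownership check; the gap it closes is the one OWASP lists first in the API Security Top 10 as API1:2019 Broken Object Level Authorization.

```python
"""Authentication and rate limiting versus object-level authorization.

Added example (not Salt's or Gartner's code). All data is constructed.
get_order_weak checks only that the caller is logged in and under the rate
limit; get_order_hardened also checks that the caller owns the record.
"""
import time
from collections import defaultdict

# Constructed session tokens and an orders table keyed by order id
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {
    1001: {"owner": "alice", "total": 99.0},
    1002: {"owner": "bob", "total": 15.5},
}


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per caller within `window` seconds."""

    def __init__(self, limit, window=60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)

    def allow(self, caller, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[caller] if now - t < self.window]
        self.hits[caller] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def authenticate(token):
    """Map a session token to a user, or None when the token is unknown."""
    return SESSIONS.get(token)


def get_order_weak(token, order_id, limiter):
    """Authenticated and rate limited, but missing the ownership check."""
    user = authenticate(token)
    if user is None:
        return 401, None
    if not limiter.allow(user):
        return 429, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order  # any authenticated caller can read any order id


def get_order_hardened(token, order_id, limiter):
    """Same controls plus object-level authorization on the record's owner."""
    user = authenticate(token)
    if user is None:
        return 401, None
    if not limiter.allow(user):
        return 429, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        # Same response for missing and foreign objects so the status code
        # does not reveal whether another user's order id exists.
        return 404, None
    return 200, order


if __name__ == "__main__":
    limiter = RateLimiter(limit=100)
    print("weak:", get_order_weak("tok-bob", 1001, limiter))
    print("hardened:", get_order_hardened("tok-bob", 1001, limiter))
```

Both handlers pass the gateway's authentication and rate-limit checks for every request shown, which is why those controls alone do not address this class of threat; the difference is the per-object decision inside the application, and a runtime security solution that understands which user is reading which objects is what makes the weak behaviour visible in traffic.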
Security should be decoupled from management and is one thing that is critical to centralize and standardize, especially for protecting APIs at runtime. A standardized security solution for your APIs will help ensure that you have a complete, centralized view of all your APIs and consistent protection regardless of the API management tools in use.
It’s also important that your runtime security solution has the ability to integrate with the variety of API gateways in your environment. Integration between an API gateway and API security solution can aid in API discovery and the ability to quickly take action to stop attacks.
Efforts to improve API security in development are important, but “shift left” is not the full answer. You need to think of the full lifecycle of an API and consider the security requirements at every step. Implementing runtime protection for APIs is a crucial component of protecting your vital data and services. And insights from an API security solution can also provide a valuable feedback loop to dev teams to improve security.
The Salt solution provides discovery of APIs, runtime protection, and insights to help development teams eliminate vulnerabilities. Salt uses big data to collect API traffic from a variety of sources such as API gateways and applies AI and ML to analyze the activity of millions of users in parallel to gain the context needed to identify and stop attacks.
Through analysis of API traffic, Salt also automatically discovers all your APIs, ensures accurate documentation, and provides feedback to your developers to help you continuously improve API security. Salt does not require changes to application code and is not inline, so there’s no impact on developers or applications.
As you’re building out your comprehensive API security strategy, reach out for a personalized demo to learn how Salt can help protect your APIs.
It’s extremely important to make sure your OAuth implementation is secure. The fix is just one line of code away. We sincerely hope the information shared in our blog post series will help prevent major online breaches and help web service owners better protect their customers and users.
We want to thank our customers, partners and friends for the calls and messages to our team showing your concern and support.