Today we released a new resource for security leaders – “A CISO’s Guide to API Security.” At Salt Security, we have always put education front and center in everything we do. We made a conscious decision to focus on market education starting from our founding in 2016. Last year, we strengthened that commitment with the formal introduction of Salt Labs, a public forum for publishing research on API vulnerabilities.
In this new guide, we take a close look at the special challenges CISOs face with increasing API usage and evolving security requirements. Digital transformation has driven unparalleled business opportunities. Yet, at the same time, the APIs powering all of this digital transformation have expanded security risks.
Our guide outlines why APIs present CISOs with the biggest risk in their technology stack.
Many enterprise companies from Parler and Experian to Facebook and Peloton have suffered API incidents. The costs of these types of attacks can be crippling to a business, affecting consumer trust, reputational damage, and loss of revenue.
We work with security leaders every day. We talk with them about their biggest concerns and what led them to invest in API security. Their stories reinforce the importance of our educational efforts.
Security leaders know that the API environment is dynamic and expanding rapidly. As API usage increases, so does the attack surface.
“The scope of the APIs is constantly growing. We are always adding new APIs to introduce new features. We are providing APIs as our product, and security is going to be an important part of that product.” David Biesack, Chief API Officer at Apiture.
In our new guide, we provide CISOs with focused insights on the three pillars of API security, including:
If CISOs don’t have visibility into their APIs, they can’t understand their full business exposure or adequately prioritize their risk management.
Tyler Warren, Deputy Information Security Officer at real estate leader Prologis, put it this way in our recent CISO panel at the API Security Summit:
“You can’t really protect anything that you don’t know about, so an important job of security is inventorying what you really have for asset management. Nobody likes being wrong, but I think my guess at APIs we had was off by a factor of ten of what was actually out there, as opposed to what I said we had.”
Security leaders must have the ability to see their APIs in action in order to spot trouble areas. APIs are not just straight code. You need to see APIs being exercised to identify logic flaws. This requires continuously monitoring APIs to identify any patterns and to understand what’s normal versus abnormal behavior. Only with this level of context will organizations be able to identify malicious behaviors.
Runtime insights are also important to bring your API security learnings back to the development team, so that they can take those learnings and apply them to harden APIs as they are building them.
In addition, it’s worth noting that a CISO’s success doesn’t rely on these capabilities alone. APIs span all areas of an organization. Security leaders must build a strong security culture throughout the organization, so that everyone understands what is at stake when it comes to API security. APIs are the entry point to your organization’s most critical data and services. Their protection is crucial to reduce risks, maximize program value, and generate growth.
Salt Security is the pioneer and industry leader in API security. We are committed to making your APIs attack proof and accelerating business innovation. Education is a key component of that effort. We hope that you find our new and complimentary guide informative and helpful as you look at implementing API security within your own organization.
It’s extremely important to make sure your OAuth implementation is secure. The fix is just one line of code away. We sincerely hope the information shared in our blog post series will help prevent major online breaches and help web service owners better protect their customers and users.
We want to thank our customers, partners and friends for the calls and messages to our team showing your concern and support.