Could you imagine our interstate highway system without roadway bridges? I don’t think anyone would argue that bridges are not an essential part of an effective ground transportation network. So it doesn’t surprise me that when I ask people what makes a highway bridge “good,” I get quick responses with pretty consistent answers: guardrails, proper lighting, clear signage, smooth driving surface, lane markings, load capacity, structural integrity, and so on. The more elements missing, the more risky the bridge. No one wants to drive across a risky bridge.
(There is a point to this.)
Now let’s shift to today’s applications that consumers and businesses rely on daily. All of these applications are powered by and rely on APIs to function. APIs are essential to bridging critical connections in transformation projects, microservice driven app modernizations, AI powered systems, mobile and web applications and much more. Yet, when I ask various application lifecycle personas in an enterprise what makes a “good” API, there is no quick response. And, the responses received tend to be different from one persona to the next. If we don’t know and are not in sync to what makes a good API, how can we trust what was built? How do we gauge how risky it is and how do we ensure that future APIs are not putting the enterprise at risk?
In recent years, as APIs proliferated the enterprise, their existence gave cause to some major security concerns. Organizations first looked to augment their existing web application security tools and processes to “address” API security. Unfortunately, the security challenges associated with APIs can't be solved by simply updating existing testing tools and edge security defenses to check-the-box technologies that claim to provide "API security." Risky API security posture, misconfigurations, and logic based vulnerabilities continue to plague security teams, while leaving threat actors with a low barrier to breach. It has become clear that organizations don't have an API security tooling problem, they have a strategy problem.
The problem is not going away in 2024. API production and usage will continue to increase rapidly, especially as many organizations in 2024 adopt more AI (artificial intelligence) driven processes and solutions in their business. AI needs data, and APIs are the vehicle for that data - and much of that data will be business critical or sensitive data. In these scenarios API sprawl is too risky. We will also start to see many organizations begin to leverage generative intelligence to develop APIs. This can not be done without major risk unless organizations have created and mandated corporate standards on what a "good" API actually is from a security standpoint.
To effectively reduce risk, organizations must adopt a strategy that helps mitigate risk now and ensures long term risk reduction. A good API security strategy starts with a well thought out API security posture governance program that spans from design to deployment. The truth of the matter is that most organizations moved full speed ahead on their API-first journeys without putting the proper API posture guardrails in place first. So for many of those organizations, the first step in their posture governance journey is to understand what API assets exist in their environments (API asset discovery), the potential attack surface those assets create, and capture contextual intelligence from those assets. (How are they used? What business unit or business function are they related to? What data in motion is associated with them? How are they structured and architected? What security attributes are associated with them, such as authentication type, rate-limiting, etc.?)
With that intelligence, organizations can start to define what “good” means to them, and create and document corporate API posture standards and policies, including adopting best practices and addressing regulatory requirements, that are relevant to their business and environment. These standards have become the source of truth that synchronizes, educates, and impacts the behaviors of all API lifecycle stakeholders and the technologies they are responsible for.
For example, let’s say an organization has adopted an API standard that declares that userids must always be in UUID format. That standard, if communicated and enforced effectively, will not only positively affect how a developer designs and codes an API to be compliant with that standard, but also how an architect designs their solutions, and influences how appsec tests the API. In another example, consider a manufacturing company that mandates an API standard that requires that all external facing APIs that deliver CAD design documents be over an encrypted channel, authenticated via JWT, and must always be served by a particular API gateway, behind a particular CDN. That policy would directly impact and influence the behaviors of the various lifecycle stakeholders, ensuring the production of a low risk API product.
An effective API posture governance program should not only have the ability to author and set policies, but should also have the ability to continuously assess if APIs in use are in compliance with corporate standards, best practices, and regulatory requirements. Processes should be in place to prioritize and remediate non-compliance swiftly and effectively, and work to ensure the source of non-compliance in order to avoid making the same mistakes over and over again.
API posture governance is foundational to behavioral threat protection.
It is well known that many API attacks are logic attacks, and the behaviors associated with those attacks typically evade traditional web defenses in use by more organizations. API behavioral anomaly detection is not easy. It takes lots of data and lots of cloud compute power to effectively and accurately identify anomalous behavior. An API posture governance program provides the foundation for a successful behavioral threat protection program by supplying it with the context rich API intelligence needed to help distinguish between benign anomalies and malicious intent. This intelligence also helps security teams more effectively, triage, prioritize, contain, and remediate production threats and vulnerabilities uncovered at runtime.
At Salt, we created the API security space and have analyzed trillions of API calls in the wild. For years we have educated the world on the security challenges associated with APIs while offering solutions to combat those challenges. As the application world has shifted and transformed, and as API-first has accelerated, it is more apparent than ever that a well executed, risk reducing API security strategy must consist of a progressive journey that addresses both API posture governance and API behavioral threat protection. We are thrilled to announce advancements in the Salt API Security Platform that help better guide our customers through that API risk reduction journey, ensuring secure API driven success for their businesses.
Some of the major advancements and deliveries announced this week include:
We are thrilled to start off 2024 with these exciting new capabilities and look forward to sharing them with the world. Contact us to learn more about these new capabilities and how the Salt Security API Protection Platform can help your organization realize short and long term API risk reduction and achieve secure API driven success. To learn more about Salt’s API posture governance engine, join our webinar, “A New Strategy for Reducing API Risk,” on Tuesday, January 30 at 9am PT/12pm ET. Register here.
Salt Security Chief Marketing Officer, Michael Callahan, reflects on his first 90 days with the company and shares his observations and optimism!
We’re thrilled to share that Salt has launched extended capabilities to our powerful platform, adding yet another industry-first technical advancement to our trophy case!