API Risk Management: A Strategic Approach to API Risk Reduction

The cost of not knowing what good is.

Could you imagine our interstate highway system without roadway bridges? I don’t think anyone would argue that bridges are not an essential part of an effective ground transportation network. So it doesn’t surprise me that when I ask people what makes a highway bridge “good,” I get quick responses with pretty consistent answers: guardrails, proper lighting, clear signage, smooth driving surface, lane markings, load capacity, structural integrity, and so on. The more elements missing, the more risky the bridge. No one wants to drive across a risky bridge.

(There is a point to this.)

Now let’s shift to today’s applications that consumers and businesses rely on daily. All of these applications are powered by and rely on APIs to function. APIs are essential to bridging critical connections in transformation projects, microservice driven app modernizations, AI powered systems, mobile and web applications and much more. Yet, when I ask various application lifecycle personas in an enterprise what makes a “good” API, there is no quick response. And, the responses received tend to be different from one persona to the next. If we don’t know and are not in sync to what makes a good API, how can we trust what was built? How do we gauge how risky it is and how do we ensure that future APIs are not putting the enterprise at risk?

In recent years, as APIs proliferated the enterprise, their existence gave cause to some major security concerns. Organizations first looked to augment their existing web application security tools and processes to “address” API security. Unfortunately, the security challenges associated with APIs can't be solved by simply updating existing testing tools and edge security defenses to check-the-box technologies that claim to provide "API security."  Risky API security posture, misconfigurations, and logic based vulnerabilities continue to plague security teams, while leaving threat actors with a low barrier to breach. It has become clear that organizations don't have an API security tooling problem, they have a strategy problem.

The problem is not going away in 2024. API production and usage will continue to increase rapidly, especially as many organizations in 2024 adopt more AI (artificial intelligence) driven processes and solutions in their business. AI needs data, and APIs are the vehicle for that data - and much of that data will be business critical or sensitive data. In these scenarios API sprawl is too risky. We will also start to see many organizations begin to leverage generative intelligence to develop APIs. This can not be done without major risk unless organizations have created and mandated corporate standards on what a "good" API actually is from a security standpoint.

Defining and sharing what good means.

To effectively reduce risk, organizations must adopt a strategy that helps mitigate risk now and ensures long term risk reduction. A good API security strategy starts with a well thought out API security posture governance program that spans from design to deployment. The truth of the matter is that most organizations moved full speed ahead on their API-first journeys without putting the proper API posture guardrails in place first. So for many of those organizations, the first step in their posture governance journey is to understand what API assets exist in their environments (API asset discovery), the potential attack surface those assets create, and capture contextual intelligence from those assets. (How are they used? What business unit or business function are they related to? What data in motion is associated with them? How are they structured and architected? What security attributes are associated with them, such as authentication type, rate-limiting, etc.?)

With that intelligence, organizations can start to define what “good” means to them, and create and document corporate API posture standards and policies, including adopting best practices and addressing regulatory requirements, that are relevant to their business and environment. These standards have become the source of truth that synchronizes, educates, and impacts the behaviors of all API lifecycle stakeholders and the technologies they are responsible for.

For example, let’s say an organization has adopted an API standard that declares that userids must always be in UUID format. That standard, if communicated and enforced effectively, will not only positively affect how a developer designs and codes an API to be compliant with that standard, but also how an architect designs their solutions, and influences how appsec tests the API. In another example, consider a manufacturing company that mandates an API standard that requires that all external facing APIs that deliver CAD design documents be over an encrypted channel, authenticated via JWT, and must always be served by a particular API gateway, behind a particular CDN. That policy would directly impact and influence the behaviors of the various lifecycle stakeholders, ensuring the production of a low risk API product.

Assessing compliance with good.

An effective API posture governance program should not only have the ability to author and set policies, but should also have the ability to continuously assess if APIs in use are in compliance with corporate standards, best practices, and regulatory requirements. Processes should be in place to prioritize and remediate non-compliance swiftly and effectively, and work to ensure the source of non-compliance in order to avoid making the same mistakes over and over again.

API posture governance is foundational to behavioral threat protection.

It is well known that many API attacks are logic attacks, and the behaviors associated with those attacks typically evade traditional web defenses in use by more organizations. API behavioral anomaly detection is not easy. It takes lots of data and lots of cloud compute power to effectively and accurately identify anomalous behavior. An API posture governance program provides the foundation for a successful behavioral threat protection program by supplying it with the context rich API intelligence needed to help distinguish between benign anomalies and malicious intent. This intelligence also helps security teams more effectively, triage, prioritize, contain, and remediate production threats and vulnerabilities uncovered at runtime.

Salt Security’s latest product updates.

At Salt, we created the API security space and have analyzed trillions of API calls in the wild. For years we have educated the world on the security challenges associated with APIs while offering solutions to combat those challenges. As the application world has shifted and transformed, and as API-first has accelerated, it is more apparent than ever that a well executed, risk reducing API security strategy must consist of a progressive journey that addresses both API posture governance and API behavioral threat protection. We are thrilled to announce advancements in the Salt API Security Platform that help better guide our customers through that API risk reduction journey, ensuring secure API driven success for their businesses.  

Some of the major advancements and deliveries announced this week include:

• Industry’s first API posture governance engine - Which helps organizations minimize risk on their API first journey, by having the ability to author corporate standards for API posture, and assess compliance with those standards, along with industry best practices, and regulatory requirements. Unlike typical API security solutions that focus primarily on detection and mitigation of threats, Salt's platform introduces the first-ever engine dedicated to API posture governance. The new functionality helps ensure that all API lifecycle stakeholders (architects, developers, API product managers, AppSec, SecOps) are in sync and security standards are followed as an API makes its way through its lifecycle.
• New API filtering and querying capabilities - Which provides context rich API asset discovery and management, helping organizations mine more intelligence from their discovered API assets. This feature allows organizations to extract detailed insights about their APIs, such as their purpose, usage patterns, and associated risks. The ability to support “risk hunting” and create posture governance policies directly from these insights is a significant leap forward, offering a new level of depth and customization.
• Enhanced behavioral threat response capabilities - Which will provide SecOps personnel with the capability to more effectively prioritize, triage, and analyze API related security events, and drastically reduce mean time to respond and resolve. More API sprawl means more opportunity for threat actors targeting APIs. This trend will continue in 2024, as evidenced by Salt Security’s latest State of API Security Report, Q1 2023, which found a 400% increase in unique API attackers this last year and its State of API Security for Financial Services and Insurance Report where 92% of respondents say they have experienced a significant security issue in production APIs over the past year, with nearly one out of five have suffered an API security breach. Salt’s new attacker activity filtering, querying, and threat hunting capabilities leverages findings derived from industry's most mature and advanced behavioral threat detection platform, coupled with its context rich API asset intelligence. The integration of this advanced threat detection with API asset intelligence equips security teams with the tools to rapidly and effectively address API-related security events.
• New ecosystem enrichment capabilities - Which will share API intelligence with the broader lifecycle ecosystem. The platform's enhanced integrations with application security testing platforms, data enrichment through its public API, and advanced outbound integrations (like syslog and Splunk) are designed to ensure that API security is not a standalone effort but an integrated part of the broader security infrastructure. This holistic approach to API security, focuses on both internal asset management and external ecosystem integration. All of these improvements help organizations more easily share and operationalize Salt’s API asset and threat intelligence with existing security technology investments.
• Enterprise onboarding  and operationalization improvements - Which reduce API risk quickly with minimal operational friction. These latest updates aim to help ease this burden with new improvements in role based access control, improved integrations to corporate identity systems, enhanced system health management and audit controls, and improved data collection and data protection mechanisms.

We are thrilled to start off 2024 with these exciting new capabilities and look forward to sharing them with the world. Contact us to learn more about these new capabilities and how the Salt Security API Protection Platform can help your organization realize short and long term API risk reduction and achieve secure API driven success. To learn more about Salt’s API posture governance engine, join our webinar, “A New Strategy for Reducing API Risk,” on Tuesday, January 30 at 9am PT/12pm ET. Register here.