As more companies expand digital routes to market, developers are gravitating to new, easy-to-use and scalable cloud platforms to deliver new features faster than ever before. As a result, security teams are now faced with new challenges to manage and protect these service-based application architectures built entirely on the public internet.
Traditional approaches, such as data center firewalls or web application firewalls (WAFs), can now be circumvented, creating a forcing function for leaders to re-evaluate their entire security programs. The focus moving forward needs to be on application-layer vulnerabilities at their core.
Companies today need to be armed with a deeper level of inspection to understand if authentication, authorization, availability, and encryption are working as they should from a security evaluator perspective. This is essential in industries that are heavily regulated and store very sensitive data, such as healthcare and finance.
APIs are Essential
Without APIs there would be no cloud computing, social media, or Internet of Things (IoT). APIs transfer data across a full stack application and throughout the internet; they are the glue that keeps digital transformation and innovation intact and progressing forward.
According to a Gartner report on its API Strategy Maturity Model, web applications already see 40 percent of their attacks coming through APIs instead of user interfaces. The same analysts also predict this number will increase to 90 percent in 2021. Since APIs help expand the business, streamline processes, and make life easier for developers, they are essential to businesses and continue to expand. As APIs have expanded, so have their attackers and the opportunities to wreak havoc on organizations, because APIs also comprise a vast and constantly expanding attack surface.
APIs are most frequently the source of data breaches and leaky data. With all of these microservices, there is a lot of code being slung into the cloud or into web apps, making it difficult to inventory, assess the risk of and secure the vast number of APIs. APIs ultimately provide a treasure map for hackers that can help them find the most vulnerable attack vector for data exfiltration.
Securing all these APIs
Before approaching API security, the biggest question we need to ask ourselves is, “What is the process for discovering new or changed APIs or microservices? Can we comfortably say we know where all our APIs are? Of the ones we can find, what is their security posture?”
API discovery can change everything about a company’s approach to application security. It is the first step in visualizing the entire application attack surface. Not only are APIs continuously added to an application, but they are often consumed and utilized from third-party developers and open-source libraries.
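The discovery step described above can be approximated with a simple inventory diff. The following is an added example (not code from the article or from Data Theorem): it compares the routes declared in a service's OpenAPI document against the routes actually observed in web-server access logs, and reports shadow APIs (served but undocumented) and zombie APIs (documented but never called). The declared paths, the log lines and the `/v1/` prefix are all constructed sample data for a hypothetical service.

```python
"""Added example: diff a declared API inventory against observed traffic.
Not from the article or any vendor product; all inputs are constructed."""

import re
from collections import Counter

# Constructed sample: paths declared in an OpenAPI document (hypothetical service).
DECLARED_PATHS = {
    "/v1/users/{id}",
    "/v1/users/{id}/orders",
    "/v1/orders/{orderId}",
    "/v1/health",
}

# Constructed sample access-log lines (combined log format, made-up hosts and times).
ACCESS_LOG = """\
10.0.0.5 - - [01/Mar/2021:10:00:01 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2021:10:00:02 +0000] "GET /v1/users/42/orders HTTP/1.1" 200 2048
10.0.0.9 - - [01/Mar/2021:10:00:03 +0000] "POST /v1/users/42/export?format=csv HTTP/1.1" 200 90000
10.0.0.9 - - [01/Mar/2021:10:00:04 +0000] "GET /v1/internal/debug/config HTTP/1.1" 200 3000
10.0.0.7 - - [01/Mar/2021:10:00:05 +0000] "GET /v1/orders/9001 HTTP/1.1" 200 700
10.0.0.7 - - [01/Mar/2021:10:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 120000
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Segments that look like identifiers: integers, long hex strings, UUID-shaped strings.
ID_SEGMENT_RE = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-fA-F-]{36})$")


def normalize_path(target: str) -> str:
    """Drop the query string and replace identifier-looking segments with a
    generic {id} placeholder so concrete URLs can be matched to route templates."""
    path = target.split("?", 1)[0]
    segments = ["{id}" if ID_SEGMENT_RE.match(seg) else seg for seg in path.split("/")]
    return "/".join(segments)


def normalize_template(template: str) -> str:
    """Collapse OpenAPI parameter names ({orderId}, {id}, ...) into the same placeholder."""
    return re.sub(r"\{[^}]+\}", "{id}", template)


def observed_endpoints(log_text: str, api_prefix: str = "/v1/") -> Counter:
    """Count normalized API paths seen in the access log, ignoring requests
    outside the API prefix (static assets and the like)."""
    seen = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = normalize_path(m.group("target"))
        if path.startswith(api_prefix):
            seen[path] += 1
    return seen


def discover(declared: set, log_text: str) -> dict:
    """Diff documented routes against observed traffic.
    shadow: served but not in the inventory; zombie: in the inventory but never hit."""
    documented = {normalize_template(p) for p in declared}
    seen = observed_endpoints(log_text)
    return {
        "shadow": sorted(p for p in seen if p not in documented),
        "zombie": sorted(p for p in documented if p not in seen),
        "known": sorted(p for p in seen if p in documented),
    }


if __name__ == "__main__":
    report = discover(DECLARED_PATHS, ACCESS_LOG)
    for kind, paths in report.items():
        print(f"{kind}:")
        for p in paths:
            print("  ", p)
```

Run against the sample data, the check flags `/v1/users/{id}/export` and `/v1/internal/debug/config` as shadow routes and `/v1/health` as a documented route nobody calls. In practice the same diff would be run on each deploy, with the declared set taken from the gateway or framework route table rather than a hand-written document, so that new or changed endpoints surface the day they appear rather than at the next quarterly audit.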
A best-in-class security strategy and approach needs to include 24/7 awareness of every API being utilized and all client data being processed by these APIs at every layer of the application stack. For example, mobile applications will typically include 12 to 18 third-party SDKs. This means that a typical mobile application will need to be continuously scanned statically and dynamically for security issues within both the native code as well as third-party open source and commercial SDKs.
Since APIs can be called from anywhere in the application stack to access data, powering your mobile app to perform as a single vehicle for multiple users, they simultaneously provide single entry points to the sensitive data that is stored throughout your stack. Most companies purchase mobile app scanners or hire consultants to do quarterly audits to find vulnerabilities. That is not enough to keep up with daily API changes; vulnerabilities go untracked until it's too late.
Similar to mobile applications, traditional web app scanners lack the ability to provide security insights into Single Page Applications (SPAs) because of the dynamic, real-time rendering nature of the SPA architecture. They do not know how to see the API data transport layer that makes these new web app architectures so popular with modern developers.
Best-in-class API security requires full-stack security analysis of both mobile and modern web apps. Data often starts at the client layer with a web or mobile app before it gets taken to the cloud. Securing sensitive data and protecting user privacy is a constant effort that requires continuous vulnerability analysis from mobile to web to backend cloud services. Today's attackers often focus on exploiting the client layer to hijack user sessions, embedded passwords, and toxic tokens left inside mobile apps or SPAs.
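One concrete check for the client-layer risk just described is to scan the artifacts you ship (an SPA bundle, or a strings dump of a mobile app) for embedded credentials before release. The following is an added example, not code from the article or from Data Theorem: it looks for two well-known token shapes (AWS access key IDs, which start with `AKIA`, and JWTs, whose base64url header starts with `eyJ`) and for high-entropy string literals assigned to secret-looking variable names, using Shannon entropy to skip obvious placeholders. The sample bundle is constructed, and the key and token values in it are fake.

```python
"""Added example: scan a client-side bundle for embedded secrets.
Not from the article or any vendor product; the bundle below is constructed
and the credential-like values in it are placeholders, not real secrets."""

import math
import re
from collections import Counter

# Constructed sample bundle. The AWS key is the documented AWS example key,
# the JWT is a hand-built placeholder, and the other values are made up.
SAMPLE_BUNDLE = r"""
const API_BASE = "https://api.example.invalid/v1";
const analyticsKey = "pub_0123456789";
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const legacyToken = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyNDIifQ.c2lnbmF0dXJlLXBsYWNlaG9sZGVy";
const apiSecret = "Qm9ndXNTZWNyZXRWYWx1ZTEyMzQ1Njc4OTAh";
const tokenPlaceholder = "REPLACE_ME_REPLACE_ME";
const theme = "dark";
"""

# AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# JWTs: three base64url segments; "eyJ" is the encoding of '{"', so this only
# catches tokens with a JSON header, which is the common case.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
# Assignment of a quoted literal (16+ chars) to a variable whose name suggests a credential.
SECRET_ASSIGN_RE = re.compile(
    r"""(?i)\b(?P<name>\w*(secret|token|password|passwd|key)\w*)\s*[:=]\s*["'](?P<value>[^"']{16,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys sit well above readable placeholders."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_bundle(text: str, entropy_threshold: float = 3.5) -> list:
    """Return a list of findings, each a dict with kind, line and value.
    Values already matched by a specific pattern are not reported twice."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        specific = set()
        for m in AWS_KEY_RE.finditer(line):
            findings.append({"kind": "aws_access_key_id", "line": line_no, "value": m.group(0)})
            specific.add(m.group(0))
        for m in JWT_RE.finditer(line):
            findings.append({"kind": "jwt", "line": line_no, "value": m.group(0)})
            specific.add(m.group(0))
        for m in SECRET_ASSIGN_RE.finditer(line):
            value = m.group("value")
            if value in specific:
                continue
            # Low-entropy literals such as "REPLACE_ME_REPLACE_ME" are placeholders, not keys.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({
                    "kind": "high_entropy_secret",
                    "line": line_no,
                    "value": value,
                    "name": m.group("name"),
                })
    return findings


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f['line']}: {f['kind']} {f.get('name', '')} {f['value'][:12]}...")
```

Against the sample, the scan reports the AWS key, the JWT and the `apiSecret` literal, and stays quiet on the public analytics key, the `REPLACE_ME` placeholder and ordinary configuration. The entropy threshold is the tuning knob: raise it to cut noise from base64-encoded non-secrets, lower it if real keys in your code base are short. A check like this belongs in the build step that produces the bundle, where a finding can fail the build rather than ship.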
Protecting APIs also requires auto-remediation that is fully integrated into the CI/CD pipeline. I am not talking about assessment tools integrating into the CI/CD pipeline and reporting found vulnerabilities to systems such as Jenkins, Bugzilla and Jira – that is table stakes for assessment tools. What’s needed is auto-remediation of the issues in the CI/CD pipeline. Instead of waiting for manual vulnerability verification and then remediation, today’s API security needs auto fixes, freeing developers from having to spend time resolving common issues.
Advanced API security can even take it a step further and offer automated vulnerability hacking toolkits for scheduled pre-production assessments. Similar to the consultant scenario described above, white hat hackers are hired to administer moment-in-time penetration tests in pre-production environments. Advanced options deploy toolkits that perform the same hacking activities, but on a continuous basis. Not only is using such a toolkit much more cost effective, but it also works non-stop to find and fix vulnerabilities.
APIs are essential. They are all about connecting and collaborating to share information, but care needs to be taken to ensure that sensitive data is not left naked on the internet via public-facing mobile, web, and cloud applications.
About the author: Felicia has over 15 years' experience working with development, engineering, product, sales and marketing teams at IBM, Cloudera, TIBCO and now Data Theorem. She is passionate about bridging the communication between business stakeholders and technical teams to help accomplish big things.
Edited by Erik Linask