A Modern Approach to Securing APIs

The nature of applications has changed from monolithic applications deployed on individual web servers to containerized, cloud native applications distributed across a cluster of nodes. With the emergence and popularity of cloud native applications, APIs have become critical to the modern applications we rely on — from mobile to SaaS — as organizations share vast amounts of data with customers and external users.

On average, modern web applications depend on 26 to 50 APIs to power them, which has expanded the attack surface of an application, increasing the need to secure APIs for stronger authentication, authorization and data privacy to keep applications running. Additionally, with the widespread adoption of public clouds to host web applications, security and developer teams contend with a perimeter-less network that constantly exposes applications to internet-borne threats. For instance, in a recent report, nine out of the top 10 vulnerabilities on internet-facing cloud hosts were found to belong to web/API applications.

Unsecured APIs make easy targets for threat actors to gain access to valuable data and resources within applications across the enterprise. Take the recent Optus breach, for example. It exposed 10 million customer accounts due to an internet-facing API that did not require authorization or authentication to access customer data.

The reality is that 75% of organizations are deploying new or updated code to production weekly, and almost 40% commit new code daily. Security teams struggle to keep pace with application developers to ensure all APIs are secure. In a recent report, 41% of organizations say that their security teams lack visibility and control in the development process, and 40% report new builds are deployed to production with misconfigurations, vulnerabilities and other security issues.

A Holistic, Agile and Modern Approach to Securing APIs

You can’t protect what you cannot find. Security teams need visibility across their potential API attack surface, which many of them don’t have. Although many may have multiple API security products in place, 92% of organizations experienced an API-related security incident last year.

In a perfect world, each API would be registered and monitored; however, that’s not the reality with the pace of the modern engineering ecosystem. As more cloud native applications are developed and deployed, the number of microservices and, in turn, the number of APIs grow and become increasingly difficult to monitor and secure.

Additionally, because APIs are increasingly exposed to the public, organizations must address data exposure risks by implementing best practices to minimize the attack surface, remediate vulnerabilities and prevent threats in real time without slowing down developers. Three practical approaches to API security focus on:

• API risk profiling: Due to the speed of application development, it’s challenging, without automation, to track risks associated with APIs. Risk profiling allows security teams to minimize the API attack surface and manage protection based on risk factors, such as misconfigurations, exposure to sensitive data and lack of authentication.
• Shifting left with application security: While you should monitor and inspect web applications and API traffic within production environments to detect risks, developers and security practitioners should strive to catch risks before applications are deployed into production. By shifting security left, vulnerabilities and misconfigurations can be fixed in real time while the developer is still building the application, which facilitates a more efficient and less costly resolution of security problems before the software is in production.
• Multiple layers of defense: Even if attackers circumvent one protection, you can keep them from compromising the entire environment without affecting additional resources. For cybersecurity practitioners, this is known as the “Swiss cheese paradigm.” In this analogy, the cybersecurity risk of a threat becoming a reality is mitigated by different layers and types of defenses that sit on top of one another to prevent a single point of failure. The top layer should include visibility and monitoring of the attack surface, which can auto-discover all web applications and API endpoints. The second layer should include policies for HTTP requests and API calls to block malicious threats. The third layer should include vulnerability and compliance scanning that implements strong authentication to further product applications. Lastly, teams should look to protect their workloads or the infrastructure layer, such as hosts, VMs, containers and serverless functions that host the applications. Together, these layers decrease the chances of a successful attack.

The complexities of today’s cloud native, API-centric web applications and the microservices they leverage are full of new security challenges that require strategies and solutions to complement conventional approaches to security while keeping developers top of mind. Developers and security practitioners should work together to find solutions that enable scalable, flexible, multilayered security that works for any type of workload in any environment or cloud architecture.