Application programming interfaces changed the way developers work by expediting and facilitating several core aspects of the process, from feature addition to new language localization.
However, as the enterprise navigates today’s atmosphere of magnified cybersecurity threats, securing APIs effectively requires an approach distinct from the one applied to the other assets in an organization’s digital infrastructure.
“The more critical APIs become, the more important it is to look at the API as really a unique class of assets,” said Karl Mattson (pictured), chief information security officer at Noname Security. “Because the security controls we employ — from configuration management and asset management to application security, both testing and protection, like endpoint detection and response — and the platforms that we use to control our environments, they’re poorly suited for APIs. We have to have controls and technologies in place and skilled teams that can really hone in on those controls that are unique to the API.”
Mattson spoke with theCUBE industry analyst John Furrier at the “Cybersecurity — Detect and Protect Against Threats” event, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the novel security approaches for APIs that have become imperative given the new threat landscape. (* Disclosure below.)
New approaches, skills and resources are required
APIs have assumed a much larger role, having made the jump from edge use-case utility to crown jewel asset. Thus, as an organization’s reliance on them increases, it must secure APIs as a focal point within its development infrastructure, according to Mattson.
“We’ve taken a new look at the API, looking at it from a full life cycle perspective,” he explained. “It isn’t news that APIs are a software asset that needs to be tested for security, vulnerabilities and security testing prior to moving into production. But the reality is the API security exposures that are hitting the news almost every day, a lot of those things have to do with things like runtime errors and misconfigurations or changes made on the fly, because APIs are changed very rapidly.”
Not only has Noname Security itself adopted a holistic, life-cycle approach to API security, but it’s the only way to effectively and robustly safeguard APIs from external attacks in the long run, according to Mattson.
“In order for us to counter API risks, we have to look at the full life cycle from the moment the developer begins coding at the source code level, through the testing gates and to the operational configuration,” he said.
Why securing APIs is harder now
Securing APIs is more pertinent now than ever before largely because the way they are used today differs from the early days, according to Mattson.
“With the APIs that we had 8, 10 years ago, most of those were internally facing APIs,” he explained. “And so, there were a lot of elements of the API design that we would not have put in place if we had intended that to be public facing. We get away with a little bit of sloppy hygiene when it’s internal to the network, but now that we’re exposing those APIs and we’re publishing APIs to the world, there’s a degree of precision required. The stakes are just much higher.”
Another reason for today’s increased API vulnerability lies with the enterprise’s heavy reliance on them at the infrastructure layer, according to Mattson.
“You think about AWS, for example; most of the workloads in the modern cloud, they communicate and talk via API,” he said. “And so even if they’re internally facing APIs, misconfigurations can occur and they could be public facing or they could be compromised. We want to look at all of the facets of APIs because now there’s so much at stake with getting API security right.”
Additionally, the scope of preemptively securing APIs has widened far beyond just looking at the source code for potential issues, Mattson added.
“IBM’s research survey last year estimated that 60% of all API breaches are due to misconfiguration, not to source code design. And so that’s really where we have to marry the two of the runtime protection configuration management and source code testing and design,” he said.
Thus, keeping these crown jewel assets as secure as possible should involve steps like discovery, footprint analyses, observability and inventory, Mattson concluded.
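One concrete way to tie the runtime side (discovery, inventory, observability) to the design side (what the source code and its spec declare) is to reconcile an API inventory against observed traffic. The script below is an added example written for this page, not code from the article or from Noname Security. It assumes an OpenAPI-style spec dict and a simple "METHOD path status" access-log format; the spec, the log lines and every path in them are constructed for illustration.

```python
"""Reconcile an API inventory against observed runtime traffic.

Added example, not from the article or Noname Security. The OpenAPI-style spec
shape, the log format and every path below are constructed for illustration.
"""
import re

# Constructed inventory: what developers declared, OpenAPI-style. There is no
# top-level 'security' block, so an operation with no 'security' key inherits none.
DECLARED_SPEC = {
    "paths": {
        "/v1/users/{id}": {"get": {"security": [{"bearerAuth": []}]}},
        "/v1/orders": {
            "get": {"security": [{"bearerAuth": []}]},
            "post": {},                      # requirement never declared: a config gap
        },
        "/v1/health": {"get": {"security": []}},  # explicitly public by design
    }
}

# Constructed access log: "<METHOD> <path> <status>" per line. Not real traffic.
ACCESS_LOG = """\
GET /v1/users/42 200
GET /v1/users/43 200
POST /v1/orders 201
GET /v1/health 200
GET /v1/admin/export 200
DELETE /v1/users/42 405
GET /v1/internal/debug 200
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def template_to_regex(template):
    """'/v1/users/{id}' -> regex that matches one concrete segment per {param}."""
    parts = [
        "[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
        for seg in template.split("/")
    ]
    return re.compile("^" + "/".join(parts) + "$")


def build_inventory(spec):
    """Flatten the spec into rows of (method, template, regex, security_state)."""
    global_sec = spec.get("security", [])
    rows = []
    for template, ops in spec["paths"].items():
        rx = template_to_regex(template)
        for method, op in ops.items():
            if "security" not in op:
                # Absent key inherits the global requirement (OpenAPI semantics).
                state = "authenticated" if any(global_sec) else "no requirement declared"
            elif any(op["security"]):
                state = "authenticated"
            else:
                state = "explicitly public"   # security: [] overrides to none
            rows.append((method.upper(), template, rx, state))
    return rows


def parse_log(text):
    """Yield (method, path, status) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["method"], m["path"], int(m["status"])


def reconcile(spec, log_text):
    """Return the three findings a life-cycle review needs:
    shadow:          served (status < 400) but absent from the inventory
    unauthenticated: in the inventory with no auth requirement
    unexercised:     in the inventory but never observed at runtime"""
    inventory = build_inventory(spec)
    shadow, seen = set(), set()
    for method, path, status in parse_log(log_text):
        hit = next((r for r in inventory if r[0] == method and r[2].match(path)), None)
        if hit:
            seen.add((hit[0], hit[1]))
        elif status < 400:
            shadow.add((method, path))      # only successful responses count as exposure
    unauthenticated = {(m, t, s) for m, t, _, s in inventory if s != "authenticated"}
    unexercised = {(m, t) for m, t, _, _ in inventory} - seen
    return {
        "shadow": sorted(shadow),
        "unauthenticated": sorted(unauthenticated),
        "unexercised": sorted(unexercised),
    }


if __name__ == "__main__":
    for kind, items in reconcile(DECLARED_SPEC, ACCESS_LOG).items():
        print(kind)
        for item in items:
            print("  ", " ".join(item))
```

Run against the constructed data, the script reports two shadow endpoints that serve traffic without appearing in the inventory, one operation whose spec never declares a security requirement (distinct from the health check, which is explicitly public), and one documented operation that runtime traffic never exercises. Treating only sub-400 responses as evidence of exposure keeps a rejected DELETE from being counted as a live endpoint; in practice the spec would come from the repository at the testing gate and the log from the gateway, so drift between the two surfaces as a finding rather than as a breach.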
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the “Cybersecurity — Detect and Protect Against Threats” event:
(* Disclosure: Noname Security sponsored this segment of theCUBE. Neither Noname Security nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)