API Security for DevSecOps

September 29, 2022

Matt Tesauro Distinguished Engineer

Post Featured Image

DevSecOps is a variant of DevOps that adds security to the software development workflow. Application Programming Interfaces (API) security needs to be part of DevSecOps. This article explores how DevSecOps works and the role that API security plays in making applications that result from DevSecOps as secure as possible.

What is DevSecOps?

To understand what DevSecOps is about, it’s first necessary to have a firm grasp on DevOps, the original paradigm on which DevSecOps piggybacks. DevOps refers to the combining of two previously separate processes, software development (Dev) and IT operations (Ops). Traditionally, developers wrote code and handed it off to IT ops for deployment into production. This worked fine in the era of waterfall-style development when it took months or even years to complete a new version of an application.

With the advent of agile development methodologies and continuous integration/continuous deployment (CI/CD) of code, the old Dev/Ops split was no longer viable. With agile and CI/CD, new code was being given to ops on a daily, if not hourly, basis to be released. 

The only way to get anything done without courting disaster was to unify the Dev and Ops workflows. The combined processes required a combined team. In DevOps, developers and operations people now collaborate easily on getting code out into production at a rapid clip. Not that this was a natural partnership. If anything, relationships between Dev and Ops teams tended to be strained, with a “throw it over the wall” mindset getting in the way of productivity. DevOps changed this dynamic, introducing a shared responsibility model. 

As cyber threats grew more serious, it made sense that security became part of the DevOps workflow. Thus, DevOps became DevSecOps. This was also the smoothing of what had sometimes been a strained relationship, with security acting as a “traffic cop” that decelerated the development process. DevSecOps represents a new way of working together. Security is now an enabler of faster—but secure—development cycles. 

Key Success Factors in DevSecOps

Achieving success in DevSecOps is not a simple proposition. DevOps involves the choreography of multiple teams and workflows, each in pursuit of its own goals. Getting the intricate orchestration of people and processes in DevSecOps to work requires a careful blend of tooling and processes. Technology has to support both sides meeting in the middle, making concessions on process. This includes leadership. 

In order to have success with DevSecOps, security has to adjust how they test to match the new CI/CD world. In turn, DevOps teams need to treat security issues with at least the same rigor as they treat functional issues. Indeed, less mature programs have security issues that grow old and die in the backlog. Success further requires a “shift left” strategy that places the security work at the earliest possible point in the DevOps workflow.

Securing APIs in DevSecOps Workflows

Securing APIs in DevSecOps requires API security testing during development and API monitoring once APIs are in production. API security testing is comparable to other forms of security testing in DevSecOps, but with some notable differences. For example, while static testing may be useful for discovering vulnerabilities in code, it is not effective at identifying all API vulnerabilities. 

Instead, API security testing for DevSecOps should focus on running “black box” type of tests using business logic. This approach reveals how APIs will actually work when the application is deployed. 

API security testing tools like Noname Active Testing can execute tests of this kind. It can detect vulnerabilities highlighted in the Open Web Application Security Project® (OWASP) API Top Ten security issues, e.g., Broken Object Level Authorization, Excessive Data Exposure, Lack of resources and Rate Limiting, Mass Assignment, and Security Misconfiguration. If these vulnerabilities are present and unmitigated, a malicious actor who attacks the API can gain unauthorized access to sensitive data. 

Noname Active Testing integrates into the CI/CD pipeline because of the highly configurable test suites it supports. It also enables a shift left style of testing with built-in integrations for multiple CI/CD systems. Between these two factors, the tool makes it possible to put the “Sec” into DevSecOps with regard to APIs. CI/CD integration is essential, as it enables the continuous, rapid API security testing needed to keep modern applications secure. 

API security for DevSecOps does not stop with development. The best practice is to continue the API security process into production. By monitoring APIs in production, the “Sec” part of DevSecOps can detect APIs that have slipped into a state of vulnerability, e.g., by being reconfigured or misconfigured by an admin in production. Once detected, the API vulnerability can be remediated as part of the DevSecOps workflow. 

Conclusion

DevSecOps can be challenging to implement. It requires a lot of people and processes to be well aligned so everyone and everything can move along at a brisk pace. API security has the potential to complicate DevSecOps and disrupt its smooth operation. However, API security testing is critical for the development of secure applications. To make API security work well with DevSecOps, it is necessary to use specialized API security testing and monitoring tools. 

To learn more about API security and the Noname API Security Platform, please schedule a demo.