
API Security: Providing A Common Thread Across Agency Environments

Dean Phillips

The deadline is approaching for U.S. government agencies to adhere to a Federal zero trust architecture (ZTA) strategy, as outlined in the 2022 Office of Budget Management (OMB) memorandum on Zero Trust cybersecurity principles. By the end of fiscal year 2024, agencies will be required to meet specific cybersecurity standards and objectives, according to the OMB memorandum (M-22-09).

As that deadline nears, I wanted to thread some thoughts together regarding Application Programming Interfaces (APIs) because they are everywhere and should be addressed throughout the government.

Federal agencies are increasingly relying on APIs to streamline operations, enhance efficiency, and facilitate communication between different systems. As the usage of APIs becomes ubiquitous in the federal sector, the need for robust API security measures becomes paramount. Let’s take a deeper dive.

M-22-09 mandates that agencies must operate dedicated application security testing programs, a key component of a comprehensive strategy to enhance API security. Application security testing involves the systematic evaluation of software applications, including APIs, to identify vulnerabilities and weaknesses that malicious actors can exploit. This proactive approach allows agencies to detect and remediate security issues before they can be leveraged for cyberattacks.

Furthermore, application security testing is aligned with industry regulations and compliance standards, such as the Federal Risk and Authorization Management Program (FedRAMP) and the National Institute of Standards and Technology (NIST) guidelines – both of which emphasize the importance of regular security assessments. By adhering to these standards, federal agencies can not only enhance their security posture, but also demonstrate their own compliance with regulatory requirements.

M-22-09 further mandates that agencies must utilize high-quality firms specializing in application security for independent third-party evaluation, which includes APIs. The involvement of external experts brings a fresh and objective viewpoint for uncovering potential blind spots that may have been overlooked during internal assessments.

Federal agencies operate diverse and interconnected IT ecosystems that include a multitude of applications and APIs. The complexity of these environments makes them susceptible to a wide range of security vulnerabilities. By implementing dedicated testing programs, agencies can systematically assess the security posture of their applications and APIs, addressing vulnerabilities at different layers of the technology stack.

But testing is not enough. For federal agencies operating in today’s increasingly interconnected and digital environment, robust API security is of paramount importance. Agencies should look to three essential components for securing APIs:

  • Providing visibility into agencies’ ecosystems.
  • Continuously monitoring for misuse and vulnerabilities.
  • Providing alerts and mitigation guidance.

As described in M-22-09, the OMB’s requirements also include recommendations for using HTTPS.

OMB Memorandum M-15-13 and DHS Binding Operational Directive (BOD) 18-01 currently require agencies to use HTTPS, the encrypted form of HTTP, across all internet-accessible web services and APIs. (M-22-09, page 14)

HTTPS is the secure version of HTTP, providing encryption and authentication to ensure the confidentiality and integrity of data exchanged between clients and servers. This mandate serves as a safeguard against cyber threats such as man-in-the-middle attacks, data interception, and unauthorized access. By enforcing HTTPS, agencies create a secure communication channel that protects data in transit from eavesdropping and tampering.

This is particularly crucial in the context of APIs, which often transmit sensitive data between different components of a system. However, HTTPS does not protect against the business logic vulnerabilities that malicious actors use to target APIs, and neither does the network hardware traditionally used to guard the perimeter.
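To make that distinction concrete, here is an added example (not Noname Security's code, and not drawn from M-22-09): a constructed account-lookup handler that is just as exposed over HTTPS as over plain HTTP because it never checks that the caller owns the requested object, beside a hardened version that adds that object-level check, followed by a small monitoring rule of the kind the "continuously monitoring for misuse" component above refers to, run over constructed access-log lines. The account store, session tokens, log format and alert threshold are all assumptions made for this example.

```python
"""Added example (not Noname Security's code): why HTTPS alone does not
address API business-logic flaws, plus a minimal misuse monitor.

Everything here is constructed for illustration: the account store, the
session tokens, the request handlers and the access-log lines."""
from collections import defaultdict
from typing import Optional

# Constructed data store: account_id -> (owner_user, balance)
ACCOUNTS = {
    1001: ("alice", 250.0),
    1002: ("bob", 80.0),
    1003: ("carol", 1200.0),
}

# Constructed session tokens -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def get_account_unchecked(token: str, account_id: int) -> Optional[dict]:
    """Weak handler: authenticates the caller but never checks that the
    caller owns the requested account. TLS protects this exchange in
    transit, yet any authenticated user can read any account."""
    user = SESSIONS.get(token)
    if user is None:
        return None  # equivalent of HTTP 401
    rec = ACCOUNTS.get(account_id)
    if rec is None:
        return None  # equivalent of HTTP 404
    return {"id": account_id, "owner": rec[0], "balance": rec[1]}


def get_account_checked(token: str, account_id: int) -> Optional[dict]:
    """Hardened handler: adds an object-level authorization check so the
    caller only receives accounts they own."""
    user = SESSIONS.get(token)
    if user is None:
        return None
    rec = ACCOUNTS.get(account_id)
    if rec is None or rec[0] != user:
        return None  # deny without revealing whether the id exists
    return {"id": account_id, "owner": rec[0], "balance": rec[1]}


# Constructed access-log lines: "<token> <method> <path> <status>"
ACCESS_LOG = """\
tok-alice GET /accounts/1001 200
tok-bob GET /accounts/1002 200
tok-bob GET /accounts/1001 200
tok-bob GET /accounts/1003 200
tok-bob GET /accounts/1004 404
tok-alice GET /accounts/1001 200
"""


def parse_log(text: str):
    """Yield (token, path, status) tuples from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the monitor
        token, _method, path, status = parts
        yield token, path, int(status)


def flag_enumeration(log_text: str, threshold: int = 3) -> dict:
    """Monitoring rule: report callers that touched at least `threshold`
    distinct /accounts/<id> objects. A legitimate user of this API reads
    only their own account, so breadth of object access is a misuse
    signal that transport encryption does nothing to hide or prevent."""
    seen = defaultdict(set)
    for token, path, _status in parse_log(log_text):
        if path.startswith("/accounts/"):
            seen[token].add(path.rsplit("/", 1)[1])
    return {tok: sorted(ids) for tok, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(get_account_unchecked("tok-bob", 1001))  # returns alice's record
    print(get_account_checked("tok-bob", 1001))    # None
    print(flag_enumeration(ACCESS_LOG))            # flags tok-bob
```

The point of the pairing is that nothing in the transport layer distinguishes the two handlers; the fix lives in the application's authorization logic, and the signal that something is wrong lives in API-level logs that a visibility and monitoring program has to collect and inspect.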

Both the Cybersecurity and Infrastructure Security Agency (CISA) and the Defense Information Systems Agency (DISA) created zero trust models – slightly different from each other, but generally in alignment. Over a year ago, our Solution Architect team analyzed both models and mapped Noname Security’s API security platform to the relevant pillars. Looking at all the places Noname Security intersects with both zero trust models, our work validates that a strong API security platform can have a meaningful impact on overall cybersecurity. API security is not merely a potential compliance requirement; it is a strategic imperative for federal agencies in the digital age.

Speaking of compliance, the Federal Information Technology Acquisition Reform Act (FITARA) has helped strengthen the management of government information technology. As part of the act, agencies are measured on performance in several broad categories, including cybersecurity as it relates to the Federal Information Security Modernization Act (FISMA). The FITARA scorecard at the end of fiscal year 2023 indicated that the FISMA portion was generally the lowest (except for scores related to moving to new contract vehicles). As we approach the end of fiscal year 2024 – the deadline for the new requirements identified in M-22-09 – I wonder how agencies will fare on their FISMA score, given the growing recognition of API vulnerabilities.

As federal agencies continue to leverage APIs to enhance their capabilities, a proactive and multi-faceted approach to API security is essential. By adhering to these principles and best practices, agencies can not only safeguard sensitive information, but also build a resilient and secure foundation for their digital operations. Noname Security provides a complete lifecycle API security platform, from development testing to visibility, monitoring, and mitigation. Noname is the industry leader and the only platform with an Authority to Operate in the government space. For agencies that want to improve security throughout their zero trust roadmap and positively impact their FISMA efforts, look to the dedicated team at Noname Security for help. You’ll be glad you did.