API security is constantly in the news. It seems as though every week companies are making headlines for all the wrong reasons. Last week, a Peloton API exposed rider information. The week prior, an Experian API exposed the credit scores of millions of Americans.
To truly address API security concerns, it’s critical to understand the context behind the rapid adoption of APIs, the types of API security vulnerabilities, and the strategic approach to resolving API security at scale.
First let’s understand why API security is such a hot topic right now.
API Security: Why Now?
Enterprises have been using APIs for decades, but there are several reasons why API security issues are top-of-mind:
Enterprises are more dependent on APIs than ever before. Every application and service is only as fast and secure as the APIs that power it. Companies have a lot of APIs, and each API can be exposed to hundreds or thousands of other APIs and services. Business-critical and private information is shared across APIs, so when APIs aren’t secure, businesses and their customers can be negatively impacted.
API usage pre-dates API security standards and best practices. Most companies started using APIs long before they had AppSec teams, used API Gateways, and followed the best practices outlined in the OWASP API Security Top 10 (released in November 2019). In other words, APIs can come with technical debt. And if your business continues to build on top of legacy APIs with unaddressed vulnerabilities or misconfigurations, it’s only a matter of time before fate rears its ugly head.
Adoption of cloud technologies accelerates the need for APIs. A huge benefit of moving to the cloud is the speed at which technology can be deployed. This has accelerated the need to move data in and out of the physical data center, to the cloud, and between cloud environments — all via APIs. The speed at which virtual devices (like load balancers, gateways, firewalls, and routers), operating systems, applications, and containers are deployed creates yet another set of challenges for security teams. The dynamic nature of the cloud environment makes it possible for a new device to expose existing, secured APIs over unsecured paths to the internet.
Exponential growth of APIs outpaces traditional means to manage and secure them. This is probably the most significant point. Most large enterprises have thousands of APIs that they know about, and many more that they don’t — these are referred to as shadow or rogue APIs. Existing infrastructure, like API Gateways and WAFs, doesn’t solve the shadow API problem. And businesses continue to deploy APIs with solutions that don’t fully address all modern threats and vulnerabilities.
Types of API Security Threats and Vulnerabilities
When we hear the phrase “API Security”, it’s easy to over-simplify the problem and reduce it to external threats. But the reality is that attackers are only one of the threat vectors you need to consider when securing your APIs. In fact, as of this writing, to the best of our knowledge, neither the Peloton nor Experian API issues were linked to an external cyber attack.
Here are some of the other API security vulnerabilities you need to consider:
Oops! Sometimes mistakes are made. Whether it be a shadow API created to fix a critical customer issue overnight or a misconfigured policy on an API that didn’t require authentication, human error in the API lifecycle can create significant security risks.
Oof! Some things are out of your direct control, like outages or issues with partner integrations or vendor solutions. Mishaps can create a domino effect of unintended consequences. Often, there isn’t a person to point the finger at, but it’s just as critical to resolve mishaps that affect your APIs.
Ouch! There are bad actors out there who are intentionally looking to attack your APIs. Cyber attackers are particularly nefarious because they are aware of how common mistakes and mishaps are, and are constantly probing to discover and exploit them.
Holistic Approach to API Security
API security is complex, and simple solutions often address only a fraction of your API security challenges. Even if you are trying to address API mistakes, mishaps, and mischief, each of these has its own nuance and complexity. A holistic security strategy is required to eliminate API security risks. We call it D.A.R.T.
D.A.R.T. API Security Strategy
D.A.R.T. is Noname’s comprehensive API security strategy and stands for Discover, Analyze, Remediate, and Test. D.A.R.T. serves both as a lens through which to view API security challenges and as a litmus test to measure the effectiveness of API security efforts and solutions. The D.A.R.T. API security strategy is only as strong as its weakest link, so it is critical to excel across each area.
Discover refers to the ability to find and inventory all APIs. Enterprises manage thousands of APIs, and many of them are not routed through a proxy (e.g. an API Gateway or WAF). APIs not routed through a gateway or WAF are not monitored, rarely audited, and are most vulnerable to mistakes, mishaps, and mischief. There are a few ways to discover a complete inventory of APIs, each with pros and cons. Whichever you choose, a complete API inventory is essential; otherwise you remain vulnerable.
Analyze refers to the ability to detect API anomalies, changes, and misconfigurations. It’s important for enterprises to analyze API access, usage, and behavior. Leveraging AI and ML for automated behavior analysis helps to identify issues in real-time. When considering your existing detection capabilities or those of an API security vendor, you must remember you will only be as effective as your ability to discover a complete inventory of APIs — after all, you can’t analyze what you can’t see.
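As an added example (not Noname’s code or a description of its platform), the script below shows the Discover and Analyze steps in miniature: it compares a constructed JSON-lines gateway log against a constructed API inventory, surfacing shadow endpoints that serve traffic without being in the inventory and the unauthenticated-access misconfiguration mentioned under mistakes above. The inventory shape, the log fields, and the function names are all assumptions.

```python
import json

# Constructed inventory, in the spirit of an OpenAPI "paths" section (assumption):
# the endpoints the team knows about and the auth policy each is supposed to enforce.
INVENTORY = {
    "/api/v1/users/{id}": {"methods": {"GET"}, "auth_required": True},
    "/api/v1/rides":      {"methods": {"GET", "POST"}, "auth_required": True},
    "/api/v1/health":     {"methods": {"GET"}, "auth_required": False},
}

# Constructed JSON-lines log as a gateway or load balancer might emit it (assumption).
SAMPLE_LOG = """
{"method": "GET", "path": "/api/v1/users/123", "status": 200, "has_auth": true}
{"method": "GET", "path": "/api/v1/users/456", "status": 200, "has_auth": false}
{"method": "POST", "path": "/api/v1/rides", "status": 201, "has_auth": true}
{"method": "GET", "path": "/api/v1/health", "status": 200, "has_auth": false}
{"method": "GET", "path": "/api/v1/export/all", "status": 200, "has_auth": false}
{"method": "DELETE", "path": "/api/v1/rides", "status": 405, "has_auth": true}
"""

def _match(template, path):
    """True if a concrete path fits an inventory template such as /users/{id}."""
    t, p = template.strip("/").split("/"), path.strip("/").split("/")
    return len(t) == len(p) and all(a == b or a.startswith("{") for a, b in zip(t, p))

def lookup(path, inventory=INVENTORY):
    """Return (template, policy) for a path, or None if it is not in the inventory."""
    for template, policy in inventory.items():
        if _match(template, path):
            return template, policy
    return None

def audit(log_text, inventory=INVENTORY):
    """Compare observed traffic with the inventory; return findings as sorted, deduplicated lists."""
    found = {"shadow": set(), "unlisted_method": set(), "auth_bypass": set()}
    for line in filter(None, (raw.strip() for raw in log_text.splitlines())):
        rec = json.loads(line)
        served = 200 <= rec["status"] < 400   # rejected requests (4xx/5xx) are not exposure
        key = (rec["method"], rec["path"])
        hit = lookup(rec["path"], inventory)
        if hit is None:
            if served:                        # traffic served by an endpoint nobody inventoried
                found["shadow"].add(key)
        else:
            _, policy = hit
            if served and rec["method"] not in policy["methods"]:
                found["unlisted_method"].add(key)
            if served and policy["auth_required"] and not rec["has_auth"]:
                found["auth_bypass"].add(key)  # policy says auth required, request had none
    return {k: sorted(v) for k, v in found.items()}
```

Running `audit(SAMPLE_LOG)` flags `/api/v1/export/all` as a shadow endpoint and the unauthenticated `GET /api/v1/users/456` as an auth bypass, while the rejected `DELETE` is not reported.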
Remediate refers to the ability to resolve detected anomalies and misconfigurations. There are several approaches to resolving API security issues, including blocking API attacks in real time and integrating with existing remediation workflows and security infrastructure. It’s most important that each of your teams gets the information and alerts it needs to react immediately. Again, your ability to remediate is only as effective as your ability to discover and analyze APIs.
Test refers to actively testing your APIs to validate their integrity before and after they are deployed to production. Many of the API security issues you’ve seen in the news could have been avoided entirely if thorough testing had been applied. In other words, you need to analyze your APIs and remediate issues while they are still in development. This allows you to deploy APIs at the speed of your business with complete confidence and trust.
Noname Security modeled the Noname API Security Platform after the D.A.R.T. API Security Strategy and uniquely achieves these goals with a solution that sits completely out-of-band. That means you can Discover, Analyze, Remediate, and Test all your APIs without introducing new complexity or risk. No agents, no network modifications, no friction.
To learn more about the Noname API Security Platform and our approach to API security, please schedule a demo.