API security is constantly in the news. It seems as though every week companies are making headlines for all the wrong reasons. Last week, a Peloton API exposed rider information. The week prior, an Experian API exposed the credit scores of millions of Americans.
To truly address API security concerns, it’s critical to understand the context behind the rapid adoption of APIs, the types of API security vulnerabilities, and the strategic approach to resolving API security at scale.
First let’s understand why API security is such a hot topic right now.
Enterprises have been using APIs for decades, but there are several reasons why API security issues are top-of-mind:
When we hear the phrase “API Security”, it’s easy to over-simplify the problem and reduce it to external threats. But the reality is that attackers are only one of the threat vectors you need to consider when securing your APIs. In fact, as of this writing, to the best of our knowledge, neither the Peloton nor Experian API issues were linked to an external cyber attack.
Here are some of the other API security vulnerabilities you need to consider:
Oops! Sometimes mistakes are made. Whether it be a shadow API created to fix a critical customer issue overnight or a misconfigured policy on an API that didn’t require authentication, human error in the API lifecycle can create significant security risks.
Oof! Some things are out of your direct control, like outages or issues with partner integrations or vendor solutions. Mishaps can create a domino effect of unintended consequences. Often, there isn’t a person to point the finger at, but it’s just as critical to resolve mishaps that affect your APIs.
Ouch! There are bad actors out there who are intentionally looking to attack your APIs. Cyber attackers are particularly nefarious because they are aware of how common mistakes and mishaps are, and are constantly probing to discover and exploit them.
API security is complex. And simple solutions often only address a fraction of your API security challenges. Even if you are trying to address API mistakes, mishaps, and mischief, each of these have nuance and complexity to them as well. A holistic security strategy is required to eliminate API security risks. We call it D.A.R.T.
D.A.R.T. is Noname’s comprehensive API security strategy and stands for Discover, Analyze, Remediate, and Test. D.A.R.T. serves as both a lens to view API security challenges as well as a litmus test to measure the effectiveness of API security efforts and solutions. The D.A.R.T. API security strategy is only as strong as its weakest link so it is critical to excel across each area.
Discover refers to the ability to find and inventory all APIs. Enterprises manage thousands of APIs, and many of them are not routed through a proxy (e.g. API Gateway or WAF). APIs not routed through a gateway or WAF are not monitored, rarely audited, and are most vulnerable to mistakes, mishaps, and mischief. There are a few ways to discover a complete inventory of APIs, each with pros and cons. However, it’s most important to create a complete API inventory, otherwise you remain vulnerable.
Analyze refers to the ability to detect API anomalies, changes, and misconfigurations. It’s important for enterprises to analyze API access, usage, and behavior. Leveraging AI and ML for automated behavior analysis helps to identify issues in real-time. When considering your existing detection capabilities or those of an API security vendor, you must remember you will only be as effective as your ability to discover a complete inventory of APIs — after all, you can’t analyze what you can’t see.
Remediate refers to the ability to resolve detected anomalies and misconfigurations. There are several approaches to resolving API security issues, including blocking API attacks in real-time and integrating with existing remediation workflows and security infrastructure. It’s most important that each of your teams get the information and alerts they need to react immediately. Again, your ability to remediate is only as effective as your ability to discover and analyze APIs.
Test refers to actively testing your APIs to validate integrity before and after they are deployed to production. Many of the API security issues you’ve seen in the news could have been avoided entirely if thorough testing had been applied. In other words, you need to analyze your APIs and remediate issues while in development. This allows you to deploy APIs at the speed of your business with complete confidence and trust.
Noname Security modeled the Noname API Security Platform after the D.A.R.T. API Security Strategy and uniquely achieves these goals with a solution that sits completely out-of-band. That means you can Discover, Analyze, Remediate, and Test all your APIs without introducing new complexity or risk. No agents, no network modifications, no friction.
To learn more about the Noname API Security Platform and our approach to API security, please schedule a demo.