If you haven't read the news, Experian API exposed credit scores of most Americans and Peloton API shared rider’s private data.
The frequency and severity of these API security issues continue to grow, as does the impact to the business as well as to their customers. And in the cases of Experian and Peloton, there may not even have been malicious attackers — a simple misconfiguration of an API could make headlines. The bottom line is... time is up. Businesses need to do more to secure their APIs.
Let's start with the basics. APIs are the de-facto backend of any web app, mobile app, or B2B collaboration developed in the last seven years. The most popular user journeys and the most critical pipelines in your organization are most likely powered by APIs.
There is no doubt in my mind APIs are already the largest attack surface by an order of magnitude in enterprise organizations. The writing on the wall says we're just a few months away from API breaches being exploited with personal information of millions, if not billions, leaking out.
The fact that you have strong standards does not mean you're protected from API breaches. Relying on developers to not make mistakes because of standards and compliance is not a wise approach to security. In today's supercharged development velocity, it'll be near impossible to not make mistakes in development and deployment of APIs. Some of those mistakes will result in security vulnerabilities, especially when security takes a back seat to business goals.
An API gateway does not protect you from API breaches, just like a load balancer doesn't. Moreover, our testing in customer environments consistently finds 30% of APIs are not routed through a gateway. These APIs are not there because of bad intentions, they were just the right tool at the time to solve an immediate business challenge.
So let's take this big API problem and break it down into manageable pieces. We at Noname Security found that almost all API security issues can fall into one of three categories, APIs with in-code or in-design vulnerabilities, APIs that are misconfigured or misrouted, and APIs that are interacting with sensitive information that shouldn't.
By now I hope you're convinced you need a strategy.
D.A.R.T Strategy for API Security
It’s important to have an up-to-date inventory of all your APIs, the old and the new. For every API you need to know what type of sensitive data it is interacting with, who the owner is, how it is routed (internally or externally), what is the associated physical resource (instance id, server name etc.), and which app or business-unit it belongs to.
YOU NEED ALL FIVE, anything else will make you miserable, good luck finding out what is "/tbp/transact_v1" without the rest of it.
Noname's Discovery includes all of the above while having an out of band deployment with no agents, no side-cars, and no network modifications. Noname supports all API technologies, REST, SOAP, GraphQL, gRPC, and XML-RPC.
Data governance is the ability to control what type of sensitive data an app or business-unit is exposing via their APIs. The Black Friday discount campaign should not be sending out credit card information.
Visual User Journey & API Ergonomics
If the user has to go through ten API endpoints to get to their destination (whether it's information or an action they're after), it's not an ergonomic API environment. You're producing frustrated users, a large attack surface, and a cumbersome system to maintain. To understand the importance of API ergonomics think about Stripe compared to any other payment processor.
Noname's unique visual user journey provides detailed visualization to improve dev understanding of their apps, finding anomalous journeys, and improving API ergonomics.
Remember that debug API that your colleague brought up to print out the mobile app database? Neither does he, but turns out it's wide open to the internet and if an adversary finds it, all hell will break loose.
You need to know about internal APIs that are accidently open to the internet. You need to know about APIs with no rate limit or without authentication validation. Overall, there are more than a hundred different cases of misconfigurations you should look for and remediate.
Noname verifies more than a hundred different configuration policies across your hybrid environment and architecture. Remediation instructions are simple, clear and actionable.
You've heard about this one before, it's practically all you find when you look for API security. AI/ML anomaly detection, the cure to all your problems. So no, it isn't a silver bullet. AI anomaly detection for APIs is incredibly difficult and is only one piece of your API security strategy. Moreover, because the anomaly detection has to be online, only certain models and techniques can be used.
It's necessary because many vulnerabilities can be found using anomaly detection, however, if it's too noisy or inaccurate it becomes useless.
To understand if the solution you're examining has actual AI at all, have a thorough discussion about the models, dig deep, and ask exactly how it works.
We will go over Noname's unique approach to anomaly detection when you Schedule a Demo.
When a vulnerability or a misconfiguration has been reported via any detection mechanism, you need to act on it quickly. It's effective if vulnerabilities are aggregated and can be handled through a single workflow.
At Noname we've invested heavily into noise-reduction and alert only on actual problems. When an alert shows up, it's the one that requires attention.
With other solutions, in the red sea of false alerts, the one that actually requires your attention is not going to get it.
It's important to create active testing suites on APIs and apps to allow early discovery of vulnerabilities before they're deployed to production. In addition, immediate feedback to developers on potential security issues improves their future code safety.
Noname active testing suites allow early discovery of vulnerabilities in apps and APIs before they're deployed to production.
If API security is important to you and your business, I’d encourage you to get a demo of the Noname API Security Platform. You’ll never look at APIs the same way again!