Understanding the fabric of your API deployment
Over the past year, Noname Security has been evangelizing this idea of the API Estate. Today, I want to share more details of what we mean when we say, “API Estate.”
One definition of estate I found is, "The degree, quantity, nature, and extent of interest that a person has in real and personal property." When we talk about the API Estate, we mean the degree, quantity, nature, and extent of interest that APIs hold in the computing environment. With APIs now estimated to account for over 80% of all HTTP traffic, that estate has become massive.
Now consider the spectrum of tools that touch API security today: API gateways, load balancers, web application firewalls, authentication systems, testing tools, code analysis, and traffic analysis tools. Each can play a part in securing APIs, but most of them were designed well before the proliferation of APIs, and their core functionality has little or nothing to do with API security. Load balancers, for example, route plenty of traffic that has no relevance to APIs, and API gateways exist to speed implementation and facilitate ongoing API management. These are important functions (and likely the primary justification for purchasing these tools), but they are separate from any security requirement. Security is not the primary focus of these vendors.
On the other hand, the Noname API Security Platform considers and respects the complete API estate. Unlike any other API security product, the Noname API Security Platform integrates with and analyzes everything that impacts the security of APIs, including the elements listed below.
Elements of the API Estate:
- API gateways
- Web application firewalls
- Load balancers
- API network traffic
- Code
- Routing
- Sensitive data types
- Microservices
- Encryption
The bubble chart below is my graphical representation of the API estate. It is complex and is likely to become even more so in the coming years. Still, it is a good place to start as you consider how to approach your API security strategy.
A holistic API security strategy like D.A.R.T. (Discover, Analyze, Remediate, and Test) considers every component of your API estate. Focusing solely on specific technologies or security processes such as network monitoring, API gateways, or testing will leave gaps in your API security fabric, and those gaps could lead to the compromise of customer records, sensitive data, or proprietary information, or even to unsafe physical conditions (given how many IoT devices are controlled through APIs). When evaluating the security of the API estate, it is extremely important to consider all of its components and all of the principles of your API security strategy.
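To make the "gap" argument concrete, here is an added example (not code from the original post and not Noname's product logic) of the Discover step: comparing what an API gateway believes it is fronting against what actually shows up in network traffic. The gateway inventory, the access log lines, and the list of sensitive-data path tokens are all constructed for this illustration; a real deployment would export the inventory from its gateway configuration and feed real logs.

```python
import re
from collections import defaultdict

# Constructed sample: the route templates the API gateway is configured to expose.
# (Assumption: in practice this would be exported from the gateway's config.)
GATEWAY_INVENTORY = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
}

# Constructed sample access-log lines in a combined-log-like format; not from a real system.
TRAFFIC_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2023:10:00:02 +0000] "POST /api/v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [01/Mar/2023:10:00:03 +0000] "GET /api/v1/users/42/ssn HTTP/1.1" 200 64
10.0.0.9 - - [01/Mar/2023:10:00:04 +0000] "GET /internal/debug/env HTTP/1.1" 200 2048
10.0.0.5 - - [01/Mar/2023:10:00:05 +0000] "GET /api/v1/users/17 HTTP/1.1" 200 510
10.0.0.3 - - [01/Mar/2023:10:00:06 +0000] "GET /static/logo.png HTTP/1.1" 200 10240
"""

# Pull method, path and status out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Rough indicators that a path segment names sensitive data.
# (Assumption: a constructed list, not any product's data-type taxonomy.)
SENSITIVE_PATH_TOKENS = ("ssn", "password", "token", "card", "secret", "env")


def normalize_path(path):
    """Drop the query string and collapse numeric segments to {id},
    so /users/42 and /users/17 fold into one route template."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def discover_endpoints(log_text):
    """Return {(method, route_template): hit_count} for requests that look like API calls."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        # Skip obvious static assets; everything else is a candidate API route.
        if re.search(r"\.(png|jpg|css|js|ico)$", path):
            continue
        counts[(m.group("method"), normalize_path(path))] += 1
    return dict(counts)


def find_gaps(observed, inventory):
    """Split observed routes into those the gateway knows about and shadow routes it does not."""
    known = {k: v for k, v in observed.items() if k in inventory}
    shadow = {k: v for k, v in observed.items() if k not in inventory}
    return known, shadow


def flag_sensitive(endpoints):
    """Return, sorted, the routes whose path has a segment matching a sensitive-data token."""
    return sorted(
        (method, path)
        for (method, path) in endpoints
        if any(tok in path.lower().split("/") for tok in SENSITIVE_PATH_TOKENS)
    )


if __name__ == "__main__":
    observed = discover_endpoints(TRAFFIC_LOG)
    known, shadow = find_gaps(observed, GATEWAY_INVENTORY)
    print("Known to gateway:", known)
    print("Shadow endpoints (seen in traffic, absent from gateway):", shadow)
    print("Shadow endpoints touching sensitive data:", flag_sensitive(shadow))
```

On the constructed data, the gateway-only view sees two healthy routes, while the traffic view surfaces two shadow routes, one of which exposes a sensitive field and one of which is an internal debug path; neither component alone tells the whole story, which is the point of looking across the estate.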
To get more insights on D.A.R.T., download the eBook here.