By Doug Dooley, COO, Data Theorem
The short-lived and dynamic nature of microservices that power modern applications makes traditional security practices – much of which have been manual – ineffective. Instead, organizations must adopt modern security practices and automation to secure application programming interfaces (APIs) with necessary techniques, catch security incidents before they become critical, and alert appropriate engineers in as close to real-time as possible.
Many companies are overwhelmed by how many security threats are looming and worry their already overworked team of engineers won’t be able to handle API security on top of meeting the demands of customers and the organization. An API security framework starts with three fundamental parts to help — creating security policies, enforcing policies, and managing risk.
Just as DevOps was created to remove the barriers between developers and operations folks, DevSecOps exists as a reminder that security is an essential part of DevOps and should be injected into key phases of the software development life cycle (SDLC). DevSecOps processes improve security and enable teams to rapidly iterate and constantly improve their systems.
Following this model, here are 10 Tips organizations can take to secure their APIs:
Migrating to the cloud: The cloud provides endless opportunities for growth, often through APIs. The cloud-driven API economy provides more opportunities for security vulnerabilities — make APIs a critical piece of the system to secure.
Securing APIs: Authentication, authorization, encryption, availability, and auditing are the pillars of security. They should be applied to all publicly facing APIs that could lead to data exposure on the open Internet.
Adopting DevOps: DevOps is a methodology intended to create high-velocity teams that emphasize collaboration, develop a learning culture, and share ownership. Securing APIs isn’t an overnight process, and the DevOps principle of continuous improvement is something critical to a team’s success in securing their applications.
Shifting security left: DevSecOps merges security with the fundamentals of DevOps and seeks to move security left in the software development life cycle, meaning test and fix security early and often.
Diving into security threats: APIs face nearly endless security threats. Be sure to shield and validate API parameters, encrypt data in transit, authenticate and authorize users, remove identifying information from URLs, and utilize modern TLS cryptography.
Moving beyond tradition: Traditional API gateways and web application firewalls (WAFs) are useful, but offer limited security defense against sophisticated attacks on distributed systems. Shadow APIs are a new class of assets that are being used by applications and services, but by their nature they lack any security policy oversight, especially those Shadow APIs built in the cloud.
Authenticating users: Always confirm users are who they appear to be through authentication. Then ensure those users have authorization to access specific data. Authentication without authorization leaves business open to security threats.
Securing CI/CD: Initiate security checks at every stage of the CI/CD release pipeline. If a developer checks code in a new environment or releases it to a new environment, confirm that the code and tools are secure.
Responding to incidents: Automation and telemetry help catch security incidents as they’re occurring and respond appropriately. Create playbooks to enable engineers to respond to incidents. Automating playbooks can lead to auto-remediation for critical areas of APIs and applications.
RESTing on HTTP: Make sure all APIs — GraphQL, REST, SOAP — utilize the standardized HTTP methods of GET, POST, PUT, and DELETE.
Protecting APIs with automation creates more secure systems and enables teams to validate their API security at every stage of the process. Organizations should integrate security tools for the CI/CD pipelines, mobile apps, and API security. Look for tools that integrate well with the environment, infrastructure, and other management systems.
Plenty of third-party vendor tools help manage API security challenges. Choose tools that work well with the current technology stack and infrastructure choices, address the security issues your organization is most concerned about, and have a user interface that’s comfortable for engineers. Continuous discovery, automated analysis, and runtime active protection of APIs are also critical capabilities the best API security tools offer today.
Being 100 percent secure is impossible. We face too many “unknown unknowns,” constant changes to systems, and ever evolving advanced threats to be able to harden ourselves to every possible exposure. Instead, we need to focus on the most critical aspects of the system, including customer data, regulation and compliance requirements, and the services that supply business with the most revenue.