Establishing consistency in security protocols is a challenge for any organization developing and implementing an application programming interface (API). Too often the security of an API becomes an impediment to bringing it to market in a timely manner. Judicious use of automation, however, can mitigate development delays and, at the same time, facilitate development. That was the focus of a panel of experts in November at the third executive education program from Imvision.
Moderator Michael Farnham, CTO at Set Solutions, introduced the session with a survey showing 64 per cent of existing controls are manual. Security executives from companies with 5,000 employees or more said organizations find manual controls more difficult the larger they are. They also agreed that it becomes more problematic when security personnel are scarce. Farnham said automation takes on low-level development to allow developers to deal with challenging areas that are just as vulnerable.
Automating security
Tishya Poteet, head of API lifecycle management at Wells Fargo, said her organization was massive, with 24,000 engineers supporting 5,000 applications and tens of thousands of APIs. “The goal of our efforts is to enable and automate security deeper into the development phases.”
Poteet said considering security upfront is crucial in the API first design. “Understand why we’re doing something. Who is it for? What is the value that it delivers and build that security end up front.” Wells Fargo looks for tools that automate bids and facilitate business and technology collaboration so that the right people are aware of what’s going on at any given point in a timely manner.
“We’re automating our API product intake process, allowing users to propose new APIs and define why,” she added. “We’ve enabled easy API discovery via a marketplace which allows for self-service API consumption and automated certificate provisioning.” In the Q&A she said stakeholders can see what APIs are available for reuse based upon their data needs. The tools can enforce standards and governance, incorporate approved patterns and security policies, and allow developers to just focus on what they do best.
“The auto-generation of specification, API proxy and auto-deployment saves a significant amount of time because developers don’t need to know how to generate, or how to use and configure, various CI/CD toolsets.”
The bulk of all data
Ravi Krishnan MuthuKrishnan, senior director of product security for Babylon Health, said APIs represent the bulk of data sources. “You have to protect how the data gets accessed and how people get authorized to get that data,” he explained. “The access surface is wider. It’s not just one gate call. It’s going to be multiple different calls so that access surface is really, really big.”
As API attacks have increased, API security has become foundational for development organizations in terms of delivering abstract knowledge, he said.
“If you look at the bold attacks, there are a number of different attack vectors that are fundamentally different from what you would see in a traditional web application. For example, rate limiting is something you wouldn’t really worry about when you’re building a monolithic application. But as you build APIs, that becomes key.”
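The rate-limiting point above in working code, as an added example that is not from the panel or from any of the companies named: a per-client token bucket (a burst of 3 requests and a sustained rate of 1 request per second, both assumed values) replayed over a constructed request trace, so the fourth request of a burst and a request that arrives before the bucket has refilled are refused with 429 while other clients are unaffected.

```python
"""Per-client token-bucket rate limiting for an API front end (added example)."""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float        # credits currently available to this client
    last_refill: float   # timestamp of the last refill calculation


@dataclass
class RateLimiter:
    capacity: int          # burst size: max requests accepted back to back
    refill_per_sec: float  # sustained rate: credits added per second
    buckets: dict = field(default_factory=dict)  # client id -> Bucket

    def allow(self, client_id: str, now: float) -> bool:
        """Return True if the request may proceed; the clock is injected
        so the decision is deterministic and testable."""
        b = self.buckets.get(client_id)
        if b is None:  # first request from this client: a full bucket
            b = Bucket(tokens=float(self.capacity), last_refill=now)
            self.buckets[client_id] = b
        elapsed = max(0.0, now - b.last_refill)
        b.tokens = min(float(self.capacity), b.tokens + elapsed * self.refill_per_sec)
        b.last_refill = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def replay(limiter: RateLimiter, requests):
    """requests: (timestamp, client_id, path) tuples in arrival order.
    Returns (client_id, path, http_status) per request."""
    return [(c, p, 200 if limiter.allow(c, t) else 429) for t, c, p in requests]


# Constructed trace: client "key-A" bursts, "key-B" sends one request,
# then "key-A" returns after partial refill. Client ids stand in for
# whatever the gateway keys on (API key, authenticated subject, ...).
SAMPLE_REQUESTS = [
    (0.0, "key-A", "/v1/accounts"), (0.1, "key-A", "/v1/accounts"),
    (0.2, "key-A", "/v1/accounts"), (0.3, "key-A", "/v1/accounts"),
    (0.3, "key-B", "/v1/accounts"), (1.5, "key-A", "/v1/accounts"),
    (1.6, "key-A", "/v1/accounts"),
]


def run_sample():
    """Statuses for the trace above; expected [200, 200, 200, 429, 200, 200, 429]."""
    limiter = RateLimiter(capacity=3, refill_per_sec=1.0)
    return [status for _, _, status in replay(limiter, SAMPLE_REQUESTS)]
```

Keying the bucket on (client, path) instead of client alone lets an expensive endpoint carry a tighter budget than the rest of the API.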
API success
He explained that an internal API can become popular with the development team. Over a period of time, the word goes out that there is an API that makes a developer’s job easier. Then a product manager sees its value in the external world and, just like that, it becomes commercialized. That’s when the security issues missed at the beginning of the API’s development become obvious, but at the end of the development cycle. He said it is best to discover the problems earlier.
On the issue of response to attacks, Moshe Zioni, VP Security Research for Apiiro, said securing APIs is almost impossible because of the sheer volume of them in a given system. Documenting incidents and responses is crucial for continued protection, along with logging and monitoring. “In website design, we have many ways to actively fingerprint attackers,” he said. “We have different ways to convey which attackers we are facing and what kind of attack is going on.” But not so much in API security.
“We are devising several approaches for active fingerprinting over API,” he concluded.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.