An application programming interface (API) allows software applications to interact with each other without the user knowing it’s happening. A simple financial transaction involves APIs in your phone, the server your phone is connected to, the servers of the bank and the vendor, the mobile phone network, the Wi-Fi connection and maybe a dozen more. APIs simplify our lives, but they also make us more vulnerable to cybercrime.
Euroconsumers, a consumer group in the EU, ran a project called The Hackable Home. The project demonstrated that security is not a priority for API developers. While legislatures look at laws regulating all manner of digital connections, it could be years before they are enacted. Kicking off an Imvision seminar series, Sandy Carielli, a Forrester Research senior analyst, said the industry needs to step up with collaboration between development operations and security, and adoption of effective tools.
“When we talk about application security, we need to start with the perspective of the developer,” she stated. If security professionals understand developers’ priorities, the risk is introducing processes, controls and tools that impede the flow so they don’t get adopted. “And we introduce a lot of friction into the process. And we don’t actually solve the problem.”
The primary goal of developers is getting products to market, she explained. According to Forrester’s own research, 23% of development leaders said a priority in the next year was to get products to market faster. But almost equal to that priority was the increasing use of DevOps tools and practices.
“This is an opportunity for us from a security standpoint. We can introduce security tooling that fits into that development operations (DevOps) environment, creating a development security experience that still allows development teams to get to where they need, while organically including security in that process.”
Data breaches have multiple causes, but in the past few years applications have become the most common attack vector, she stated. Forrester asked organizations how the (successful) attacks happened against them. Thirty-five per cent said software vulnerabilities are the top attack vector. Web application exploits were second.
“That really speaks to how important it is for us to make sure that we are enabling developers to implement application security.”
The good news, she said, was people are realizing this. “Application security is the top priority for security leaders in terms of tactical priorities over the next year. This is the second year it has been at the top.”
Application security is degrading
That’s the good news. The bad news is, “Application security isn’t what it used to be. Here’s where we talk about that progression from application security to API security. For 20 years when we thought of applications, they were large, monolithic pieces of code. We had a pretty good idea of where they sat, how they were controlled, and who controlled them. But there were still a lot of challenges in securing them.”
Carielli said the number of APIs in use, in development and still needed is out of control. “APIs are much more distributed than applications were. When we talk to developers, 23% of them said that their firms have public APIs. And 22% said that their firms had partner APIs or B2B APIs. The amount of data that APIs are exposing is just exploding.”
“More than a third of respondents to our surveys said they are exposing data from over half of their applications. That’s why APIs have become a significant target for attackers.”
APIs are critical for business success. They enable new business models, new ways to engage with customers and partners, and new revenue streams. So the solution, she said, isn’t to shut down APIs. “The solution is to understand the context, understand the scale and the spread of them, and implement the right controls in order to secure them and to collaborate cross-functionally.”
Challenges of API security
Some of the challenges with API security are authentication, authorization, rate limiting, and not being able to manage the data. She pointed out two examples in the same industry. “Peloton and Echelon make competing brands of exercise bikes that have an API component and a video component and interaction with the customer that offer a great customer experience. Both of those had leaky APIs that exposed customer account data. These APIs didn’t have the appropriate authorizations in place, and then someone is able to discover those and request access to data that they shouldn’t have.
“We’re also seeing along with that sometimes attempts to validate data client-side, where it’s not sufficient, rather than server-side, where it’s going to do more good. And that, coupled with the poor authorization, is leading to these additional API data leaks.”
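The failure mode Carielli describes, as an added example in Python that is not part of the seminar or this article: an account endpoint that authenticates the caller but never checks who owns the requested record, beside a handler that validates the id server-side and enforces the ownership check. The account store, the `Forbidden`/`BadRequest` exceptions and the handler names are constructed for illustration.

```python
"""Object-level authorization for an account endpoint: the leaky pattern
beside the corrected one. Added example; the data below is constructed."""

# Constructed sample data standing in for a connected-fitness account store.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com", "age": 34},
    1002: {"owner": "bob", "email": "bob@example.com", "age": 41},
}


class Forbidden(Exception):
    """Caller is authenticated but not allowed to see the requested object."""


class BadRequest(Exception):
    """Request failed server-side validation."""


def get_account_vulnerable(caller: str, account_id: int) -> dict:
    """Leaky handler: the caller is authenticated (we know who they are) but
    the record is looked up purely by id, so any valid id returns another
    customer's profile. This is the 'missing authorization' pattern."""
    return ACCOUNTS[account_id]


def parse_account_id(raw: str) -> int:
    """Server-side validation. A web or mobile client may also validate the
    id, but only this check can be trusted: the client is under the user's
    control and its checks can be skipped."""
    if not raw.isdigit() or len(raw) > 12:
        raise BadRequest(f"invalid account id: {raw!r}")
    return int(raw)


def get_account_secure(caller: str, raw_account_id: str) -> dict:
    """Hardened handler: validate input on the server, then enforce
    object-level authorization by comparing the caller to the record's owner.
    Unknown and foreign ids get the same response so ids cannot be probed."""
    account_id = parse_account_id(raw_account_id)
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != caller:
        raise Forbidden("account not accessible")
    return record


def demo() -> dict:
    """Show the same request ('alice' asks for account 1002) against both handlers."""
    outcomes = {"vulnerable_returns": get_account_vulnerable("alice", 1002)["owner"]}
    try:
        get_account_secure("alice", "1002")
        outcomes["secure_leaks"] = True
    except Forbidden:
        outcomes["secure_leaks"] = False
    outcomes["own_record"] = get_account_secure("alice", "1001")["owner"]
    return outcomes
```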
This is where the collaboration comes in. She said DevOps teams want better security, but not at the cost of efficiency. Security teams need to know where the APIs are, who’s managing them, what data they are handling, and where to put appropriate controls. “The role of security professionals is to clear the path for them to implement and introduce the security processes and controls that are going to allow them to protect their APIs, and get new products and features into customers’ hands, because that’s their goal.”
Carielli said raising up a security champion from within the DevOps team is the most efficient path. They have to be a developer first, but trained in basic API security principles. That champion can then raise questions during the development process rather than be an impediment to project completion. This creates a more collaborative process.
The first step in developing security champions is getting management buy-in with budget allocations. “A little bit of funding early on is going to make that a much more formal, official program that you can measure and improve over time.”
The next step is identifying the champion. “Some managers may pick someone with free time and say, ‘Congratulations, you are a security champion.’ He shows up at a meeting, doesn’t really know what’s going on, isn’t really interested in it, and it kind of fades out.” Carielli said that’s the wrong approach.
Instead, she suggests having a team event introducing security principles and seeing who shows an interest or aptitude. “Maybe roll back to an unpatched version and demonstrate how it could have been attacked. Invariably, you’re gonna see a couple of folks in the audience really dig into this and raise their hands and say, I want to be involved in that. That’s a really effective way of finding champions that are not only available but interested and committed and willing to invest more of their time.”
Carielli said that Forrester is seeing moves in that direction. “Security pros must enable the teams and make sure they are not introducing friction. Allow them to do their job, and they will allow us to do ours.”