The growth of application programming interfaces (APIs) is exploding. Today, smaller applications exchange information and data using APIs, leading to increased complexity, much of which is invisible to the user. Together with our partner Imvision, we’re continuing our series of articles on how to take charge of API security.
We last discussed the developer’s perspective on API security and how building a team improves the security of APIs. In this article, we consider making API security part of an overall cybersecurity strategy to work for a whole company. Imvision hosted a panel discussion with security experts from IBM, Deloitte Consulting, Aston Martin and the logistics company Maersk. The discussion made it clear that the API economy presents a challenge all of its own.
Gabriel Maties, Senior Solution Architect for Maersk, compared APIs to doors leading into your company and urged caution. He said enterprises need to limit what doors are open and to stand guard on each one of them. Maersk was hit by a major cyberattack a few years back. According to Maties, that changed the DNA of the company to look at everything they do from a security-first perspective.
Moe Shamim, Deputy CISO of US Consulting at Deloitte, agreed that security needs to be the basis of every API management program. He suggested, “If you don’t have that base sorted out, you’re probably opening up more and more vulnerabilities”.
His approach is to look at the API lifecycle as a circle with four major phases: Plan, build, operate and retire. A common mistake is to neglect one of these phases. For example, incorrectly retiring APIs may leave outdated and unpatched holes, making it easy for attackers to penetrate your network, regardless of other security measures.
Tony Curcio, Director of Product Management at IBM, said that looking at three major roles in the API development process helps coordination and delivery: the developer of the API, the product management, and the actual API users. He emphasized that for each of these layers, security is fundamental and needs a holistic approach.
The session moderator, Robin Smith, Head of Cyber and Information Security at Aston Martin, wondered whether C-level executives understand this. He asked the panelists how to convince the board to give API security the required attention.
Itsik Mantin, Imvision’s security evangelist, suggested quantifying the financial impact of API security and shifting the board’s mindset towards a security-focused culture.
The other panelists were quick to agree. Gabriel Maties said the attack on Maersk made the company learn the hard way. Their strategy is now built around an approach he called adaptive threat detection. This involves sophisticated technology, including machine learning and behavioural analysis. The latter becomes necessary because attackers use the same technologies to adapt their attacks.
The panel offered suggestions about what to consider when designing API management and security. Maties said Maersk emphasizes Zero Trust, which is more of a norm now than it was a few years back. Moe Shamim agreed and also mentioned the need for a secure development lifecycle. Tony Curcio warned that API security is not to be taken lightly. He also pointed to the trend towards using containers in application development, which is still challenging for a lot of companies.
Specifically for API security, Itsik Mantin also brought another tool into the discussion: Threat modelling. The idea of threat modelling in this context looks at each API and evaluates and prioritizes applicable protection measures.
As a final thought, and one that not only the panel agreed on, but which should be the baseline in any cybersecurity strategy, Imvision urged companies to follow the five steps in the NIST framework: Identify, protect, detect, respond and recover.
To hear the entire discussion, follow this link.