Co-authored by Raul Salagean
As more enterprises rely on the disparate data connections and scale of web applications and connected apps, application programming interface (API) security has become essential. Last year, adversaries started focusing more on APIs, and attacks grew more than 400%. Your enterprise must take a resilient approach to secure these increasingly valuable services.
Developers aren’t security experts
Today, most enterprises practice DevSecOps, which merges development, security, and operations. It serves as the backbone of the software supply chain.
However, these same enterprises believe that API security is the sole responsibility of developers and assume that they know all the tactics.
Organizations treat application security in the API development lifecycle as a one-time task, and testing often occurs only when the APIs are already in production, as part of a red team/blue team exercise or as penetration testing output.
API DevSec and Runtime SecOps must work together
At the heart of DevSecOps lies the interoperability between API DevSec and Runtime SecOps. API DevSec underpins the developmental phase, emphasizing the need for integrated security, while Runtime SecOps handles security during the API runtime phase. This comprehensive approach ensures security is not an afterthought but an intrinsic part of the entire API development process.
For your organization to achieve maturity, it’s essential to automate ongoing API maintenance. You need a solution or framework that reduces the risk surface and enhances the existing model, enabling your application security team to detect and remediate threats and flaws proactively.
The solution behind the solution
In the API DevSec phase, application security testing takes center stage. Various methodologies such as static and dynamic application security testing (SAST, DAST) shield APIs against potential threats. In Runtime SecOps, API security is the focal point, building upon the secure foundation established during the development phase. API DevSec and Runtime SecOps fortify your security mechanism and provide an enduring, robust layer of protection for APIs and their connected services.
This graphic illustrates everything you need to do during the API DevSec and Runtime SecOps phases.
Keep a list
Throughout both phases, keep your inventory of applications and their connected APIs up to date, covering legacy, current, shadow, and zombie APIs. This activity includes matching and filling the gaps between new and existing APIs from the development and operations teams. Make sure the CMDB is up to date, including any ghosted and hidden API endpoints you have discovered.
API DevSec activities:
Discover enterprise-wide APIs
API discovery is the most critical aspect of a strong API security posture because you can’t protect what you can’t see. APIs proliferate across the entire organization, driving seamless data communication to improve operational efficiencies, customer experiences, and business growth. This phase ensures that each API is automatically discovered and properly documented. API discovery is possible with:
- Proper API definitions (for example, OpenAPI or Swagger schemas).
- Developer directories or portals that catalog the APIs teams build.
- APIs registered on an API gateway or management platform.
APIs that are not covered by any of these sources can still be discovered manually.
Assess risks for in-flight APIs
In-development APIs—such as new microservices, extended APIs, new features, or new integrations—must be secured by assessing code quality, configurations, and environment defaults. SAST for APIs ensures that any microservices, serverless functions, or services being developed or enhanced are secure. Enterprises can use the OWASP API Security Top 10 as a starting point for assessment and then extend coverage to further vulnerability classes.
Match service contracts between development and operations teams
This is a transitional activity between DevSec and SecOps. It ensures that any undocumented API endpoints are not in production. Sometimes developers create hidden endpoints that help them quickly analyze and fix functionality issues, without realizing these endpoints could lead to data breaches.
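The contract-matching step described above, as an added example that is not from the original post and is not an OpenText Fortify or Eviden feature: a small Python script reconciles the documented service contract (a constructed OpenAPI fragment) against constructed API-gateway access-log lines. It reports shadow endpoints (paths with no documented template), documented paths reached with a method the contract does not list, and zombie templates that receive no traffic at all. The log line format, the inventory structure, and all path names are assumptions made for the example.

```python
"""Reconcile an API inventory (the service contract) against observed runtime traffic.

Added example, not part of the original post or of any vendor product.
The OpenAPI fragment and the access-log lines are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed OpenAPI 3 fragment standing in for the documented service contract.
CONTRACT = {
    "paths": {
        "/v1/users/{id}": {"get": {}, "delete": {}},
        "/v1/users": {"get": {}, "post": {}},
        "/v1/orders/{orderId}/items": {"get": {}},
        "/v0/legacy/export": {"get": {}},   # documented, but nobody calls it any more
    }
}

# Constructed access-log lines (method, path, status), as a gateway might emit them.
ACCESS_LOG = """\
GET /v1/users/42 200
GET /v1/users 200
POST /v1/users 201
GET /v1/orders/7/items 200
GET /v1/users/42/debug 200
GET /v1/users/42/debug 200
PATCH /v1/users/42 200
GET /internal/status 200
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def template_to_regex(template: str) -> re.Pattern:
    """Turn an OpenAPI path template like /v1/users/{id} into an anchored regex.
    Each {param} matches exactly one path segment, so /v1/users/42/debug
    does not match /v1/users/{id}."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


def build_contract_index(contract: dict) -> list:
    """Pre-compile the contract into (template, allowed_methods, regex) entries."""
    return [
        (template, {m.upper() for m in ops}, template_to_regex(template))
        for template, ops in contract["paths"].items()
    ]


def match_contract(index: list, path: str):
    """Return (template, allowed_methods) for a documented path, or None if undocumented."""
    for template, methods, rx in index:
        if rx.match(path):
            return template, methods
    return None


def reconcile(contract: dict, log_text: str) -> dict:
    """Classify observed traffic against the contract.

    shadow: (method, path) pairs with no documented path template.
    undocumented_method: documented path reached with a method the contract lacks.
    zombie: documented templates that never appear in the traffic sample.
    """
    index = build_contract_index(contract)
    seen_templates = set()
    shadow = defaultdict(int)
    undocumented_method = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # skip malformed lines rather than abort the whole run
        method, path = m["method"], m["path"]
        hit = match_contract(index, path)
        if hit is None:
            shadow[(method, path)] += 1
            continue
        template, methods = hit
        seen_templates.add(template)
        if method not in methods:
            undocumented_method[(method, template)] += 1
    zombie = sorted(set(contract["paths"]) - seen_templates)
    return {
        "shadow": dict(shadow),
        "undocumented_method": dict(undocumented_method),
        "zombie": zombie,
    }


if __name__ == "__main__":
    for kind, findings in reconcile(CONTRACT, ACCESS_LOG).items():
        print(f"{kind}: {findings}")
```

Each category maps to a different follow-up: shadow findings go to the owning development team to be documented or removed before release, undocumented methods are contract drift that the gateway should reject, and zombie templates are candidates for decommissioning and removal from the CMDB.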
Runtime SecOps activities:
Assess risks for APIs moving to production
Runtime analysis helps ensure that every business flow of interconnected APIs, and every standalone API, is free of vulnerabilities and data leakage. It also lets developers monitor for vulnerabilities throughout the lifecycle so they can remediate issues in time and make fixes early.
The API technology landscape is growing more complex with the addition of GraphQL and gRPC, which means security testing must become more exhaustive. Hence, the runtime security assessment of APIs becomes more crucial. Here too, enterprises can use the OWASP API Security Top 10 as a starting point and then extend coverage to further vulnerability classes.
Protect APIs that are in production
APIs are complex to analyze. So, blocking runtime API threats requires an understanding of the context of operations for each API, including access, usage, and behavior. Fortunately, automated AI and ML-based monitoring can conduct real-time traffic analysis and provide contextual insights into data leakage, data tampering, data policy violations, suspicious behavior, and API security attacks.
Use Fortify as your API security solution
OpenText Fortify is the perfect tool to help you execute each of these activities during API security phases:
- Automatically discover new and shadow API endpoints during testing and identify the breadth of endpoints with OpenAPI, Swagger, OData, or WSDL schemas.
- Gain support for virtually all types of bearer tokens and authentication implementations to safeguard any API.
- Rely on ever-expanding coverage of API-specific vulnerabilities, affecting areas such as bearer tokens or GraphQL introspection.
- Scale API testing with enterprise-grade orchestration delivered via SaaS, hosted, or off-cloud.
It’s time for more resilient APIs
Prioritizing API security within supply chain protection is paramount. It’s not just a security problem—it’s also a critical business issue. For 59% of enterprises, API security concerns have led to delayed rollouts.
In the context of DevSecOps and software supply chain security, API security isn't merely an optional feature. It's a necessary component you should integrate into the overall process. Fortify delivers comprehensive API security for any application, throughout the entire software development lifecycle.
Key resources
For more information on how OpenText Cybersecurity addresses comprehensive API discovery and testing for any application, visit our website and read our latest whitepaper. You can also check out our API discovery demo video.
For more information on how Eviden Managed Security Services (MSS) enhance cybersecurity with 24/7 threat monitoring, detection, and response, explore our website and check out our cybersecurity tech radar, which analyzes 150+ cybersecurity technologies, including application security, for a stronger security posture.
Authors:
Raul Salagean, Global Portfolio Manager, Cybersecurity, Eviden
Rohit Baryha, Solution Principal, Application Security, OpenText Cybersecurity