Categories
Community

Taking a Proactive, Governance-Based Approach to API Security

Security breaches are among the greatest threats confronting enterprises today, and application programming interface (API) abuse is typically central to the attacks. For that reason, API governance is critical to the success of any digital business.

Security breaches are among the greatest threats confronting enterprises today, and application programming interface (API) abuse is typically central to the attacks. For that reason, API governance is critical to the success of any digital business.

Ensuring that governance results in a long-term stabilizing strategy requires following strategic API security, monitoring, and open cultural practices.

Common Errors

Just knowing when something is not right with a system or that a bug requires fixing isn’t enough knowledge to make informed decisions about security. What is required is a keen understanding of the health of a specific project throughout its entire life cycle. This includes knowing its current state, having proper visibility into the traffic running through apps and infrastructure, and recognizing error patterns – and being able to act upon any issues before they impact the customer experience.

When it comes to APIs Lifecycle and management, we’ve discussed it in great detail in this workshop recording that can be found here.

The problem with most enterprises in this regard is that they tend to be project- instead of product-driven; budgets and deadlines are tied to delivering features rather than holistically examining a product and its capabilities. This, coupled with the failure to see APIs as adding value, are why many brands have failed in their API journeys and digital transformation. They’ve simply lost sight of the return on investment (ROI) properly governed APIs can deliver.

As a result, these enterprises leave API security to the end of its life cycle when regression tests are run to determine whether it is working properly, declaring it “secure” if it passes a confined set of tests. It is a last-mile mindset that is behind the daily reports of personal healthcare data, payment information, and billing address breaches – and why API security must be everyone’s responsibility at every stage of the life cycle and built into the product design itself. 

Governance can work only when API security is considered at the outset and supported with the proper tools to ensure the team is prepared to stave off attacks from every angle.

Creating a Governance Mindset

The first step toward effective API governance is to create an organization-wide mindset rather than having it rest solely with those who develop processes. Governance must go beyond ensuring that a specific set of projects functions in a certain way and adds value. Transformational success requires continuous feedback that bridges the gap between the consumer and provider.

Adopting a dedicated API management platform to automate API security best practices throughout the API life cycle is a smart way to automate many aspects of governance. Doing so provides a top-down approach that leverages a powerful security toolkit and knows what questions to ask and when. 

Among the questions required for governance in the API are:

  • Why do I need this API?
  • Who are my API’s consumers?
  • What are consumer’s usage patterns?
  • Do they need this API?
  • What is the behavioral design for this API?
  • What is my ROI?
  • Does this API add value to my consumers?
  • How is this API being integrated with my partners?
  • Which devices are calling this API
  • What barriers are there for people to access this API?
  • How could my APIs be compromised?
  • What is being cached on local browsers?
  • How many retries are permitted when trying to access your API?

When and How to Pose Questions

When a company is scaling, taking a manual approach to continually asking and answering these critical questions becomes far too error-prone to be effective. It becomes too easy to lose track of data and too tempting to cut corners to meet deadlines. Thus, API security needs to be built into API modeling – in both test-driven design and communications with every aspect of the business.

For example, information must be continuously evaluated to determine if it is sensitive, as API governance has different security policies for internal APIs, external APIs, open-source APIs, and partner APIs.

Leaving monitoring of sensitive information in the hands of API analysts, who are tasked with building an API specification under OpenAPI, is a mistake as their focus is solely on the user interface (UI), necessary data models, and consumer demands. Too often this dedicated focus causes them to overlook essential vulnerabilities, resulting in sensitive data being built into API headers and query patterns.

Rather, everyone should be responsible for asking if a user ID is needed as part of the API and, if so, if it should be part of an encrypted payload. The API and the user ID passing through it should be considered part of the query parameter pass-through browsers with sufficient caches and cookies. 

Finally, where requests are coming from must be understood. APIs need to be designed based on the systems and devices they with integrate with as they are a growing threat from hacks – putting sensitive information at risk.

Arming a “Security First” Culture

To create a “security first” culture, proactive companies adopt self-learning systems as part of their API security toolkit that leverage the power of artificial intelligence (AI) to gather information about plan behaviors. These solutions reveal patterns and trigger appropriate actions, for example shutting down vulnerable systems before the clients risk them.

Because a team is only as successful as the tools at its disposal, every API security toolkit should include the following:

  • AI-powered API security, which self learns and self creates rules to recognize and proactively respond to attacks.
  • Straight sets of issue alerts to inform the right people as things go awry.
  • Dashboards, which enable teams to see patterns that contribute to a security-first mindset.
  • Data governance, to ensure data is being securely exchanged and being exposed only in ways that align with security policies.
  • API gateways, which are vital to API orchestration and integration.
  • Firewalls, to protect against threats like SQL injection attacks.

Security must be incorporated into a 360-degree view of the API life cycle from the outset and run through planning, designing, developing, testing, and release management. New threats emerge every day, so it’s imperative that learning be continuous.

Security must also be part of the user story and not just a box to check off in the release plan. As tooling – which should be accessible to everyone within the organization – is used to recognize user patterns, it contributes to that user story and develops a sequence of use cases from API keys to tokens to audit logs and more. This does more than give an enterprise empathy with its users; it provides valuable insight into potential system risks.

Retroactive Governance Repairs

For those organizations that did not build security into the API life cycle from the outset, it is not too late to revisit and rectify the situation. 

One common challenge for these organizations is when the CIO or other key players don’t realize an API exists until it’s already been hacked. This can be overcome with use of proper enterprise-grade API tooling that provides a complete overview of connecting APIs and the resources and information they expose. Tooling can also enable continuous API discovery, so while developers are given DevOps autonomy, others are still aware of every open-source or subscription API to which they connect.

It is also critical for these APIs to be monitored, which is where self-learning security systems play an important role. These powerful solutions detect current anomalies and feed this intelligence back into the system’s coverage and into the company’s new “security first” culture – saving it from public humiliation down the road. 

Getting Proactive with API Security

Enterprises caught up in data leaks tend to be reactive when it comes to API security. As such, they don’t have in place the right systems between consumer and provider. It’s a recipe for certain disaster that leaves the organization searching for the source of the service denial attack and creates distrust among consumers who will think twice about sharing their personal information.

Success requires a proactive approach, one that integrates security into governance at every stage of the agile process. This enables the continuous learning mindset around API security that is the only way to succeed. 

About APIWiz: APIwiz is a low-code, API automation platform allowing developers to build and release reliable APIs quickly. With APIwiz, API teams have complete control, visibility, and predictability over their entire API program, allowing organizations to stay open and connected.