This week, we have articles covering six critical areas for cloud-native security in 2022, including of course API security. In addition, there’s a beginner’s guide to API governance, thoughts on how to improve API security by embracing DevOps, and views on three ways to lock down APIs.
Article: Six critical areas for cloud-native security in 2022
First up this week is an article from Tripwire, discussing six critical areas for cloud-native security in 2022 — no big surprise that API security is highlighted, along with supply chain security. The author views both of these new security concerns as closely related: your supply chain is exposed through APIs either to suppliers or 3rd parties. Understanding how to minimize this attack surface is key to reducing risk.
Supply chain vulnerabilities are increasingly common in today’s high-velocity digital world, where software is composed rather than written. Modern applications are largely composed of 3rd party components and libraries, and many services are provided by suppliers and 3rd parties. Weaknesses in this supply chain expose the organization to risk, because attackers may gain access to both upstream and downstream elements of the chain. For example, they could inject malicious code, or exfiltrate sensitive data. Supply chain risk can be reduced by minimizing the scope of data and systems accessible to 3rd parties.
APIs are increasingly the conduit through which attacks can be made against organizations and their supply chains. The author recommends the following practices to minimize risk through this attack vector:
- API security should be addressed as early as possible in the development life cycle.
- Since APIs are in many cases publicly accessible, security must be a priority.
- API security should be automated within the software development life cycle to reduce human error and minimize developer effort.
A timely article on the importance of both API and supply chain security, and well worth reading for a high-level view of cloud-native security.
Article: Beginner’s guide to API governance
Good API governance is a key element of a secure API portfolio, and this week Security Boulevard contributes views on the core elements of good API governance.
API governance is a set of principles by which APIs are designed, developed, and deployed, and typically includes a standardized approach to API documentation, meeting specific security standards, and auditing across the API landscape.
The article recommends the following five key principles of API governance:
- Consistency: APIs should be easy to use, use standardized data dictionaries and versioning, and be consistent in their endpoint and parameter naming convention.
- Predictability (managing complexity): APIs should be “always-on”: focus on reliability, scalability, and maintainability.
- Security and compliance: Ensure you have visibility into your API estate, use a secure development process, perform security testing, and manage emerging threats.
- Interoperability (value and business alignment): Ensure that your APIs are interoperable to ease adoption, and hence drive revenue returns.
- Quality API documentation system: Well-documented APIs are APIs that are easy to consume.
The key takeaway here is that APIs may be unreliable, poorly documented, interoperate poorly, and — most importantly — be insecure without a proper governance process.
Article: Security APIs at the speed of DevOps
DevOps.com provides its thoughts on why API security is increasingly important for organizations that are embracing a fully automated DevOps development process. Although a DevOps process has many business benefits — such as faster time to market, improved efficiency, reduced costs, and improvements in quality — it is not without its challenges, particularly regarding security.
The authors cite two main challenges:
- A fast development process: Reduced development cycle times mean that security testing becomes challenging, particularly if it is based on a manual process such as penetration testing. Shorter cycle times also mean that developers may introduce coding errors which result in vulnerable end products.
- Poor collaboration: Unless the development and operations teams (and indeed the security team) are collaborating smoothly using unified processes, it is possible there will be gaps or shortcomings on key topics, such as credential, token, and secret management.
The article gives the following recommendations to improve API security in a DevOps process:
- Integrate security tightly into the DevOps process and leverage automation heavily.
- Protect APIs at runtime to ensure any vulnerabilities that are inadvertently introduced are mitigated until remediated in a subsequent release.
- Embrace the cultural change that DevOps brings and cross-train developers to become security champions who take ownership of security considerations in their APIs.
Article: Three ways to lock down APIs
Finally this week, we have the views of Pieter Danhieux — co-founder and CEO of Secure Code Warrior, a popular security learning platform — on three ways to lock down your APIs.
Danhieux makes the point that API development is to some extent ungoverned and often overlooked by security teams, who may be more familiar with web application security. APIs are also frequently designed for bespoke functionality, and may be coded by developers who are not fully aware of security considerations.
Danhieux suggests the following three ways to lock down APIs:
- Include tight identity controls for all APIs: Use well-provisioned role-based access controls to minimize scopes of API access, and ensure identities are actively managed.
- Tightly control the various calls made by APIs: Minimize the scope of API access to ensure that attackers are limited in their ability to traverse laterally in the event of a breach.
- Use a layered approach: Make sure that APIs have a precise context and purpose and do not expose excessive data. Compose APIs in layers to limit functionality to the minimum necessary.
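To make the three controls concrete, here is an added example (not code from Danhieux’s article or from Secure Code Warrior) of a minimal authorization layer for an API: tokens only ever carry the intersection of the scopes requested and the scopes the role permits, every endpoint requires exactly one scope and unknown endpoints are denied, and each endpoint has an allowlist of response fields so it cannot leak more than its purpose requires. The roles, scopes, routes and the user record are all constructed for the example.

```python
"""Added example: least-privilege scopes per endpoint plus response field
allowlists. Roles, scopes, routes and records below are constructed."""
from dataclasses import dataclass

# Role -> scopes a token issued to that role may hold (constructed).
ROLE_SCOPES = {
    "support": {"users:read"},
    "billing": {"users:read", "invoices:read"},
    "admin": {"users:read", "users:write", "invoices:read"},
}

# (method, route) -> the single scope that operation requires.
ENDPOINT_SCOPE = {
    ("GET", "/users/{id}"): "users:read",
    ("PATCH", "/users/{id}"): "users:write",
    ("GET", "/invoices/{id}"): "invoices:read",
}

# (method, route) -> fields the endpoint is allowed to return.
# Anything not listed is stripped, so a backing record with
# sensitive columns cannot leak through "return the whole object".
RESPONSE_FIELDS = {
    ("GET", "/users/{id}"): {"id", "display_name", "email"},
    ("PATCH", "/users/{id}"): {"id", "display_name"},
    ("GET", "/invoices/{id}"): {"id", "amount", "status"},
}


@dataclass(frozen=True)
class Identity:
    subject: str
    role: str
    scopes: frozenset  # scopes actually granted to this token


def issue_token(subject, role, requested_scopes):
    """Grant only the requested scopes that the role is allowed to hold.

    A token can therefore never carry more authority than its role, and a
    caller that asks for less gets less - both limit lateral movement if
    the token is stolen."""
    allowed = ROLE_SCOPES.get(role, set())
    granted = frozenset(requested_scopes) & frozenset(allowed)
    return Identity(subject, role, granted)


def authorize(identity, method, route):
    """True only if the endpoint is known and the token holds its scope."""
    needed = ENDPOINT_SCOPE.get((method, route))
    if needed is None:
        return False  # deny by default: unregistered endpoints are not reachable
    return needed in identity.scopes


def filter_response(method, route, record):
    """Drop every field that is not on the endpoint's allowlist."""
    allowed = RESPONSE_FIELDS.get((method, route), set())
    return {k: v for k, v in record.items() if k in allowed}


# Constructed backing record containing fields the API must never expose.
USER_RECORD = {
    "id": 42,
    "display_name": "Ada",
    "email": "ada@example.com",
    "password_hash": "$2b$12$constructed-hash-value",
    "ssn": "000-00-0000",
}


def handle(identity, method, route, record=USER_RECORD):
    """Simulated request handler: 403 without the scope, filtered body otherwise."""
    if not authorize(identity, method, route):
        return 403, {"error": "forbidden"}
    return 200, filter_response(method, route, record)


if __name__ == "__main__":
    # A support token that over-asks still only receives users:read.
    support = issue_token("alice", "support", ["users:read", "users:write"])
    print(sorted(support.scopes))
    print(handle(support, "GET", "/users/{id}"))    # 200, no password_hash/ssn
    print(handle(support, "PATCH", "/users/{id}"))  # 403, scope not granted
```

The two places where this design pays off are the default-deny in `authorize` (a route that was never registered with a scope is unreachable, rather than accidentally open) and the allowlist in `filter_response` (the sensitive columns are removed by construction, not by remembering to omit them in each handler).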
The article echoes many of the principles in our first story this week — sound advice for API designers.