Issue 196: Software supply chains, APIs in healthcare, Azure API management baselines


This week, we have articles on the importance of API security for the software supply chain, and how API adoption is increasing in the healthcare industry whilst addressing cyber security concerns. We also have new guidance from Microsoft Azure on security baselines for API management, and a free software security course from the Linux Foundation.

Article: API security for the software supply chain

This week’s first article is by NordicAPIs, a very timely view of the importance of API security for the software supply chain. Modern software platforms are increasingly composed of discrete elements, rather than developed as a monolith, as was previously common. Whilst this approach offers tremendous benefits for shorter development cycles and quicker time to market, it comes at the cost of a more complex supply chain: a vulnerability in a single component can adversely affect the security posture of the overall system. This is something that vehicle manufacturers have well understood for many decades: they have been meticulously tracking the provenance of all components in any given vehicle, allowing a recall in the event of a latent defect.

Now, why is the software supply chain so critically important to security? Because adversaries with malicious intent can focus their attacks on the supply chain, rather than attacking the end product or application directly: it’s easier to substitute a good component with a malicious component than attack the whole system. Recent years have seen an uptick in the number of attacks based on the software supply chain: just think of the SolarWinds attack, where attackers injected malware into the supply chain, or the British Airways website attack, where attackers were able to inject malicious JavaScript into the website to steal payment details.

So how does API security impact the software supply chain? APIs are a key component in the software supply chain, because they form the integration point between different systems as they are assembled together. Any weakness in an API will negatively impact the security of the overall system. For example, if a 3rd-party API leaks PII information on your product, this ultimately reflects adversely on you, not necessarily that 3rd party. Beware of inadvertently inheriting technical debt and risk.

A few suggestions for improving supply chain security include:

  • Perform an audit of the entire supply chain to understand all the constituent components and their risk profiles.
  • Use a zero trust model: assume that other components and interfaces are potentially hostile and ensure that constant authentication, authorization, and validation are enforced.
  • Beware of 3rd party providers and enforce minimum security standards and acceptance criteria.

I predict we’ll be hearing a lot more about the software supply chain for APIs in the near future.

Article: API adoption in the healthcare industry

The Health IT Security website has featured an article on the increasing adoption of APIs in the healthcare industry and how organizations are challenged to manage the associated cyber security risks. The healthcare industry has been at the forefront of API adoption, allowing for rapid integration and interchange of health data. The adoption of the HL7 FHIR standard has further accelerated API adoption to such an extent that recent research suggests a whopping 941% increase in API usage in health monitoring.

Unfortunately, as readers of this newsletter are only too well aware, these APIs provide an additional attack vector allowing for potential leaking of PII and confidential patient health data. This conflict between increased adoption and risk is captured nicely by the quote:

“From a healthcare standpoint, I see it as this aspect of duality. Healthcare needs to provide easier access to more data. But because of that, it must have a greater focus on data privacy and security.”

The author lists a number of recommendations and best practices, including:

  • Focus on the fundamentals, and get the basics right.
  • Leverage API management portals and API gateways, and enable their security features.
  • Implement strong authentication and authorization controls.
  • Implement Transport Layer Security (TLS) 1.2 or higher.
  • Exercise caution in granting access to systems and managing token life cycles.

Balancing the speed of innovation versus risk exposure is challenging; the key is the automation of API security.

Guide: Azure API management security baseline

Microsoft Azure has recently published their guidance on security baselines for API management. Whilst this is of specific interest to Azure users, many of their recommendations are applicable to other API management systems.

Their recommendations cover domains like network, identity management, privileged access, data protection, asset management, logging and threat protection, and backup and recovery.

For networks, they suggest:

  • Establish network segmentation boundaries.
  • Secure cloud services with network controls.
  • Deploy web application firewall.

On identity management, they recommend to:

  • Use a centralized identity and authentication system.
  • Manage application identities securely and automatically.
  • Use single sign-on (SSO) for application access.
  • Restrict access to resources based on conditions.
  • Restrict the exposure of credentials and secrets.

For privileged access, they suggest:

  • Separate and limit the access of highly privileged and/or administrative users from that of regular users.
  • Follow the principle of just-enough-administration (aka least-privilege).
  • Determine access process for cloud provider support.

On data protection and handling of sensitive data, they state the following:

  • Discover, classify, and label sensitive data.
  • Monitor anomalies and threats targeting sensitive data.
  • Encrypt sensitive data in transit.
  • Use secure key and certificate management processes.

For asset management, they recommend only using approved services.

As for logging and threat protection, they recommend to:

  • Enable threat detection capabilities.
  • Enable logging for security investigation.

Being solid common sense, the list comes as no surprise, but it is well worth ensuring these basics are implemented as your standard.

Training: Free software security course from the Linux Foundation

Finally this week, we have a topic of more general interest to anyone developing software: the Linux Foundation is offering their course “Developing Secure Software (LFD121)” free of charge. In my experience as a secure software advocate, this course is a really great introduction to the topic and would be a worthwhile endeavor for anyone writing software.

The key topics of interest include:

  • Requirements, design and reuse
  • Security basics
  • Secure design principles
  • Input validation
  • Processing data securely
  • Verification
  • Threat modeling
  • Cryptography

Thanks to the Linux Foundation for making this invaluable resource available for free.

Webinar: Review of API Breaches in H1 2022: Episode two - Remediation and Prevention

Last month, I presented a webinar on a dozen API breaches covered in this newsletter so far this year, and in August, I’ll be hosting the second part of this popular webinar.

In this webinar, I’ll be getting into practical guidance on how to prevent and remediate some of these types of breaches. In particular, we’ll focus on the following topics:

  • Applying defensive coding practices to secure APIs.
  • Practical demonstration of how 42Crunch can detect and protect APIs from such vulnerabilities.

