API Security Best Practices for CISOs

essidsolutions

Application programming interfaces (APIs) have been used for decades; however, API usage has grown exponentially alongside corporations’ increasing digitalization initiatives in the past several years. Nathan Ritchie, technical director at Salt Security, takes us through API security best practices that CISOs need in their playbook to succeed.

APIs enable digitalization and power the applications that define our online lives, including weather widgets, “sign in with” technology, mobile banking, and third-party payment apps. Internal API use has also skyrocketed, with many of the world’s largest organizations now reliant on APIs for routine business functions. 

Despite their benefits, APIs present significant security risks. The State of API Security ReportOpens a new window revealed that in 2021, overall API traffic increased by 321%, but API attack traffic increased more than two-fold – by a staggering 681%. 

Numerous companies, including Facebook, LinkedIn, Peloton, and Starbucks, have experienced API security incidents. In the worst-case scenarios, these attacks can cause irreparable damage to a company’s reputation and revenue loss. Yet, despite these risks, APIs remain poorly protected, and the previous research finds over a third of organizations lack any API security strategy. 

See More: The Cost of Innovation: Are New APIs Compromising Security?

Best Practices for API Security

While the task often seems insurmountable, below are some basic steps that you can take to ensure your API security. 

1. Establish the right security culture 

Culture and relationships are an oft-overlooked aspect of cybersecurity, APIs included. Many security problems stem from a lack of awareness and understanding of the business risks. CISOs can be instrumental in fostering a cross-functional security mindset within an organization. Building relationships is integral to securing APIs. Security teams must build and maintain good relationships across all their organizations. 

Once relationships are established, it’s easier to bolster API security without making anyone’s job harder. Healthy relationships encourage collaboration, allowing security teams to switch from a reactive to a proactive approach. Instead of telling other employees what they can’t do, they can provide them with answers, solutions and fit-for-purpose tools that can remediate issues before they arise. 

2. Get a complete picture of your APIs

Modern APIs have an enormous reach. They are core to all areas of an organization, from infrastructure to customer experience and everything in between. They are also owned by different teams. Engineering owns a portion, product owns a part, and so on. 

To complicate matters further, a single organization often employs multiple types of API. These can include: 

    • Business-to-consumer (B2C) 
    • Business-to-business (B2B) 
    • Business-to-employee (B2E) 

Being aware of APIs’ unique, complex, and often disparate nature is essential to their security. Attacks across different APIs vary, meaning security teams have to validate their security measures within each channel mentioned above differently. 

To ensure total awareness, cataloging your APIs is crucial. If you lack visibility into your APIs, you can’t protect them. CISOs must have an accurate and baseline inventory of their APIs that spans all their environments. 

Because APIs are being built so rapidly, any inventory must be systematically generated and continuously and dynamically updated. You need automation to ensure that you have a complete picture of your APIs. Without a full picture, you cannot know your potential risk and exposure. 

3. Make API security its own program. 

When it comes to APIs, security doesn’t just need to be at the forefront of the CISO’s attention – it needs to be interwoven with the entire process and pipeline. Establishing and employing best practices throughout an organization goes a long way to mitigating risk. 

Last year, GartnerOpens a new window confirmed what we already knew; API security is its own distinct and essential category in securing platform services. It’s therefore critical that it is treated as such. API security must be its own program, with its own training and management. Like many other disciplines within cybersecurity, security teams need to start with API security, not tag it on as an afterthought. 

4. Choose dedicated API security tooling 

Until recently, the use of APIs was more limited, and their capabilities were also relatively constrained. However, APIs are growing exponentially in both volume and capability – they have an enormous and ever-expanding footprint. 

The shift into the new API landscape has been a drastic one for many organizations. They have gone from minimal API development to huge, public-facing development in a matter of years. The increasing attack surface has created new security risks, and

traditional solutions don’t provide the runtime insights and security controls needed to protect APIs from attacks. 

Tools such as WAFs, for example, lack identity context and fail to provide the visibility required for API security management. While WAFs protect against blunt attacks such as cross-site scripting, they fail to identify or prevent today’s API-based attacks. 

Because APIs aren’t just straight code, you must see them being exercised to spot logic flaws. You need the ability to monitor them in runtime to spot anomalies and find areas where APIs might be exposing critical data. Seeing patterns in runtime gives organizations the most context for API security to identify malicious activity. 

While upgrading your tools and solutions can be expensive, a potential cyber-attack far exceeds the cost of any security tool. It’s not just the money spent re-securing your network and paying ransoms or even fines – a successful attack on an API can disrupt revenue flows and cause significant reputational damage. 

See More: Using a Least Privilege Framework to Boost DevSecOps

Key Takeaways 

In short, securing your APIs requires a four-pronged approach: 

    • Establish and maintain a healthy, collaborative security culture. 
    • Ensure you are aware of all your APIs with a dynamically updated inventory.
    • Prioritize security and recognize API security as the unique, distinct category it is. 
    • Choose dedicated security tooling that provides context-based visibility across the entire API lifecycle.

The API attack surface is constantly evolving, and securing it is both an unrelenting and challenging task. CISOs that recognize this reality and follow these best practices will be on the right track toward a robust and resilient API security program. 

Are you already following any of these best practices for API security? Tell us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We’d love to know about it!

MORE ON APPLICATION SECURITY

Contact ESSID Solutions

    By clicking Send Message, you agree to our Terms of Use and Privacy Policy.

    Reach out to us for a free consultation on big data consultancy and development services.

    Contact

    Rua Alexandre de Sa Pinto 143
    1300-034 Lisbon
    Portugal

    [email protected] +351927159955
    Privacy Policy Terms of Service Refund and Returns Policy

    © 2024 ESSID SOLUTIONS LDA