The complexity of modern cloud-native applications, which often leverage microservices, containers, APIs, infrastructure-as-code and more to enable speed in app development and deployment, can create security headaches for organizations that fail to put practices in place to mitigate vulnerabilities.
With dependencies on databases and third-party APIs, and sensitive information and secrets such as certificates and passwords exposed, organizations need to have a mechanism
to track and catalog all the APIs used in their environment. They need visibility into all the inbound and outbound traffic, most importantly, to ensure the mutual communication channels are kept safe and that APIs are properly authenticated.
Proper upfront design and planning of APIs is crucial to help ensure any event-driven APIs are secured and that there is proper handling of all secrets and sensitive data that gets transmitted in the process.
To begin to properly secure cloud-native applications, it is necessary to have a full understanding of the interfaces that are being exposed, Kimm Yeo, who works in application security at Synopsys, wrote in a recent blog post. “Organizations with internally developed cloud-native applications faced a variety of security incidents in recent years, with the leading causes being insecure use of APIs, vulnerable source codes and compromised account credentials,” she wrote.
It is the expanded use of APIs in today’s applications that create the biggest security challenges. In a report, Gartner found that 90% of a web application’s attack surface area are APIs, and that in 2022, APIs would be the most frequent attack vector.
“Effective API security can’t be done by merely protecting and blocking vulnerable APIs with some web firewalls and monitoring tools,” Yeo wrote in a recent blog post. “API-based apps need to be treated and managed as a complete development life cycle of their own. Just as the software app development life cycle goes through upfront planning and design, so must the API life cycle. There needs to be proper API design with API policies built into an organization’s overall business risk and continuity program.”
Yeo points out that traditional application security scanning tools were not designed for cloud-native applications, and lack visibility into modern application development and deployment architectures. This is because, she wrote, that “most API and serverless function calls are event-driven triggers…”
In her blog, Yeo states that organizations need to view and treat APIs holistically as a life cycle development and deployment framework of its own – like how they look at application development as a life cycle. This would entail up-front design and planning, as well as policies around API management to ensure vulnerabilities are kept to a minimum.
Further, she encourages organizations to do risk assessments of all API-based applications, with the goal of focusing on those apps with the highest risk factors. She wrote that effective API security practices require continuous testing to verify vulnerable APIs during application tests at runtime compilation with third-party components.
Beyond all that, the use of modern scanning tools and techniques can further ensure that any vulnerabilities can be addressed (or the risk mitigated) before the apps are deployed. SCA, SAST, and DAST tools – which have been more commonly used as app security test practices – and now, more frequently, IAST tools can provide insights to where those security holes are, so they can be fixed before the application is released, when it is less expensive to remediate and can do less damage to the organization’s business and reputation.
“This,” Yeo wrote, “is the key essence of effective API security strategy in my opinion. An organization needs the ability to quickly identify and proactively test and remediate the apps with highest risk (as defined by its security policies and API risk classifications) before they go into production release. An API risk classification system can use criteria such as the application’s exposure (internal- or external-facing apps), the types of information it handles (such as PII/ PCI-DSS payment related), the record size that the app manages (which can get into thousands and millions), and the cost of data breaches, disaster recovery, and business continuity impact.
Content provided by SD Times and Synopsys.