When we set about developing our unique API Program approach, security was always going to be a key component of our packages. Until now that topic has generally been focused on API Management functionality and access control components (IAM), as well as advice on standards and on building security into an API itself. As security has become increasingly important to our clients, and knowledge of how to specifically secure an environment against API attacks is limited, we have built out a dedicated API Security service offering to enable organisations to develop and manage an organisation-wide API security strategy as part of the broader API Program.

Previously, the Chief Information Security Officer (CISO) would typically have only a relatively minor role in designing and implementing APIs, but the growing significance of APIs as a prime target for cyberattack has prompted organisations to improve their security posture. Some of the reasons for this are reactive, driven by the well-publicised cyberattacks on organisations such as Optus and Medibank, but there is also a proactive element: organisations and CISOs are starting to see that APIs as digital products are becoming endemic and critical across the business, and are not typically covered well by existing security strategies. As an example, we recently spoke to the CISO of a large telco who was aware of roughly 12 externally available APIs and had inspected them from a security perspective. When we ran a preview of our new service over the course of a couple of days, he was absolutely amazed when we identified hundreds of publicly accessible APIs he had no knowledge of whatsoever.

With APIs increasingly becoming the lingua franca for information transfer, both internally and externally, their protection has become as vital as safeguarding other web traffic on the same infrastructure. While securing web pages, including dynamic ones, has become routine for most organisations, API security remains an evolving challenge. Once our clients discover the extent of the vulnerabilities in their API infrastructure, they appreciate the importance of consistent protection across all of their APIs, whether in production or still in testing. Ideally this discovery occurs through running a threat assessment rather than through a breach! That is why Excelsa have developed a new service package specifically providing a quick and easy way to identify all of your APIs that can potentially be accessed by external entities, and to highlight critical gaps. The key is not just to secure one API or API family, but to ensure that all APIs receive the same level of protection. Many enterprises are at the early stages of their API security journey, so an important first step is to uncover the hidden APIs within their infrastructure. As part of our service offering we include one of a new breed of API security products that can play an important role in automatically detecting and securing APIs.

This new set of dedicated API security solutions is playing a pivotal role in identifying and securing APIs wherever they may be located on the organisation's network. These solutions act as a formidable defence, either thwarting attackers outright or equipping organisations with critical information to enhance API protection.

Traditional network security products were originally developed before the widespread use of APIs that we witness today, and their initial focus was relatively straightforward. These products were built on the premise that requiring developers to secure the code they write was essential to avoid failure. There is significant truth in this reasoning, as most developers do not intentionally create insecure code; vulnerabilities in code often arise from a lack of awareness of potential API weaknesses. However, as we embraced API security, we discovered an additional benefit: some vulnerabilities are more effectively blocked at the network level than within individual applications.

The concept of preemptively blocking certain attacks at the network level before they reach the API, along with the presence of numerous undocumented APIs within organisations, has led our customers to demand API-aware security products with robust API detection capabilities on the corporate network. The corporate network here means the extended network, including data centres, cloud vendors, and hosting environments. In some cases it may also include software-as-a-service (SaaS) environments, although few SaaS platforms support API development and deployment capabilities.

Just as our API security solution must be able to identify APIs, it must also excel at protecting them once they are discovered. Initially designed to secure SOAP APIs during their widespread adoption, API security solutions have since adapted to protect REST APIs, which are currently the primary area of protection. However, we also recognise that new API standards, such as event-based APIs, are gaining popularity. Hence it is crucial to assess which standards the API security products can protect and the depth of that protection.

An ideal API security strategy is one that remains dynamic and adaptive, keeping pace with the evolving threat landscape and emerging standards, and that also recognises that there are key API security stakeholders across the business, not just in the CISO or IT team. By comprehensively addressing API security, our clients can safeguard their organisation's sensitive data, maintain operational resilience, and uphold their commitment to protecting their stakeholders' trust and interests.

If you are looking for more information on the topics raised in this blog, or need help with Integration or API programs, please reach out to info@excelsa.io
