Business must approach APIs as a single asset class, says CISO

Application programming interfaces have changed the way developers work by making several key aspects of the process faster and easier, from adding functionality to localizing a new language.

However, as businesses navigate today’s heightened cybersecurity threat landscape, APIs must be secured differently from the other assets in an organization’s digital infrastructure for that security to be effective.

“The more critical APIs become, the more important it is to watch the API as a truly unique asset class,” said Karl Mattson (pictured), chief information security officer at Noname Security. “Because the security checks we employ, from configuration management and asset management to application security, both testing and protection, such as endpoint detection and response, and the platforms we use to control our environments, are poorly suited for APIs. We must have controls and technologies in place and skilled teams that can really focus on those controls that are unique to the API.”

Mattson spoke with theCUBE industry analyst John Furrier during the “Cybersecurity — Detect and Protect Against Threats” Event, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s live streaming studio. They discussed the new security approaches for APIs that have become imperative given the new threat landscape. (*Disclosure below.)

New approaches, skills and resources are needed

APIs have taken on a much larger role, having made the leap from edge use case utility to crown jewel asset. So, as an organization’s reliance on them grows, it needs to secure APIs as the backbone of its development frameworks, according to Mattson.

“We took a fresh look at the API, looking at it from a full lifecycle perspective,” he explained. “It’s not news that APIs are a software asset that needs to be tested for security, vulnerabilities and safety before going into production. But the reality is that of the API security exposures which make the headlines almost every day, many have to do with things such as runtime errors and misconfigurations or changes made on the fly, because APIs change very quickly.”

Noname Security has itself taken a holistic approach to the API security lifecycle, and according to Mattson that is the only way to protect APIs effectively and robustly from outside attacks in the long run.

“In order for us to counter API risks, we need to look at the full life cycle from the moment the developer starts coding at the source code level, through the test gates and operational setup,” he said.

Why securing APIs is harder now

Why securing APIs is more relevant than ever has a lot to do with how their use has changed since the early days, according to Mattson.

“With the APIs we had 8, 10 years ago, most of them were dealing with APIs internally,” he explained. “And so there were a lot of API design elements that we would not have put in place if we had wanted them to be in front of the public. We get by with a bit of sloppy hygiene when it is internal to the network, but now that we expose these APIs and we release APIs worldwide, there is a degree of precision required. The stakes are just much higher.”

Another reason for the increased vulnerability of today’s APIs, Mattson says, is the heavy reliance of business on them at the infrastructure layer.

“You think of AWS, for example; most modern cloud workloads communicate and talk via API,” he said. “So even if they are internally facing APIs, configuration errors can occur and they could be exposed to the public or they could be compromised. We want to examine all facets of APIs because now there is so much at stake with good API security.”

Additionally, the scope of preemptively securing APIs has expanded far beyond simply searching source code for potential issues, Mattson added.

“An IBM research survey last year estimates that 60% of all API violations are due to misconfiguration, not source code design. And so that’s really where we need to marry the two: runtime protection and configuration management with source code testing and design,” he said.

So keeping these crown jewels as secure as possible should involve steps such as discovery, fingerprinting scans, observability and inventory, Mattson concluded.

Here’s the full video interview, which is part of SiliconANGLE and theCUBE’s coverage of the “Cybersecurity — Detect and Protect Against Threats” event:

(*Disclosure: Noname Security sponsored this segment of theCUBE. Neither Noname Security nor other sponsors have editorial control over the content of theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
