The CISO Guide to API Security: Enabling Innovation Without Enabling Attacks and Data Breaches

Updated: November 13, 2019

Manjunath Bhat, Sr Director Analyst at Gartner, speaking at the Gartner Security & Risk Management Summit 2019 in Mumbai.


It used to be said that there is an app for anything. Now there is an API for anything. Many CEOs view APIs as the next source of revenue, since many companies have reached the limit of revenue from their current sources. APIs are fundamentally new products; companies such as PayPal and Paytm are built around them.

API vulnerabilities include theft of secrets, debugging, access violations, API scraping, denial of service, exploits, and so on. Attacks can come from anywhere in the world, and no matter how mature your development process, it is not feasible to protect against every attack vector; a developer, for example, can do nothing against a denial of service attack. API scraping means tracing the calls an endpoint makes to an API and then reverse engineering them.

If you are working with third-party aggregators, they should not request banking credentials; access should instead be handled through a token.

Typically you will be exposing legacy applications, and one benefit is reduced complexity. The technique is to create an API mediation layer that decouples the inner APIs from the outer APIs. This loose coupling lets you change the inner APIs without changing the outer ones.

Traditionally one would look to a WAF (web application firewall), but that is insufficient. Since data is also moving to the cloud, you are no longer serving the API from a single instance, so a perimeter firewall is irrelevant. DDoS is becoming very important and is best handled with solutions from providers such as Akamai and Cloudflare.

Investment in protection should not be tied to one type of attack; invest in capabilities rather than in providers and products. A convergence is taking place between WAF and RASP providers: a WAF is external, whereas RASP (runtime application self-protection) provides intrinsic protection based on what is normal and what is abnormal.

With code-level protection, you are putting the protection inside the application itself.

Bots are automated connections to APIs. In the API world it is important to protect the front end as well as the back end: if a mobile app can be reverse engineered, it can be used to create a fake app that calls the API.

API management: discover, monitor and secure

  1. Discover: Inventory the APIs that have been delivered or are in development. APIs from third parties should also be included.
  2. Monitor: Observe your API usage and learn what normal API behaviour looks like.
  3. Secure: Create a policy for API protection and access control.
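To make the discover/monitor steps concrete, and to show what the bot and API-scraping detection mentioned earlier can look like in practice, here is a small added example that is not from the talk or the article. It runs over a constructed JSON-lines access log (not real traffic): it compares the routes actually seen against a hypothetical declared inventory (shadow APIs), builds a per-client baseline, and flags clients whose volume exceeds a limit or who walk consecutive resource ids. The log field names, the `DECLARED_APIS` inventory and the thresholds are all assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample access log in JSON-lines form (not real traffic, not from the talk).
SAMPLE_LOG = """\
{"ts": 1573600000, "client": "mobile-app", "method": "GET", "path": "/v1/accounts/1001", "status": 200}
{"ts": 1573600005, "client": "mobile-app", "method": "POST", "path": "/v1/payments", "status": 201}
{"ts": 1573600009, "client": "mobile-app", "method": "GET", "path": "/v1/accounts/1001", "status": 200}
{"ts": 1573600030, "client": "partner-x", "method": "GET", "path": "/v1/accounts/3417", "status": 200}
{"ts": 1573600031, "client": "partner-x", "method": "POST", "path": "/v1/payments", "status": 201}
{"ts": 1573600040, "client": "unknown-7", "method": "GET", "path": "/v1/accounts/2000", "status": 200}
{"ts": 1573600041, "client": "unknown-7", "method": "GET", "path": "/v1/accounts/2001", "status": 200}
{"ts": 1573600042, "client": "unknown-7", "method": "GET", "path": "/v1/accounts/2002", "status": 200}
{"ts": 1573600043, "client": "unknown-7", "method": "GET", "path": "/v1/accounts/2003", "status": 200}
{"ts": 1573600044, "client": "unknown-7", "method": "GET", "path": "/v1/accounts/2004", "status": 200}
{"ts": 1573600045, "client": "unknown-7", "method": "GET", "path": "/v1/accounts/2005", "status": 404}
{"ts": 1573600046, "client": "unknown-7", "method": "GET", "path": "/v1/internal/debug", "status": 200}
"""

# Hypothetical API inventory (step 1 input). Routes are stored as templates
# with numeric ids replaced by {id}.
DECLARED_APIS = {"GET /v1/accounts/{id}", "POST /v1/payments"}

ID_SEGMENT = re.compile(r"/(\d+)(?=/|$)")


def parse_log(text):
    """Parse the JSON-lines access log into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def route_of(record):
    """Normalise one request to its route template, e.g. 'GET /v1/accounts/{id}'."""
    return f"{record['method']} {ID_SEGMENT.sub('/{id}', record['path'])}"


def discover(records):
    """Step 1: routes seen in traffic that are absent from the declared inventory."""
    return {route_of(r) for r in records} - DECLARED_APIS


def baseline(records):
    """Step 2: per-client request counts, i.e. what 'normal' looks like per caller."""
    counts = defaultdict(int)
    for r in records:
        counts[r["client"]] += 1
    return dict(counts)


def flag_abnormal(records, max_requests=5, min_run=4):
    """Flag clients that exceed a volume limit or walk consecutive resource ids
    (a typical scraping/bot pattern). Returns {client: [reasons]}."""
    findings = defaultdict(list)
    ids_by_client = defaultdict(set)
    for r in records:
        m = ID_SEGMENT.search(r["path"])
        if m:
            ids_by_client[r["client"]].add(int(m.group(1)))
    for client, n in baseline(records).items():
        if n > max_requests:
            findings[client].append(f"volume {n} > {max_requests}")
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        run = longest = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            findings[client].append(f"sequential ids run of {longest}")
    return dict(findings)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("undeclared routes:", discover(recs))
    print("baseline:", baseline(recs))
    print("abnormal:", flag_abnormal(recs))
```

On the sample, the undeclared `GET /v1/internal/debug` route surfaces in the discovery step, and `unknown-7` is flagged both for volume and for enumerating ids 2000 to 2005; the other two clients stay within their baseline. In a real deployment the thresholds would be derived from the observed baseline over time rather than fixed as they are here.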

Much of the code in an organization is open source or is assembled rather than written. Include authentication as well as authorization.

To treat APIs as products, they have to be managed as products, which requires an API product manager. Security champions should be embedded in development teams. A product manager is typically tied to functional development; the key change is making sure that the API product manager includes security as a product function. Security has no instant business value and cannot be monetized, but neglecting it can be a big problem.

Make sure that your API does not transmit personally identifiable information (PII) such as Aadhaar numbers, dates of birth, etc.
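The points above about tokens instead of banking credentials for aggregators, the mediation layer that decouples inner from outer APIs, authentication plus authorization, and keeping PII such as Aadhaar numbers and dates of birth out of API responses all meet in one place: the outer-facing handler. The following is an added example, not code from the talk or the article. It assumes a hypothetical legacy record store (`LEGACY_CUSTOMERS`, with made-up inner field names), an HMAC-signed bearer token as a stand-in for whatever OAuth-style token a real gateway would validate, and an explicit allowlist of outer fields so that inner fields never appear outside unless deliberately mapped.

```python
import base64
import hashlib
import hmac
import json

# Constructed legacy ("inner") record store; field names are assumptions.
LEGACY_CUSTOMERS = {
    "1001": {
        "cust_nm": "A. Sharma",
        "aadhaar_no": "123412341234",   # PII that must never reach the outer API
        "dob": "1985-04-12",            # PII that must never reach the outer API
        "acct_bal_paise": 1523000,
        "branch_cd": "MUM01",
    }
}


def legacy_get_customer(customer_id):
    """Stand-in for a call into the legacy system; returns the raw inner record."""
    return LEGACY_CUSTOMERS.get(customer_id)


# Outer contract: the only fields the public API ever returns, each with its
# mapping from the inner record. Anything not listed here cannot leak, and the
# inner names can change without changing the outer API.
OUTER_FIELDS = {
    "customer_id": lambda cid, rec: cid,
    "display_name": lambda cid, rec: rec["cust_nm"],
    "balance_inr": lambda cid, rec: rec["acct_bal_paise"] / 100,
}


def to_outer(customer_id, inner):
    """Mediation step: translate an inner record into the outer representation."""
    return {name: fn(customer_id, inner) for name, fn in OUTER_FIELDS.items()}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, subject, scopes, client, ttl_seconds, now):
    """Issue a signed token bound to one customer (subject), one aggregator (client),
    a scope list and an expiry. Hypothetical format: base64(payload).base64(hmac)."""
    payload = json.dumps(
        {"sub": subject, "client": client, "scope": scopes, "exp": now + ttl_seconds},
        sort_keys=True,
    ).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(secret, token, now):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except ValueError:
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims


def outer_get_account(secret, headers, customer_id, now):
    """Outer API handler: authenticate (token), authorize (scope and subject),
    call the inner API, then return only the allowlisted outer fields."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing token"}
    claims = verify_token(secret, auth[len("Bearer "):], now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    if "accounts:read" not in claims["scope"]:
        return 403, {"error": "insufficient scope"}
    if claims["sub"] != customer_id:
        return 403, {"error": "token not issued for this customer"}
    inner = legacy_get_customer(customer_id)
    if inner is None:
        return 404, {"error": "not found"}
    return 200, to_outer(customer_id, inner)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed; a real deployment uses a managed key
    tok = issue_token(secret, "1001", ["accounts:read"], "aggregator-a", 3600, 1573600000)
    print(outer_get_account(secret, {"Authorization": "Bearer " + tok}, "1001", 1573600100))
```

The allowlist is the important design choice: adding a field to the legacy record (or renaming `cust_nm`) changes nothing on the outer side, and a response can only ever contain the three declared fields, so the Aadhaar number and date of birth are excluded by construction rather than by a filter that someone has to remember to update. The subject check also stops a token issued for one customer's consent from being replayed against another customer's record.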