The Confusion Around API Security

Noname Security

Even though many enterprises are starting to ramp up API security efforts, significant gaps remain. Dark Reading's 2021 Secure Applications Survey highlighted that 41% of respondents treat APIs the same as Web apps, and only 23% of respondents have a dedicated process for evaluating API security.

API security lacks the maturity most organizations have with other business technology. Considering the massive growth in APIs over the past several years, it is no surprise that API-based cyber incidents continue to make headlines. Even with dedicated efforts to tighten API security, several common misconceptions and misunderstandings can keep enterprises from addressing their API security gaps. Let's explore what API security is, who owns it, and what to expect from an API security partner.

"Gartner predicts that by 2022, application programming interface (API) attacks will become the most-frequent attack vector..."

What is API Security?
API security refers to protecting the integrity of your digital environment from API vulnerabilities, API misconfigurations, and API cyber-attacks.

It's not only about protecting your APIs from an attack; it's about protecting your digital environment and your data from the risks that come with exposing APIs. As simple as this shift in mindset may seem, it has significant implications for security strategies, processes, and tooling.

Confusion Around API Security Ownership
With so many teams playing a role in the creation, consumption, and management of APIs, there is often confusion about which teams are responsible for API security. Is it the development team that writes the code? Is it the platform team that deploys and manages APIs across gateways and clouds? Or is the CISO and their team responsible for API security?

Each enterprise has a different structure and way of sharing responsibility; in practice, that responsibility is often loosely defined and poorly understood. Without a clear ownership structure for API security and the proper guardrails in place, API security will continue to slip through the cracks.

What to Expect from an API Security Vendor
There are several new API security solutions that can be used to help overcome the challenges listed above. Give extra consideration to API security solutions that:

  • Integrate easily with clouds, WAFs, and gateways — a good API security solution should connect with your existing infrastructure and enhance the security capabilities of other systems in the environment, not compete against them.
  • Can be deployed on-prem or as a SaaS — be sure you have the option to deploy on-prem or within a cloud so the data never leaves the environment, or as a SaaS so you can manage multiple clouds and instances from a single portal.
  • Don't use agents or sensors — cloud-first and API-led environments struggle with in-line solutions. Agent-based architectures are a legacy way of thinking that introduce more complexity, performance issues, and risk. Out-of-band architecture provides deeper visibility and less operational friction.