How to Approach API Security in 2023: Your 30-60-90 Day Security Plan

March 28, 2023 | by Jason Kent

API security is a top 2023 security initiative for many organizations, given the continued increase in API usage and the API breach activity observed in 2022. Since more and more organizations are starting API security programs, I thought it might be prudent to provide a 30-60-90 day framework that we are all pretty familiar with. For simplicity's sake we will assume a green-field API security program, meaning the organization is developing applications with exposed APIs and an API security program is in its infancy. We should also note that API security, like any other form of network security, is a continual process – you won’t be done in 90 days, but you will have established a foundation.

Your First 30 Days: Ask “Where am I with Application Security?”

By this we don’t mean physically; we mean, what assets do you have to complement your API security program? Your first 30 days should be used to learn how good or bad things are. Examples include what the culture is like, what the focus has been and where you are going to start. Key learnings should include historical practices and what role different teams and individuals play in the API security lifecycle. What can you draw on, and who do you have as champions or supporters? Within the first 30 days your goal should be to understand:

  • Do we have an inventory of our public facing or 3rd party APIs?
  • Do we have historical penetration tests or security audits for these APIs (establish the gap)?
  • Have we completed a data audit to know what sort of data is used by our APIs?
  • Who is interested in API security, and can you include them in the next phase?

Your first 30 days should define the things that you want to accomplish in the next 30 and the following 30. Keep in mind, every organization is different, but that doesn’t mean a framework won’t help.

Your 60 Day API Security Program Goal: Establish the Application Security Infrastructure

The first 60 days are for getting things answered and/or setting things into motion. This means getting to know the stakeholders and how you can enable them to make the business and your API security program successful. Quick wins are important, and one of the easiest is to identify a way to simply find and categorize all your APIs. API visibility is the most critical phase of any API security initiative. The reason is obvious: unknown, unmanaged APIs, also known as shadow or zombie APIs, cannot be protected and are a prime attack target. Many organizations will begin using a manual process, which is a good start, but one that can quickly be out of date with the next API release cycle. Having a complete inventory and knowing where the APIs are will streamline your API security program execution and is best achieved with an automated API discovery tool.

As a reminder, a 30-60-90 plan is really a map created to guide you and your organization towards improving your API security. Many of the things that are achieved in the first few months set the stage for things going forward. By the end of your first 60 days you should aim to:

  • Complete an API inventory and derive possible next steps (e.g., remove old API subdomains, retire zombie or deprecated APIs, standardize endpoint security paradigms, etc.)
  • Set in motion the people side of your API security program; it could be getting the right people to the right meetings with the right goals. People are the way your API security challenges will be addressed, and your team will develop the processes that work.
  • Add API specific training for all parties – development, security, operations – APIs are different from web apps, and knowing how to treat APIs is a critical success factor.

Start looking at the long term technology items. Is there a tool or vendor that can shoulder some of your API security workload? What does success with them look like?
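The inventory step above boils down to reconciling what is documented against what is actually serving traffic. The following is an added example, not code from the original post: it compares a hypothetical OpenAPI-style path list with constructed access-log lines, flagging live operations that are not in the spec (shadow) and documented operations that never appear in traffic (candidate zombies to retire). The spec paths, hosts and log lines are all assumed sample data.

```python
import re
from collections import Counter

# Constructed sample inventory: OpenAPI-style path templates -> documented methods
# (hypothetical spec, not from any real service).
SPEC_PATHS = {
    "/v2/users/{id}": ["GET", "PATCH"],
    "/v2/orders": ["GET", "POST"],
    "/v1/orders": ["GET"],  # deprecated version that is still documented
}

# Constructed sample access-log lines (common log format; hosts and paths are made up).
ACCESS_LOG = """\
10.0.0.5 - - [28/Mar/2023:10:00:01 +0000] "GET /v2/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [28/Mar/2023:10:00:02 +0000] "PATCH /v2/users/42 HTTP/1.1" 200 88
10.0.0.9 - - [28/Mar/2023:10:00:03 +0000] "POST /v2/orders HTTP/1.1" 201 64
10.0.0.9 - - [28/Mar/2023:10:00:04 +0000] "GET /internal/export?all=1 HTTP/1.1" 200 90211
10.0.0.7 - - [28/Mar/2023:10:00:05 +0000] "DELETE /v2/users/42 HTTP/1.1" 204 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def template_to_regex(template):
    """Turn a path template such as /v2/users/{id} into an anchored regex."""
    return re.compile("^" + re.sub(r"\{[^/}]+\}", r"[^/]+", template) + "$")

def observed_operations(log_text):
    """Count (method, path-without-query) pairs actually seen in traffic."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[(m.group("method"), m.group("path").split("?", 1)[0])] += 1
    return seen

def reconcile(spec_paths, log_text):
    """Return (shadow, zombie): live-but-undocumented and documented-but-unused operations."""
    matchers = {t: template_to_regex(t) for t in spec_paths}
    documented_hits, shadow = set(), set()
    for method, path in observed_operations(log_text):
        hit = next((t for t, rx in matchers.items() if rx.match(path)), None)
        if hit and method in spec_paths[hit]:
            documented_hits.add((method, hit))
        else:
            shadow.add((method, path))  # undocumented path or undocumented method
    zombie = {(m, t) for t, ms in spec_paths.items() for m in ms} - documented_hits
    return sorted(shadow), sorted(zombie)

if __name__ == "__main__":
    shadow, zombie = reconcile(SPEC_PATHS, ACCESS_LOG)
    print("shadow (live, undocumented):", shadow)
    print("zombie (documented, unused):", zombie)
```

The shadow list is what a manual inventory tends to miss between release cycles, which is the gap an automated discovery tool closes; each zombie entry is a retirement candidate to confirm with its owning team before removal.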

Your 90 Day API Security Program Goal: Lay the Groundwork

The last 30 day block of your 90 day plan should be spent confirming you are on track with status reviews while looking at longer term roadmaps with the right people, processes and technology. There are obvious things that will be in motion now, and it is a good time to establish processes for re-evaluating the business goals established earlier and how you are meeting them. By the end of 90 days, you will want to make sure the organization is still on the same path and the objectives make sense. At the end of 90 days you should understand:

  • Where your APIs are, what data they contain, and how they are developed and tested.
  • Whether your APIs are documented consistently, and whether there is a mechanism for updating that documentation.
  • Whether your logging is sufficient to identify potential threats or points of compromise.
  • Whether you have a set security standard for API development covering minimums like authentication and authorization.
  • Whether you have coding standards in place and have adopted an API specification framework to improve consistency, quality, and security.

By putting an API security plan into motion, you are laying the groundwork for having a complete API picture and how you can address the risks to your business as you move forward.

API Security Solution Recommendations

With the people and processes in place to move your API security program forward, many organizations will look at adding technology to the mix to improve efficiency. Recommendations are to look for an API security solution with a unified and fully integrated approach that works across the entire API protection lifecycle, protecting all APIs, across all API implementations, channels, and infrastructure environments. The approach must discover and create a complete runtime inventory of all managed and unmanaged APIs and provide comprehensive API protection including not just complete discovery and runtime inventory, but compliance monitoring and remediation, threat detection, and inline, robust threat prevention.

This unified API protection solution would need to deploy and scale quickly, easily and cost effectively without the need for intrusive instrumentation or sensors that slow development and deployment and prevent effective scaling. Lastly, the approach must protect against today’s agile, sophisticated, and persistent attackers and their always changing attacks through native, real-time attack detection, alerting, and inline stealthy mitigation that leverages ML, AI, and global API threat intelligence to fingerprint and identify attacks well beyond evadable, least common denominator domain-based signatures.

Jason Kent

Hacker in Residence