Guest Blog: API Security – Off to a Booming Start, But We’re Not Done Yet

August 30, 2021

I am very excited to partner with Cequence for a three-part blog series and webinar on the top-of-mind subject of API security in financial services companies, fintechs and insurtechs. At Aite-Novarica Group, we initiated coverage of the API security space in 2019. At that time, we learned very quickly that API security knowledge was extremely low. In our conversations with chief information security officers, security architects, application developers, and security operations professionals we saw consistently that IT professionals – and particularly security teams – had very little visibility into the number of APIs traversing their networks. We embarked on a campaign to raise API security awareness through research, reporting, and a series of well-attended webinars. In 2020 we continued the journey and focused on how APIs are created and managed. We examined secure coding principles and interviewed more than 50 developers and security professionals at 31 financial services companies, fintechs and insurtechs. This led to our report on “Best Practices in API Security”, and we assessed the level of API Security as very low in several areas including API security testing, training for developers, and management of 3rd party APIs. Some telling numbers from our interviews and research:

  • Nearly half of the companies had no inventory of the APIs they produced or just an approximate count
  • More than two-thirds of the companies indicated that they did not perform specific API security testing
  • Only one of the 31 companies had a designated API security point of contact

We’re very happy to report that since 2019 the level of API security awareness has significantly improved, and we’ve seen both industry body and vendor initiatives to get API security on the radar of CISOs – particularly in financial services. Our follow-up conversations now start at a very informed level and it’s evident that cybersecurity professionals have become very conversant on both threats and defenses. Bravo. We’ve also seen a raising level of API security maturity by software developers, and we attribute part of this to increased sensitivity related to high visibility supply chain attacks (e.g., SolarWinds) and refreshed software assurance programs.

But we’re not done yet. API use continues to explode as more and more organizations dive into microservices, cloud workloads, open banking, and digital transformation products that use APIs to deliver new user experiences. APIs are here to stay. We’re still seeing a constant cadence of API related security breaches but overall, the market is on a good trajectory. But we must do more.

APIs are complex and it’s very easy to make mistakes related to authorization, authentication, and disclosure of too much information to attackers by way of error messages. For this reason, we are recommending specific API Security solutions that can complement, perhaps even strengthen shift left practices of secure API coding, API security testing, and API management. These API security products can shield the right, acting as an additional and important part of an organization’s API security defenses. We’re currently examining innovations related to API runtime protection and our initial analysis is that this is a viable method to limit exposure that might be introduced by API coding flaws or missteps in API management. Stay tuned as API security continues to be on our Hits List for 2021 and beyond.

If you have not embarked on an API security improvement journey, now is the time to start. I’ll be covering additional aspects and recommendations in upcoming blogs and a joint webinar with Cequence “Shielding Right to Strengthen Shift Left: Here’s How” on October 6th.

Joseph has been a cybersecurity analyst since 2019. He’s worked in information security for more than 45 years. His previous roles include operations officer for the U.S. intelligence community, a CISO at large publicly traded companies, and a cybersecurity strategy consultant for Accenture and PwC. He has worked in 115 countries, and he’s keenly interested in disruptive and emerging cybersecurity technologies.

 

analystapAPI Securityguest blog

About the Author

Joseph Krull

CISSP, IAM, CISA, CRISC, CIPP, Senior Cybersecurity Analyst at Aite-Novarica Group

It's a wrap on Black Hat 2022
12 August 2022

Black Hat 2022 — End-to-End Fun and API Security

Read More
Network IQ
9 August 2022

Network IQ: How the Largest API Threat Database Protects Your APIs

Read More
Ulta Beauty Reduce Costs - By Blocking API-based Enumeration Attacks
3 August 2022

Ulta Beauty Reduces Costs by Blocking API-based Enumeration Attacks

Read More
Unified API Security Bot Management
29 July 2022

Mergers and Acquisitions in API Security and Bot Management

Read More
National Intern Day - We Lover Our Interns
28 July 2022

Interning for an API Protection Leader — Summer 2022

Read More

Subscribe to our blog

Join us for our Weekly Webinar Series: API Best Practices Register now