We often see how important it is for companies to consider API security holistically. Here are some key points from a recent Gartner report on building an effective API security strategy.
They say, “A security strategy that manages access and protects systems from attack while still engaging digital ecosystems is essential to any API program. Application leaders must design, execute and govern an effective API security strategy, including the use of API gateways.”
Discover, Monitor and Secure – these are the three steps identified in the full paper, which can be downloaded here.
- Ensure visibility across teams by making sure that security, quality and development teams get access to API reports (from API management software, for example). Determine how your organisation’s change management process should be updated to inform relevant stakeholders when implementing a new API, or modifying an existing API.
- Continuously inventory APIs that are delivered by the organisation, or that are in development. APIs that the organisation consumes from third parties should be included in this inventory. An API catalog, typically provided by a full life cycle API management solution, can be used for this purpose. CDN products, which have visibility into web traffic that may include API traffic, can be used to dynamically discover APIs.
- Integration with the software development life cycle, and in particular application development life cycle management, allows planned development efforts for new APIs, or changes to existing APIs, to be accounted for upfront rather than inventorying them later. This becomes critical for DevOps and DevSecOps so that appropriate API security policies can be applied as APIs are developed.
- Quiz vendors on their ability to identify normal behaviour and anomalies in API usage, especially for cloud-delivered APIs.
- Monitor external third-party APIs consumed by the organisation. This may be performed by the “reverse gateway” capability provided by some API management vendors, to apply policies to API consumption (not just API delivery).
- Categorise APIs based on monitoring the data and applications they can access, whether they are business critical, and their client usage profiles.
- Apply policies to APIs (for example, using an API gateway) but avoid situations where each API has a unique security policy. Instead, leverage a reusable set of policies that are applied to APIs based on their categorisation. Abstract any specific API characteristics (such as URL path) from the policies themselves.
- Apply API security throughout the API life cycle, including application security testing (AST) of new versions.
- Good API security also requires change control throughout the entire application life cycle. For example, only certain developers should be allowed to make changes to the API, and application security testing is performed whenever an API change is made during development. Undocumented changes to APIs can also have serious implications to the availability and security of the overall system (for example, some protections may stop working as expected if the API changes).
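To make the inventory, categorisation and reusable-policy points concrete, here is a small Python model I have added for this post. It is illustrative code, not from the Gartner paper, any API management vendor or the page's authors. The category names, the contents of the policy sets, the data-class labels and the sample inventory and traffic paths are all constructed for the example. It shows three things: deriving a category from what an API can access, how critical it is and who its clients are; attaching policies to categories rather than to individual APIs, with a check that no policy carries API-specific characteristics such as a URL path; and comparing paths observed in traffic (say, from CDN logs) against the inventory to surface undocumented APIs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Api:
    name: str
    path: str                  # recorded in the inventory, never referenced by a policy
    data_classes: frozenset    # constructed labels such as "pii" or "financial"
    business_critical: bool
    clients: str               # "internal", "partner" or "public"
    origin: str = "delivered"  # "consumed" for third-party APIs the organisation calls


# Reusable policy sets keyed by category. Values are constructed for this
# example and stand in for whatever an API gateway would actually enforce.
POLICY_SETS = {
    "public": {"auth": "api_key", "rate_limit_per_min": 1000, "tls_min": "1.2"},
    "partner": {"auth": "oauth2", "mtls": True, "rate_limit_per_min": 500, "tls_min": "1.2"},
    "sensitive": {"auth": "oauth2", "mtls": True, "rate_limit_per_min": 100,
                  "tls_min": "1.2", "payload_inspection": True, "audit_log": True},
}

SENSITIVE_DATA = frozenset({"pii", "financial"})


def categorise(api: Api) -> str:
    """Derive a category from data access, business criticality and client profile."""
    if api.business_critical or (api.data_classes & SENSITIVE_DATA):
        return "sensitive"
    if api.clients == "partner":
        return "partner"
    return "public"


def policy_for(api: Api) -> dict:
    """Policies are looked up by category; no API gets a policy of its own."""
    return POLICY_SETS[categorise(api)]


API_SPECIFIC_KEYS = {"path", "url", "host", "api_name"}


def policy_leaks_api_details(policy: dict) -> list:
    """Return policy keys that bind the policy to one API (for example a URL path)."""
    return [k for k, v in policy.items()
            if k in API_SPECIFIC_KEYS or (isinstance(v, str) and v.startswith("/"))]


def discover_unknown(inventory, observed_paths) -> list:
    """Paths seen in traffic (for example CDN logs) that no inventoried API claims."""
    known = {a.path for a in inventory}
    return sorted(set(observed_paths) - known)


# Constructed inventory and traffic sample for the example.
INVENTORY = [
    Api("catalog", "/v1/products", frozenset(), False, "public"),
    Api("orders", "/v1/orders", frozenset({"pii"}), True, "partner"),
    Api("shipping-quotes", "/v1/shipping", frozenset(), False, "partner"),
    Api("fx-rates", "https://rates.example/v2", frozenset(), False, "internal", origin="consumed"),
]

OBSERVED_PATHS = ["/v1/products", "/v1/orders", "/v1/legacy-export"]


def main():
    for api in INVENTORY:
        print(f"{api.name:16} {categorise(api):10} {policy_for(api)}")
    for cat, pol in POLICY_SETS.items():
        leaks = policy_leaks_api_details(pol)
        print(f"policy {cat}: {'OK' if not leaks else 'API-specific keys ' + str(leaks)}")
    print("undocumented paths:", discover_unknown(INVENTORY, OBSERVED_PATHS))


if __name__ == "__main__":
    main()
```

Running it lists each API with its category and the policy set it inherits, confirms that none of the policy sets mentions a path or host, and reports `/v1/legacy-export` as a path that is being served but is missing from the inventory. The point of the `policy_leaks_api_details` check is the one made in the list above: once a policy names a specific URL path it stops being reusable, and an undocumented change to that path can silently switch the protection off.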
The full Gartner paper goes on to recommend a distributed enforcement model to protect APIs across the entire architecture, not just at the edge. They also provide a compelling banking case study which illustrates their points.