
3 Simple Steps to Improve API Security


Carlos Rodriguez Iturria is a Director of Data Integration, API and Security with foryouandyourcustomers.

Foryouandyourcustomers is a consulting boutique with 20 different offices across Europe and APAC. They specialize in all aspects of data, and API security is one of their strongest core capabilities. They can help you explore and maximize the use of your APIs so that they are effectively secured, governed and designed for reusability and consumption.

A bird sitting on a tree is never afraid of the branch breaking, because its trust is not in the branch but in its own wings. This line is very profound.

No matter what you do, there is no way you can avoid cyber-attacks, but you can avoid data breaches.

It is exactly the way solution architects design solutions: on the assumption that failures are eventually going to happen. In this case, it is not a question of whether we are going to have cyber-attacks, but of when we are going to receive one. When that happens, we want to ensure that we do not have a data breach.

We know APIs are important. APIs are everywhere. In the last few years API adoption has exploded. In the last year, we saw growth of 200% in the use of APIs, because APIs provide that level of business agility and speed. Many new APIs are going to be created all the time, and existing APIs will keep evolving. This creates a problem that we call the "API explode effect": IT does not have enough capacity or capability to continue ensuring that all APIs are protected and secure. Around 76% of organizations we spoke to said that they have been breached in the last couple of years.

So, as an end user, I am worried about my personal data. I don’t know how my data and personally identifiable information is being shared and how it is being used.

As a technologist, I am excited, because it is a great opportunity to fix this problem.

Common reasons for data breaches

Known vulnerabilities – in most cases, data breaches are because of known vulnerabilities. But these come to light only after the breach.

Rogue, zombie or shadow APIs – We leave many APIs running even when we are no longer using them. They are running when they should not be. APIs should have a lifecycle and should be retired or evolve into another version as we progress. In reality, this is often not the case.

External exposures, credentials or keys – We believe that we are protecting our APIs, because everything is properly authenticated and authorised. But if the credentials or keys are not in our control, our APIs are exposed.

Operator errors – This is one of the most common causes of data breaches. Security misconfigurations in infrastructure and services create entry points that can be exploited.

Undiscovered vulnerabilities and bugs – No software can be 100% bug free. Cyber criminals seek to identify and exploit undiscovered vulnerabilities lurking in your APIs.

Data breaches happen in two phases of the lifecycle of an API. The first is when an API is already running in production, serving customers and end users. The second is when we are developing and testing those APIs. We need the ability to discover these vulnerabilities before the APIs are deployed.

Risk evaluation aims to reduce the financial impact of data breaches, cyber-attacks and operational disruptions. Five pillars to look at –

  • Enterprise API inventory – Have an API asset inventory and discovery process. We need to go into the actual network, study the requests and communication, and catalog the API inventory. Everything that provides data can be hacked, so we have to be careful. Ensure you have schema documentation for these APIs.
  • Uncover API vulnerabilities – Check for vulnerabilities and prioritize remediation.
  • API attack management – You should have an API security solution that tells you what can be done to stop an attack without human intervention. Detection and prevention of attackers and suspicious behaviour in real time is important.
  • Post-mortem analysis – Post-mortem analysis is important. If there is an attack, you need to know whether that attack resulted in a data breach.
  • Penetration testing – Penetration testing is very important. It will identify vulnerabilities in your APIs before they are pushed into production, so you can remediate them before they are deployed.
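As an added illustration of the first pillar and of the "rogue, zombie or shadow APIs" point above (this is example code, not from the article or from foryouandyourcustomers): it reads constructed gateway access-log lines, groups requests into routes, and compares them with a constructed inventory to flag shadow routes (traffic to APIs nobody catalogued), zombie routes (retired APIs still receiving traffic) and idle routes (catalogued APIs with no traffic, candidates for retirement). The log format and inventory layout are assumptions.

```python
import re
from collections import Counter

# Constructed sample of API gateway access-log lines (not from the page).
# Assumed format: <timestamp> <method> <path> <status>
LOG_LINES = """\
2024-05-01T10:00:01Z GET /v2/customers/1042 200
2024-05-01T10:00:02Z POST /v2/orders 201
2024-05-01T10:00:03Z GET /v1/customers/77 200
2024-05-01T10:00:04Z GET /internal/debug/dump 200
2024-05-01T10:00:05Z GET /v2/customers/1042/cards 200
""".splitlines()

# Constructed inventory: the APIs the organisation believes it is running.
# "retired" marks versions that should no longer receive any traffic.
INVENTORY = {
    ("GET", "/v2/customers/{id}"): {"status": "active"},
    ("POST", "/v2/orders"): {"status": "active"},
    ("GET", "/v1/customers/{id}"): {"status": "retired"},
    ("DELETE", "/v2/orders/{id}"): {"status": "active"},
}

LOG_RE = re.compile(r"^\S+ (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def normalize_path(path):
    """Replace numeric path segments with {id} so requests group into routes."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def observed_routes(lines):
    """Count the (method, route) pairs actually seen on the network."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # skip malformed lines instead of aborting the whole discovery run
            counts[(m["method"], normalize_path(m["path"]))] += 1
    return counts

def classify(inventory, counts):
    """Split routes into shadow (unknown), zombie (retired but live) and idle (never seen)."""
    shadow = sorted(r for r in counts if r not in inventory)
    zombie = sorted(r for r in counts if inventory.get(r, {}).get("status") == "retired")
    idle = sorted(r for r in inventory if r not in counts and inventory[r]["status"] == "active")
    return {"shadow": shadow, "zombie": zombie, "idle": idle}

def run():
    """Classify the constructed log sample against the constructed inventory."""
    return classify(INVENTORY, observed_routes(LOG_LINES))
```

Each shadow route should be either documented with a schema and added to the inventory or shut down; each zombie route is a retirement that never actually happened.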

To summarize: if you are not thinking about these points, you are at high risk of a data breach.

Carlos Rodriguez Iturria
I am extremely passionate about people, technology and the most effective ways to connect the two by sharing my knowledge and experience. Working collaboratively with customers and partners inspires and excites me, especially when the outcome is noticeably valuable to a business and results in true innovation. I enjoy learning and teaching, as I recognise that this is a critical aspect of remaining at the forefront of technology in the modern era. Over the past 15+ years, I have developed and defined solutions that are reliable, secure and scalable, working closely with a diverse range of stakeholders. I enjoy leading engagements and am very active in the technical communities – both internal and external. I have stood out as a noticeable mentor running technology events across major cities in Australia and New Zealand, covering various technology areas such as Enterprise Integrations, API Management, Cloud Integration, IaaS and PaaS adoption, DevOps, Continuous Integration and Continuous Automation, among others. In recent years, I have shaped my role and directed my capabilities towards educating and architecting benefits for partners using APIs and Cloud Native technologies. I get especially excited when I am able to position both as a way to exceed my customers' expectations.
