Mahamadou Zakari is an API architect with over seven years in the industry. He discusses ways to align security and development for stronger API security in this article.
Historically, developers and security teams have worked in silos, leading to insufficient security measures and increased risks. Developers create exceptional user experience and functionalities, whereas the security team focuses on identifying vulnerabilities and preventing or mitigating risks. This conflict-work-driven approach leads to issues like a lack of communication and collaboration between these teams, which also leads to misunderstandings, complex systems, and dependencies. The development team works with various technological stacks and often relies on third-party libraries. These integrations are not always secure, not easy to monitor and may introduce additional security risks, misaligned priorities and goals. For example, the development team may be pressured to release new features quickly, whereas the security team may prioritize resolving issues discovered later in the API lifecycle. Such a divergence can result in conflicts and delays in securing APIs.
Last but not least, the scarcity of resources and financial limitations are among the biggest constraints organizations face while securing their APIs. These challenges can be burdensome and time-consuming for organizations. That is why security should be a collaborative effort introduced early within each stage of the software development lifecycle.
API governance aims to establish a framework for secure, consistent, easy-to-use, and maintained APIs throughout their lifecycle. Organizations can build an effective API governance based on four core foundations –
- Identifying and engaging the key stakeholders involved in the API lifecycle—It’s important for each stakeholder to define their responsibilities and how and why they need to fulfill them. The goal here is to ensure everyone’s responsibility. Everyone’s requirements and interests are considered so decisions can be made collaboratively.
- Clear definition of stages and API goals – Decide on how they should be managed with proper controls and align with business objectives.
- Guidelines are crucial aspects that provide best practices and are tools for API lifecycle management. They aim to enable interoperability and reliability across all APIs within an organization.
- Refinement consistently and continuously enhances API governance, framework, and processes. It involves reviews to ensure guidelines are correctly unforced, gathering feedback from stakeholders to improve processes, and periodic audits to ensure APIs still comply with the organization’s strategy and regulations. It also involves training to adapt to changing business needs and technological progress, which brings numerous chances and challenges in terms of security.
When implementing an API governance framework tailored to their needs, organizations can foster an environment that allows security and development alignment. This will reduce the risk of security breaches, and enable APIs to be secure and reliable among diverse methods and philosophies that organizations can use within their governance framework.
Security by design
Security by design involves designing and implementing security measures early in the API lifecycle, ensuring API security from the ground up. Organizations can leverage this philosophy by adopting API-first, security-first, and design-first approaches.
API-first design involves designing the API before any other part of the application. This law ensures a clean separation between the API and application, making it easier to secure the API independently. Organizations used to have strong measures to test and secure their applications, but not enough for underlying APIs.
Security-first means that security measures and considerations should be given the highest priority. It ensures that potential risks from threats are identified and appropriate controls are put in place to mitigate them.
Design-first consists of designing the API and producing its specifications before implementing it. This enables clear communication between API providers and consumers and ensures that both parties’ requirements are met.
These approaches encompass a comprehensive strategy for leveraging security by design and enable organizations to address security with a proactive approach, better protect their sensitive data, and build a robust API architecture.
When designing and implementing APIs, the first step is producing the API definition with a purpose, targeted audience, and data to be processed. During this phase, organizations need to involve all stakeholders to make this definition as accurate as possible.
We cannot secure what we don’t know. So, the very first step is to know your product clearly, and then you can secure it better. Based on a clear API definition, it’s possible to conduct an API security assessment in order to define the appropriate security for the API. By having both a clear API definition and appropriate security requirements, it’s possible to start designing API security.
In summary, security by design ensures APIs are designed and developed with security at the forefront, providing a solid foundation for secure data exchange and mitigating potential risks.
Security by design mainly focuses on the application’s overall design and architecture. DevSecOps is more concerned about operational practices and activities that can be implemented within the DevOps pipeline. DevSecOps integrates security into every step of the software development lifecycle, ensuring security is prioritized throughout the entire process and not just an afterthought.
Organizations can use this approach by promoting shared responsibility and integrating and automating security. Security considerations are integrated into the development process through collaboration and cooperation between development and security teams; developers can work closely with a security expert to understand and enforce security practices. Security experts can better understand APIs and guide to ensure security requirements are met. Organizations need to integrate security by enforcing secure coding practices to identify and resolve potential vulnerabilities. Finally, they must automate repetitive security tasks by enabling continuous testing to streamline the security process and reduce human error. The main advantage of this philosophy is increased efficiency. It improves communication and collaboration, enables agility, faster time to market and better risk management.
DevSecOps and security-by-design will enhance the overall API security posture by enabling organizations to prioritize proactive security measures while improving their ability to react effectively. Their implementation will require expertise and organizations to address the following –
- Complexity – because integrating various technologies and promoting collaboration among diverse teams will be challenging.
- Stakeholder involvement – Team members comfortable with existing workflows may resist adopting new practices.
- Technological progress – An organization needs to keep up with security practices and technology changes. Because attackers constantly evolve their techniques and new vulnerabilities may emerge.
Promoting security should be everyone’s responsibility to reduce risk and lower costs in the long run.
Organizations may conduct Security Risk Assessments to identify vulnerabilities and gain insight, enabling them to make informed decisions. They may also establish a cost for a cross-functional team. By involving a representative from each team, they can promote security practices with their peers and share difficulties that they are facing. They can foster a culture of security by promoting security awareness through education.
To conclude, aligning security on development is not a one-time effort, but a continuous process that requires commitment from all stakeholders.