API security is one of the most serious network security challenges facing enterprises today. In the past 12 months, API attacks have increased by 681%, while the overall API traffic has also increased by 321%. According to Salt's API security report for the first quarter of 2022, malicious API calls have soared from 2.73 million per customer per month in December 2020 to 21.32 million per month in December 2021. Salt's customers have web application firewalls, and almost all customers have API gateways, but API attacks are bypassing these security controls.
API security is out of control
The explosive growth of API attacks is also stifling business innovation. For example, 62% of enterprises admit that the launch of new products and applications has been delayed by API security issues. In addition, 95% of DevOps leaders and teams said they had experienced an API security incident in the past 12 months. One third of DevOps organizations said that although they run APIs in production environments, their companies lack any API security policy.
According to Gartner, API attacks will accelerate and double by 2024. At the same time, the business volume carried by APIs is also growing rapidly. From 2019 to 2021, the number of API-related queries grew steadily, with an average year-on-year growth of 33%.
DevOps leaders are under pressure to deliver digital transformation projects on time and within budget, and also need to develop and fine-tune APIs. Unfortunately, when a DevOps team is rushing to complete a project before the deadline, API security management often becomes an afterthought. When the DevOps teams across an enterprise lack the API management tools and security protection they need, API security problems quickly get out of control.
DevOps teams need a reliable and scalable method to keep API security from getting out of control. In addition, they need to bring API management under a zero trust framework to reduce the risk of data disclosure.
Six stages of API protection
Cequence Security and Forrester proposed six phases of API protection at the DevOps and API security webinar.
"The largest organizations deal with hundreds of applications using extension APIs on a daily basis. As digitalization deepens, they will face tens of thousands or hundreds of thousands of APIs in the future. Therefore, it will become more difficult to manage and track APIs," Sandy Carielli, chief analyst at Forrester, said at the webinar.
Cequence Security divides API protection into six stages. The first stage starts with the discovery and identification of all public-facing APIs, and then advances to inventory, compliance, detection, prevention and detection.
Cequence Security believes that adopting an integrated, lifecycle-based iterative approach throughout the API security lifecycle can help identify and manage APIs and effectively detect and prevent API attacks.
Sandy Carielli, chief analyst at Forrester, pointed out that APIs should be managed as vulnerable and unprotected open attack surfaces. Cyber criminals know that APIs are poorly protected, and API attacks have maintained triple-digit growth rates in recent years. Enterprises urgently need a zero trust framework for API security management.
API attack surface management is inseparable from zero trust
The API vulnerabilities at Capital One, JustDial, Venmo, Panera Bread, T-Mobile, the U.S. Postal Service and other companies show that thousands of APIs are unprotected and are one of the favorite attack surfaces of cyber criminals. APIs require least-privilege access and should be managed with a micro-segmentation-based approach. Combining these two elements of zero trust with an identity and access management (IAM) framework to manage APIs will reduce the number of "rogue APIs" and "missing APIs" that enterprises struggle to track. In addition, applying least privilege, micro-segmentation and IAM will reduce the number of endpoints created for internal testing that remain open and can still reach APIs.
The API life cycle needs to be built on zero trust
Security controls should not be a stumbling block for DevOps. Embedding zero trust into the API life cycle starts with not trusting data supplied by the client, and with a default-deny process that removes all implicit trust. DevOps leaders need to build authentication into every phase of the API lifecycle. The goal is to define explicit trust rules for every API development and deployment project.
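As an added illustration (not code from the article or from any vendor it mentions), the following shows one way to encode "explicit trust rules per API, default deny otherwise": every route must be registered with the scopes and micro-segment it requires, unregistered or unauthenticated calls are rejected, and routes observed in traffic but absent from the inventory are flagged as candidate rogue APIs. Route names, scopes, segments and observed traffic are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TrustRule:
    required_scopes: frozenset   # least privilege: only the scopes this route needs
    segment: str                 # micro-segment from which the route may be called

@dataclass
class Caller:
    subject: Optional[str]       # None means the request carried no verified identity
    scopes: frozenset = frozenset()
    segment: str = "public"

class ApiPolicy:
    """Default-deny authorization: no registered rule means no access."""
    def __init__(self) -> None:
        self.rules: dict[tuple[str, str], TrustRule] = {}

    def register(self, method: str, path: str, scopes, segment: str) -> None:
        self.rules[(method, path)] = TrustRule(frozenset(scopes), segment)

    def authorize(self, method: str, path: str, caller: Caller) -> tuple[bool, str]:
        rule = self.rules.get((method, path))
        if rule is None:
            return False, "deny: no trust rule registered for route"
        if caller.subject is None:
            return False, "deny: unauthenticated"
        if caller.segment != rule.segment:
            return False, "deny: caller outside allowed segment"
        missing = rule.required_scopes - caller.scopes
        if missing:
            return False, f"deny: missing scopes {sorted(missing)}"
        return True, "allow"

def find_rogue_routes(observed, policy: ApiPolicy) -> list[tuple[str, str]]:
    """Routes seen in traffic with no trust rule: forgotten or rogue API candidates."""
    return sorted(r for r in set(observed) if r not in policy.rules)

def build_sample_policy() -> ApiPolicy:
    policy = ApiPolicy()   # constructed sample inventory
    policy.register("GET", "/v1/accounts", ["accounts:read"], "internal")
    policy.register("POST", "/v1/payments", ["payments:write"], "internal")
    return policy

# Constructed sample of (method, path) pairs observed at the gateway.
SAMPLE_OBSERVED = [("GET", "/v1/accounts"), ("GET", "/v1/internal/debug"),
                   ("POST", "/v1/payments"), ("GET", "/v1/internal/debug")]
```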
Effective API governance based on zero trust
DevOps leaders and their teams need to balance the business's growing demand for APIs with the need to maintain compliance while supporting new digital transformation projects. Faced with pressure to ship APIs quickly, DevOps teams have tended to pursue business gains first and catch up on compliance, security and privacy when the development schedule allowed. Security controls must move to API-level trust, defining a security context for each type of API produced.
Strengthen CI/CD and SDLC with zero trust
Attacks on the source code supply chain show that zero trust must be at the core of DevOps frameworks and processes such as Continuous Integration/Continuous Delivery (CI/CD) and the SDLC. Software supply chain attacks like SolarWinds succeeded in altering the core executable files of an application and then infecting the entire supply chain. This makes zero trust an urgent problem that DevOps teams need to address today. Only by integrating security in the SDLC design phase does security stop being a drag on code production. The SDLC cycle will also run faster because security is no longer an additional process bolted on after the project ends, which greatly improves code security governance.
API security cannot be an afterthought
In order to complete large-scale digital transformation projects on time, many DevOps team leaders rush the API release cycle and regard security as an obstacle to getting the work done. This leads to careless or even missing API security inspection and audit. Everyone on the DevOps team is forced to meet or beat the code release date. API security becomes an additional process that no one has time for, and API security problems spread.
When zero trust becomes a design goal of API and DevOps processes, security can be strengthened across the entire SDLC. In addition, IAM and micro-segmentation will greatly improve the accuracy of the API inventory, reduce the threat from rogue or forgotten APIs, and prevent a network attack from paralyzing an entire platform or company.