API Gateways are the New Strategic Control Points (But Still Lack Security)

The transformation from monolithic applications to ecosystems of microservices has made APIs a strategic and critical point of control. Whereas web application firewalls (WAFs) have been a primary tool for protecting HTTP-based applications, APIs have lacked equivalent controls for adequate compliance, security, and auditing. As API and non-human traffic surpasses web app traffic, security controls need to advance as well. Security leaders should use the emerging trends as an opportunity to learn more about protecting APIs and as means to drive API security improvements within their own organization.

The API Explosion is Pervasive – The proliferation of APIs will continue. Moreover, it may not be just the DevOps team that is pushing out APIs. Other parts of the organization, such as the marketing team, can be publishing their own or even using third-party APIs as part of marketing efforts. For the security team, an accurate inventory of APIs in use is a critical first step.

Collaboration is Key – Security teams need to partner with DevOps to design and implement adequate API security controls. DevOps wants to move fast. The security teams need to understand the DevOps motions and institute security controls that can be centrally managed and automated into the CI/CD processes.

API Gateway Security Is Lagging – Today’s API gateways typically focus on authentication, versioning, and analytics (for metering and billing). Although these security controls are important, they do not provide full protection for APIs. Sufficient API security needs to defend against attacks on authentication services, layer 7 DoS, data exfiltration, exploits, injections, and anomalies.

Directly in the Crosshairs, APIs Remain Vulnerable

APIs are at the heart of today’s digital business platform as crucial points of control. APIs are typically designed to be externally exposed and accessed by business partners, customers, and microservices. Just like web applications, APIs can be a doorway to sensitive data that needs to be adequately protected. Recent API-related incidents at organizations such as Venmo, Facebook, and Salesforce can serve as lessons on the importance of API security. F5 Labs highlights additional API mishaps of note here.

As with many technology advances, security often trails behind. API security is not an exception to this rule. While the API-driven economy is rolling along, security pros can be overwhelmed with the volume, pace, and intricacy of addressing API security.

Mass proliferation of APIs will continue. As applications become the focal point of businesses, the proliferation of APIs will continue to surge. The Programable Web API directory has seen a rapid increase in published APIs in 2019 (hundreds of new APIs every month). We expect this number to continue to climb, especially as industry sectors push for API-based interoperability. The EU’s PSD2 (Revised Payment Service Directive) is a good example.

Security must keep pace with the CI/CD pipeline. API gateways that support “versioning” enable API providers to continuously add new functionality and features without breaking existing client integrations. This is great for CI/CD, however if security slows the process, it can directly impact business and negate the benefits of agile development. To keep pace with these environments, security controls must be automated and integrated into the release process in a way that the security team can centrally enforce common controls without impacting release cycles.

Disparate API security ownership is a factor. APIs are used throughout the organization—mobile apps, microservices, in the cloud, and on-premises. Visibility and API inventory capabilities across the organization is still developing leaving some APIs outside the purview of the security team. Cross-organizational leadership and stakeholders must be educated on enforcing consistent security practices and controls.

API gateway security is immature. There are many vendors positioning API gateways today—companies like MuleSoft, Google (Apigee), Kong, Istio, and Oracle. These provide required API gateway feature sets such as versioning, routing, analytics/metering, and authentication. Each of these has its own strengths and value-add, however full security controls protecting against access violations, injections, DoS, and exploits need to be implemented along with other security gateway services.
_____

With the scene now set, stay tuned for a blog next week (just after the Dec. 25 holiday) where we’ll dive into what you can do to address the challenges outlined above…