1 Introduction
Application Programming Interfaces (APIs) are among the foundations of modern digital business. In a world where information is the crown jewel of many organizations, and increasingly their primary source of revenue, APIs now power the logistics of delivering digital products to partners and customers. The exponential growth of cloud computing and the proliferation of mobile devices have given API adoption another major boost. APIs have become the perfect medium for integrating these heterogeneous systems and facilitating data exchange on a massive scale. Modern cloud-native architectures are also increasingly reliant on automated management and monitoring, which are themselves powered by numerous sets of APIs.
The tempo of this evolution has only continued to accelerate in recent years. As new digital transformation initiatives emerge across industries, diverse business models have dramatically reshaped the technical requirements for API development and operations. New standards, technologies, and development methodologies, introduced to support numerous new use cases, have also added complexity to existing API management platforms.
Security experts have warned about the numerous security risks of APIs for years. But until quite recently, many organizations still believed that their API-related risks could be sufficiently addressed by existing security tools like web application firewalls (WAFs). This was already a misconception years ago, when existing security tools were inadequate for APIs; today, it is downright dangerous. Modern APIs come with a broad set of unique security risks that businesses can’t afford to ignore.
Multiple studies have estimated that APIs are already the biggest attack vector for web applications. However, this assessment does not consider numerous other potential attack vectors the unchecked proliferation of APIs can expose, including public clouds, distributed applications and microservices, mobile clients, and so on. Securing this broad and heterogeneous attack surface is becoming increasingly difficult, and traditional web security tools are completely helpless here.
Tools like Web Application Firewalls also tend to miss the vulnerabilities in API business logic. Providing comprehensive protection against the broad range of API-specific threats and doing it consistently throughout the whole lifecycle of an API is even more complex. In fact, it requires an entirely different understanding of the very notion of an API security solution.
A popular approach towards developing robust and secure applications is “shifting left”. This refers to applying quality management (and specifically, testing for security vulnerabilities) at earlier stages of the software development process. Testing early and often makes application code more resilient to attacks and is generally considered a best practice and an essential part of the “secure by design” methodology.
And yet, shifting left alone cannot be considered a panacea for all API security challenges. Consistent and reliable protection of business-critical APIs must not only extend to every other phase of the API lifecycle, but also be delivered as a holistic, integrated experience. Only in this way is it possible to establish a continuous feedback loop between security teams and developers.