TLDR Key Takeaways
In DevSecOps, everyone is responsible for software quality. Having a methodology for security mitigates risks and serves both business stakeholders and software developers by adding an extra layer of protection to the development process.
APIs make computer to computer communication possible, which means that they present an avenue cyber attackers could use to access your or your clients’ data. For DevSecOps professionals, securing APIs is paramount to a healthy software development lifecycle.
Plus, given the rapid pace of development with APIs, it is critical to ensure security is integrated into the CI/CD process. This article talks about what is DevSecOps and how it makes API security possible. We will also talk about how to secure APIs and build a plan for API security across the development lifecycle.
Coined in 2013 at the OWASP App Sec Conference, DevOps methodology combines agile software development, security, and operations. It’s about integrating security best practices into the development cycle to mitigate cyber threats.
According to Gartner, “DevSecOps is the integration of security into emerging agile IT and DevOps development as seamlessly and as transparently as possible.”
DevSecOps aims both at creating processes around security and, at the same time, builds security culture and practices in every organization to enhance the agility and security of the development process.
DevSecOps rests on four pillars:
While software developers’ ability to deploy applications has improved in both scale and speed, security considerations have been overlooked in favor of meeting the ever-increasing business demands. This preference for improved business outcomes at a greater speed results in security vulnerabilities in the development process representing entry points for cyber attackers.
This is where DevSecOps comes to the table, enhancing application security to keep pace with operations. DevSecOps helps to create an ecosystem that aligns business goals with proper execution on the technology side.
However, to stay true to release dates, software developers often realize that there’s not much time left for proper security practices and security testing, which is when security concerns start appearing. Remediating vulnerabilities that weren’t identified during the early stage of your apps’ lifecycle can cause release delays, issues with your development team, and disgruntled users and business stakeholders due to the potential monetary losses delays in the release date can incur.
Even worse, sometimes development teams circumvent DevSecOps best practices and ship code to production without testing and security scans, regardless of the results. The truth is that no business can afford for software security checks to be the final piece of an app’s lifecycle; especially when it’s straightforward for cybercriminals to find an exposed API endpoint that can be exploited, causing reputation and financial damages to a business.
Security is not just making sure that you are doing what the regulator’s asking you to do. It means making sure that you’re doing everything to protect the information of your company. APIs are an often overlooked part of that security process, which can be especially costly because APIs are everywhere.
According to Akamai, 83% of internet traffic is API-based. This tremendous adoption of APIs as the vehicle for internet traffic has led to an increase in attacks on API endpoints. In fact, research by Gartner shows that by 2022, 90% of cyber attacks will target APIs.
While it’s possible to secure APIs on the client end, and there are indeed plenty of security technologies to scan, firewall, and protect web apps and APIs, the thing is that APIs aren’t just powering our web and mobile interfaces. They’re also exposed as public APIs or externally visible APIs that customers and partners can integrate with. While they enable an unparalleled level of connectivity, they also present a backdoor for attackers.
APIs offer direct access to the most sensitive backend data, so if a cyber attacker has been able to gain access to the API layer, it has bypassed a lot of the security controls and now has access to sensitive data. However, APIs cannot be secured in the same way as other applications. Standard security prevention methods that protect against other vulnerabilities like SQL injections or cross-site scripting don’t hold up against threats that attack API logic.
When hackers search for flaws in application logic, they don’t rely on basic injection attacks. These logic flaws can be damaging to APIs and lead to massive amounts of personally identifiable information (PII) data being lost.
DevSecOps ensures that security is integrated into every stage of the development journey and the app’s lifecycle, bolstering security across the development process, keeping APIs, the most sensitive point of entry, safe.
Learn about other API Security Best Practices by downloading our whitepaper.
You can secure your APIs at three points of their lifecycle: at design time, test time, and run time. We will cover two categories: security vulnerabilities and business logic flaws.
At design time, it is possible to run StaticAppSec testing to uncover code vulnerabilities, but you will get plenty of false positives because the app isn’t running yet.
You can run DynamicAppSec testing at test time, which is great for finding SQL injection vulnerabilities, cross-site, Denial of Service, and similar vulnerabilities. At test time, it is possible to run manual testing such as penetration tests.
At run time, it is possible to secure APIs by looking at their gateways and firewalls. By running these tests, you can find unknown APIs and anomalies. For example, by looking at normal traffic, it’s possible to find DDoS attacks and abnormal bot traffic, but this can introduce latency to the server.
API security automation takes a different approach to traditional security solutions. Here are some requirements:
First of all, API testing must be continuous and run all the time, against every build, not every few months by pen-testers. When testing is done so infrequently, it can leave gaps that hackers can exploit at any time.
Testing must be comprehensive and not simply include testing of a few critical endpoints as hackers can choose to attack at any instance. Therefore, you have to get full coverage of the API, including every endpoint, attack method, variable, and attack vector.
While standard security vulnerabilities are necessary, these can’t be the only thing that an API security automation tool identifies. Today, hackers choose to focus on flaws in the data logic and exploit those to breach APIs. Consequently, data logic flaws need to be identified when conducting API security automation.
Waiting until production to discover API threats, whether data logic flaws or otherwise, can create bottlenecks that negatively impact how quickly organizations can roll out new applications. By beginning the API security automation process during pre-production, you can avoid these bottlenecks and maintain the pace of application deployment.
To start planning your API security with APIsec, you need to do four things:
This means you simply have to point us at your gateway and hand over a definition file, whether it’s Open API, Swagger, Postman, or any other. What we need is a glossary of your API endpoints and the methods they support. With that, we will analyze your entire API and build a roadmap for your APIs’ functionalities and capabilities.
We auto-create thousands of tech playbooks mapped to the OWASP API Security Top 10, exercising every single one of the endpoints and every method during the second step.
Then we run those attacks. The goal is to pressure test the API in every possible way to find ways to get it to leak data or provide unauthorized access and functionalities.
As we discover vulnerabilities, we auto-create tickets to push into JIRA, GitHub, or ServiceNow to push this API vulnerability and logic flood detection into the developer cycle so that they don’t ever make it into production. And all of that in a zero-touch environment, as we don’t need access to your API endpoints.
We combine these four categories with our knowledge of your API to auto-fabricate thousands of unique, custom-made attacks to your APIs. With APIsec, you can come in and view and modify every one of those attacks and integrate them into your ticketing and orchestration systems.
Seismic is a cloud-based sales and marketing automation and enablement tool. Seismic’s customers trust the company with very sensitive, confidential data; thus, they need to make sure that data is not accessible to anyone else.
Seismic has built its service around APIs and exposes them to customers to integrate with the tool and enable their own workflows. To help the company’s data stay secure, we deployed APIsec into their staging environment. So whenever new code pushes into staging, they’re automatically pushing that code into those APIs into APIsec.
Then, we build and execute those new playbooks, find vulnerabilities, and then integrate the results back into the development toolchain, which has enabled Seismic to eliminate a lot of their manual pen testing efforts and get a full ROI in just three months.
If you want to read more about APIs and how DevSecOps reduces your API infrastructure’s vulnerabilities, read our white paper on API Security Best Practices or watch our recorded webinar on Best practices for building security into your APIs.