How are you addressing the challenges of API security?
Recent security breaches have occurred that take advantage of APIs to steal customer data. APIs are widely used in enterprise applications. Because of that, you need to focus more closely on API security during the software validation process. This is an area that’s still emerging in terms of awareness, implementation, and ownership.
Additionally, API security combines all the usual challenges of API testing with the challenges of traditional application security testing (AST).
Recently I had the opportunity to talk with Sandy Carielli, principal analyst at Forrester Research, about her thoughts on application security, static application security testing (SAST), and the OWASP API Security Top 10.
I am pleased to share a preview of Sandy’s expert insights on API security testing. Sandy will be the featured guest in our upcoming webinar on April 22, 2021, at 9 a.m. PT.
Q: Application security is growing in importance. How critical is API security to overall security efforts?
A: API security is vital to overall security efforts. APIs have become a core component of modern applications, and many development teams build their applications to be “API first.” That means that if the API is not secured, then the application is not secured. We have seen numerous instances of breaches due to poorly implemented or unprotected APIs. API breaches have revealed customer purchases, user account information, and even the COVID-19 status of households on the other side of the world.
Q: OWASP has been central to application security with its free training and Top 10 list. Will the OWASP API Security Top 10 have the same impact for API security?
A: This seems to be happening already. Users are looking to the OWASP API Security Top 10 as a starting point to understand what they need to consider. I can’t tell you how many vendors I have spoken to that bring in the OWASP API Security Top 10 as part of how they support customers’ API security. Issues like broken authentication, broken authorization, and excessive data exposure are prevalent. That said, the OWASP Top 10 won’t solve all your security problems, you need to look more holistically at API security than just the OWASP API Security Top 10. For many teams, API security starts with knowing what APIs are in your environment.
Q: Development and Test are typically lacking in security knowledge. How can security teams effectively share their knowledge in a way that lets other people assist in the AST/AppSec process?
A: Developer security champions are a great way for security teams to scale their knowledge to the development organization and to build their credibility with dev. Developer security champions are members of the development teams that are trained up in basic application security principles. They are developers first, but they also bring security knowledge and advocacy to their local team. Champions answer basic security questions from the members of the dev team, and they also have relationships with the security team to reach out when more complex issues arise.
Q: Organizations already have numerous AST tools. Do they fulfill API security needs, or will engineers need something more?
A: Many AST tools don’t test APIs, though some vendors are starting to extend their capabilities or offer additional tools that focus on APIs. Work with your AST vendor to understand the extent to which it supports testing APIs, and be prepared to bring in additional tools or services to supplement what it doesn’t offer. Until you have a full suite of testing tools that analyzes APIs, consider adding some API-focused penetration testing services into the mix.
Q: How does static analysis (SAST) fit into an API security testing strategy?
A: If static analysis tools can help identify flaws in your API definitions, they will be a valuable part of the pre-release API testing process. As with overall application security, no one tool will solve all your problems, but static analysis is effective at finding issues early in development, ideally in developers’ contexts, making remediation easier. An API-aware SAST tool will help you find and fix API security flaws early in the lifecycle.
Arthur has been involved in software security and test automation at Parasoft for over 25 years, helping research new methods and techniques (including 5 patents) while helping clients improve their software practices.