APIs are increasingly a favorite target for hackers seeking to compromise cloud environments with malware such as cryptojacking and ransomware. 42Crunch and Cisco are addressing these threats by advocating a “shift-left” approach to API security and discovery that empowers developers to code protection into the API build process.
Although cloud environments offer enterprises many security benefits, new vulnerabilities continue to arise that offer attackers fresh avenues into cloud-based environments. One such attack path is the API. Every connected mobile, modern web, or cloud-hosted application uses and exposes APIs. These APIs provide access to data and let callers invoke application functionality.
While they are relatively easy to expose, they are difficult to document and defend. As a result, shadow and zombie APIs are rife, type checking is lax, API specifications are incomplete, and authentication and authorization issues often creep up. To address these challenges, 42Crunch collaborated with Cisco to create APIClarity, a new open-source tool to improve the configuration and protection of APIs.
In a recent study into the Cloud Threat Landscape, IBM found that two-thirds of cloud breaches can be attributed to misconfigured APIs.
Today, APIClarity uses a service mesh framework to discover APIs and can be used together with the 42Crunch API Audit capabilities to improve the configuration of the API specification. Knowing the API specification is the first step in identifying API risks. APIClarity captures all existing API traffic and constructs the OpenAPI specification by observing that traffic. It also allows users to upload OpenAPI specifications and to review, modify and approve the generated specs.
It alerts the user to differences between the approved API specification and the one observed at runtime, and it detects shadow and zombie APIs, with a UI dashboard for auditing and monitoring the API findings.
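The comparison between an approved specification and observed traffic can be sketched as follows. This is an added example, not APIClarity's code: it assumes "shadow" means an observed operation that is absent from the approved spec and "zombie" means an observed operation the spec marks `deprecated: true`, and the spec, paths and traffic samples are constructed.

```python
import re

# Assumption: shadow = observed but not in the approved spec;
# zombie = observed but marked deprecated in the approved spec.

# Constructed approved spec (OpenAPI "paths" object, trimmed to what the check needs).
APPROVED_PATHS = {
    "/users/{id}": {"get": {}, "delete": {"deprecated": True}},
    "/orders": {"get": {}, "post": {}},
    "/v1/orders": {"get": {"deprecated": True}},
}

# Constructed observed traffic: (method, request target) pairs.
OBSERVED = [
    ("GET", "/users/42"),
    ("GET", "/orders?page=2"),
    ("GET", "/v1/orders"),
    ("POST", "/users/42/impersonate"),
    ("PUT", "/orders"),
    ("DELETE", "/users/7/"),
]

def _template_regex(template):
    """Turn an OpenAPI path template into a regex; {param} matches one segment."""
    parts = re.split(r"(\{[^/{}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

def classify(paths, observed):
    """Map 'documented', 'zombie' and 'shadow' to sorted lists of operations."""
    compiled = [(t, _template_regex(t), ops) for t, ops in paths.items()]
    result = {"documented": set(), "zombie": set(), "shadow": set()}
    for method, target in observed:
        # Normalize: drop the query string and any trailing slash.
        path = target.split("?", 1)[0].rstrip("/") or "/"
        verb = method.lower()
        for template, rx, ops in compiled:
            if rx.match(path) and verb in ops:
                kind = "zombie" if ops[verb].get("deprecated") else "documented"
                result[kind].add(f"{method} {template}")
                break
        else:
            # No approved operation matches this method and path.
            result["shadow"].add(f"{method} {path}")
    return {k: sorted(v) for k, v in result.items()}

if __name__ == "__main__":
    for kind, ops in classify(APPROVED_PATHS, OBSERVED).items():
        print(kind, ops)
```

A known path called with an unlisted method (`PUT /orders`) is reported as shadow, because the comparison is per operation rather than per path.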
Welcoming the announcement, Vijoy Pandey, VP of Emerging Technologies and Incubations at Cisco, said, “Having a robust API security strategy is critical for enterprises to succeed with their digital transformation projects. Launching APIClarity represents a significant step in providing an end-to-end API security solution for enterprise cloud environments. We’re excited about the potential for APIClarity to empower developers to adopt a security as code approach to protecting their APIs, and to continue working with organizations like 42Crunch who share the same vision for enabling greater API security.”
Isabelle Mauny, field CTO and co-founder of 42Crunch, said, “Security and API teams stand at a crossroads today. They can either try to continue to block API threats, after they have been identified and caused potential damage, or they can adopt a preventative stance by coding security into their APIs at design time, ensuring protection throughout the lifecycle of the API.”
“This initiative by 42Crunch and Cisco empowers developers with the tools to build and automate security into their API development pipeline. It also ensures security teams retain full control of security policy enforcement at every stage of the API lifecycle, from design through to run-time protection,” continued Mauny.