How to handle API sprawl and the security threat it poses
The proliferation of APIs has marked them as prime targets for malicious attackers. With recent reports indicating that API vulnerabilities are costing businesses billions of dollars annually, it’s no wonder they are at the top of mind of many cyber security professionals.
To combat this challenge, it is essential that organizations adopt a security-first approach to address API sprawl, prioritizing the protection of APIs from the ground up.
Start with visibility
As the adage goes, you can only protect what you can see. For a variety of reasons, API endpoints are often created by developers without oversight from the IT or security teams. When this happens, the APIs aren’t managed through standard security and compliance controls. This is why it is essential to discover and inventory all APIs that may exist in your infrastructure to understand how they interact, what data they expose, and what protections are in place, if any.
To start, you can employ continuous API discovery tools (either out of band or inline) to help you identify, categorize, and map the existing API endpoints in your organization. Mapping the ever-changing API landscape can be difficult, so make sure your tools take advantage of the latest machine learning (ML) capabilities to learn the difference between normal API traffic and potential malicious threats. This will help you set the baseline and find so-called shadow APIs that have been forgotten overtime or were built without proper governance and controls in place.
Address critical security vulnerabilities
Once you’ve identified your APIs and created an inventory, you can work with developers to deprecate old, unnecessary, or unauthorized endpoints, then start to evaluate the security risk of all legitimate ones based on factors such as sensitivity of data they handle and their criticality to your organization’s operations. This assessment will aid in prioritizing efforts to address the most significant security risks first and bring any previously unsecured endpoints into the flow of app and API security controls for monitoring and enforcement moving forward.
Sadly, even in 2023, improper access control, including authentication and authorization, remains one of the primary security vulnerabilities for APIs. This is due to a variety of reasons, including oversight, human error, haste, or other causes. Make sure you audit your existing API endpoints both for proper access control policies, and for any business logic errors that give unrestricted access to sensitive data.
Finally, consider ways you can reduce complexity, especially if you are operating in multiple clouds or a mix of cloud and on-premises datacenters. According to our 2023 State of Application Strategy report, tool complexity and difficulty enforcing consistent security policies add to the list of multi-cloud challenges. Using the same tooling across API gateways, WAFs and/or WAAPs, and other infrastructure regardless of environment will help reduce errors and make it possible to apply consistent security policies.
Fix API deployment practices
API security isn’t solely the responsibility of IT security professionals. In most organizations, it’s a shared responsibility that starts early in the software development lifecycle. Once you’ve addressed the most urgent vulnerabilities, it’s time to work with engineering teams to fix deployment gaps.
In many organizations, this will begin with adopting contract-driven API operations to improve collaboration. This is often one of the first steps towards API-first software design, which prioritizes interoperability by writing how the API will function and be secured before any code is written.
Using a standard, human and machine-readable API contract, like the OpenAPI Specification (OAS) for RESTful APIs, has additional benefits. By writing the contract first, and reviewing with stakeholders, you can ensure that developers, infrastructure operators, and security teams are all on the same page.
Additionally, your API gateways, WAFs, and other security technologies and infrastructure should work with the API contract to provide seamless CI/CD integration and automation across the software and API lifecycle. Automating API deployment and security helps prevent shadow APIs from slipping into deployment, so you can address vulnerabilities before APIs go into production.
Define API governance policies and processes
Fixing API deployment practices requires engineering teams, infrastructure operators, and security teams to come together and establish API governance policies for the entire API lifecycle, as well as the processes through which they will be applied.
When done poorly, API governance often imposes burdensome requirements that slow engineering teams down. When done well, however, API governance reduces work, streamlines approvals, and allows different teams in your organization to function independently.
A federated model, where API gateways and other shared infrastructure are provided as a service, often strikes the best balance between control for security and infrastructure teams, and agility for engineering teams. This approach enables IT and ops teams to set guardrails for security and compliance, while empowering API developers to deploy APIs as code and manage fine-grained configurations for their services.
Conclusion
API sprawl typically arises when developers, infrastructure operators, and IT security teams lack alignment and clarity around shared responsibilities for API management and security. This can be exacerbated by complex distributed architectures with many different teams building and deploying APIs across a wide range of environments. It is common for API complexity and security challenges to grow as the number of connections and the number of APIs grows.
The fight against API sprawl and its associated security risks will be an ongoing battle in today’s technology landscape. By taking proactive steps to fight API sprawl with a security-first mindset now, organizations can navigate the challenges while maintaining the integrity and security of their IT infrastructure.