Techolac - Computer Technology News

Secure Deployment: DevSecOps and Web APIs

by Editorial Staff
September 6, 2019
in Computers

Organizations can live and die by their web presence. Consumers are increasingly reliant on the Internet for shopping for products and interacting with vendors after making a purchase. A business’s website has become its primary connection to the customer.

As a result, securing an organization’s web presence is a crucial part of protecting both its network security and its brand. Many organizations put their focus on their website security and overlook the importance of web API security. An organization’s web API is designed to create a more direct connection between the customer and the data or functionality that they are paying to use. Web APIs expose certain functionality to automated scripts, allowing them to interact directly without working through the website.

However, this same ease of automation can benefit attackers as well as legitimate users. If an attacker gains unauthorized access to functionality of the web API, the same bulk access to data that is so useful to customers makes a data breach a breeze to pull off. For this reason, a web API represents a major potential hole in an organization’s defenses.

The fact is that most developers undervalue security in the development process. Including security functionality is often seen as the last step of the development process. However, security is most effective when it is built into the design from the start. Development methodologies that acknowledge this, like DevSecOps, are especially applicable to API development.

Table of Contents
A Quick Intro to DevSecOps
Applying DevSecOps to Web APIs
Securing Your Web API

A Quick Intro to DevSecOps

The concept of DevOps is the latest in a series of innovations regarding how development should be done. Traditional development methods are designed to ensure that software is built correctly but tend to produce monolithic software projects. These projects are difficult to build and update, and their complexity increases the probability that potential vulnerabilities will be overlooked.

As a result, Agile strategies have been in vogue recently as organizations try to cut down on their development time and costs. These strategies attempt to modularize products, allowing them to be quickly designed, built, and updated by small teams.

The latest iteration in Agile is the concept of DevOps, where development teams make heavy use of automation to help accomplish the goals of Agile design. Tools like continuous integration and testing frameworks ensure that developers are writing tests for code as it is being developed, and that all code added to the project repository is correct before being accepted.

DevSecOps is DevOps with security emphasized as part of the design and development process. In many cases, security is an afterthought tacked on at the end of a project (if it is included at all). As a result, vulnerable software makes it to production, and potentially exploitable code needs to be identified and fixed as patches after release, which is more expensive and less effective than baking in security from the start.

Applying DevSecOps to Web APIs

DevSecOps is a useful and valuable development methodology in any domain, but is especially applicable to APIs. Web APIs are designed to provide a direct connection between the user and a company’s database or protected online resources. The API is responsible for implementing this gateway in a secure fashion, but it is only code.

And code has bugs. The responsibility of the API developer is to ensure that the web API’s code has as few bugs as possible and to minimize the exploitability of these bugs. This requires a complete understanding of all aspects of the web API and how it can be used.

The complexity of many APIs means that security needs to be built in from the start in order to achieve this level of knowledge and understanding. Using a DevSecOps methodology and the associated toolset, an API developer can design and write tests in parallel with code development. This serves as a “double-check” on the code and allows continuous deployment and testing tools to ensure that no mistakes creep into the code or are created through interactions with other components. And building in security from the start minimizes the probability that vulnerabilities will be overlooked in the rush to meet release deadlines.
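As an added illustration of writing security tests in parallel with the code (this is not code from the original article), the sketch below pairs a hypothetical order-lookup API handler with the negative tests a continuous integration job would run on every commit. The handler name, tokens, records and page limit are all constructed for the example.

```python
import hmac

# Constructed sample data: API tokens mapped to customer ids, and per-customer records.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
RECORDS = {"alice": [{"id": 1, "item": "laptop"}], "bob": [{"id": 2, "item": "phone"}]}
MAX_PAGE = 100  # cap on bulk reads per request


def authenticate(headers):
    """Return the customer id for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer":
        return None
    for known, customer in TOKENS.items():
        # Constant-time comparison avoids leaking token prefixes via timing.
        if hmac.compare_digest(known.encode(), token.encode()):
            return customer
    return None


def get_orders(headers, customer, limit=10):
    """Hypothetical GET /customers/<customer>/orders handler: (status, body)."""
    caller = authenticate(headers)
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller != customer:
        return 403, {"error": "forbidden"}
    if not isinstance(limit, int) or not 1 <= limit <= MAX_PAGE:
        return 400, {"error": "invalid limit"}
    return 200, {"orders": RECORDS.get(customer, [])[:limit]}


def run_security_tests():
    """Negative tests a CI job would run on every commit; returns failures."""
    alice = {"Authorization": "Bearer tok-alice"}
    cases = [
        ("no credentials", get_orders({}, "alice"), 401),
        ("unknown token", get_orders({"Authorization": "Bearer guess"}, "alice"), 401),
        ("cross-customer read", get_orders(alice, "bob"), 403),
        ("oversized bulk read", get_orders(alice, "alice", limit=10**6), 400),
        ("legitimate read", get_orders(alice, "alice"), 200),
    ]
    return [name for name, (status, _), want in cases if status != want]


if __name__ == "__main__":
    failures = run_security_tests()
    raise SystemExit(f"FAILED: {failures}" if failures else 0)
```

A non-zero exit from this script fails the build, so a change that removes the ownership check or the bulk-read cap is rejected before it reaches deployment.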

Securing Your Web API

All web APIs, whether REST or SOAP-based, are a major potential weak point in an organization’s network defenses. The same level of convenience and automation that an API provides to a legitimate user can also be to an attacker’s benefit if they gain unauthorized access. A single oversight or mistake in the development process can be the cause of a major data breach.

DevSecOps is designed to minimize the vulnerability of software by ensuring that security is baked into the code from the start. By using the tools and techniques associated with the DevOps style of development, web API developers can ensure that test cases correctly describe the desired functionality of code, and that any deviations or errors are identified as quickly as possible.

Once the development team has done all that they can to create secure API code, it is ready for deployment. However, it is probable that the code still isn’t secure. Developers don’t know everything about cyber threats, and a single mistake or oversight can leave the API open to attack.

This is where a web application firewall comes in. The value of the API makes it a prime target for hackers, and organizations need defenses capable of identifying and protecting against modern attacks. Choosing a top-of-the-line firewall is an essential part of protecting a business’s vital web applications and APIs.

© Techolac © Copyright 2019 - 2022, All Rights Reserved.
