Security investigation: 6 questions to ask before choosing your API security solution
The continuous increase in API attacks comes as no surprise to those of us who understand the inherent vulnerabilities of APIs. The explosive combination of poor security measures and the proprietary nature of APIs make this technology a focal point for attackers and results in constant breaches that take place pretty much everywhere.
Recent attacks prove that no one is safe: British Airways is forced to deal with a record $229.5M fine following a data breach; the US Postal Office is yet another victim, and so are telecommunications giants such as T-Mobile and Verizon after having customer data stolen via API tampering. Another victim is Panera Bread, which had unauthenticated API endpoints result in a wide data breach that allowed attackers to access the data of any customer who had ever ordered food online from the company.
According to the Top 10 API Security Vulnerabilities list created by the Open Web Application Security Project (OWASP), the more popular the use of this technology gets, the more it changes the security landscape and requires a new approach with advanced security solutions. Gartner’s research supports this claim and predicts that by 2022, API-related attacks will become the most frequent form of abuse, leading to the biggest number of data breaches.
What’s so unique about API security threats?
A recent report shows that CISOs are on the hunt for API security solutions to solve this problem. From our experience in working with Fortune 500 companies, these are the most important questions to ask when evaluating different options and trying to find the best API security solution for your organization:
Question #1: Does this solution provide the required visibility?
The rule of thumb is that you cannot fight what you cannot see. Security blind spots are always a major problem, especially when discussing API attacks, which can be unrightfully trusted by developers. Inadequate visibility creates vulnerabilities because security teams simply cannot see which threats are headed their way and cannot properly protect their system. This is particularly true when these are inside threats that grow at a rapid pace while remaining invisible to the company’s security mechanisms.
Question #2: What is the solution’s prevention capabilities?
Detecting threats is an important step, but it’s only the first one. Your chosen solution must be able to mitigate the threat by mapping any significant anomalies and blocking them from entering the organization's core assets. In order for the business to work smoothly, the solution should be smart enough to differentiate between normal transactions and alarming ones based on the company’s specific policies, and alert the necessary technologies and staff members in time. You want to also be able to define which suspicious behaviors call for immediate blockage and which ones should first send an alert and allow the security team to take it from there.
Question #3: At which stage in the development process does the security solution come into play?
Instead of waiting for the production stage to start taking security issues into consideration (which hopefully we can all agree on at this point), think about the security aspect at the early parts of the development cycle. During the design stage, for instance, developers could use relevant feedback that will result in a more secure product. Staging environments can focus on detecting the unique bugs and vulnerabilities of each proprietary API.
Business procedures are also part of the cycle. They can lead to 3rd party decisions made by API consumers that have security implications and were left out of the staging process. In other words: it’s never too early to start thinking about security and working towards improving it. This shift-left approach, which is familiar from testing-related debates, is based on the notion that developing a secure API requires taking security measures into account from the get-go. The goal of all organizations should be to design and develop a secure API by incorporating security insights from the production and staging environment into the development process.
Question #4: How accurate is the security solution?
API data is structured in different hierarchies, and so we must ask which ones are analyzed by the security solution in question. Is the API data itself investigated or just the metadata, which might prove to be insufficient? Dependencies between data objects should be taken into consideration as well as their sequential nature for a fuller picture that leads to fewer vulnerabilities.
Question #5: Does the solution offer automation capabilities?
No matter what solution you end up choosing, make sure it offers automation capabilities. Using a security technology that is able to auto-learn the API’s functional behavior and create models that are a perfect fit is priceless. Try to achieve a high level of monitoring and mitigation automation by teaching these solutions the business logic behind your API, and enjoy the elimination of human error alongside faster and hassle-free procedures.
Question #6: How complex is the integration process?
This is a must-ask question when it comes to any security solution, including APIs. A seamless integration process is even more crucial considering the complexity of APIs, and so it’s important to evaluate the vendor’s experience in implementing API-focused solutions. Because the process often includes initial detection by the technology solution which is followed by specific confirmation that is performed by the company’s development team, the entire roll-out process should be considered and not just the first technical integration. You’ll need solid synergy between different teams and the technology to support it.
How does ImVision Technologies stack up?
ImVision Technologies specializes in API protection for enterprises at scale and brings a holistic approach that detects and prevents API-related attacks from the earliest stages. The company’s solution studies the business logic and offers relevant automation capabilities for monitoring and mitigation procedures. Our AI-based NLP technology treats API dialogues as a language and uses advanced algorithms to form cost-effective models that understand the complex in-data relations. We allow CISOs to gain full visibility and control over the entire cycle, from code to production.
As Gartner puts it, protecting APIs using a general security solution is ineffective. Today’s companies realize that they need a solution that considers their specific API requirements, challenges and business goals in order to fully secure their organization. By asking the above questions, they should be able to find the right solution faster and more accurately.