API Security: The Big Picture

Hype won't solve operational security problems. Here are 10 important points to consider when evaluating API security solutions.

Joshua Goldfarb, Global Solutions Architect — Security

December 18, 2023

Application programming interfaces (APIs) have become a critical part of modern business. They allow businesses to be more competitive and to meet market pressures by pushing capabilities closer to customers and increasing the pace at which a company develops and deploys its applications. Therefore, it is no surprise that many security teams consider API security a top priority in the coming year. It is also no surprise that a host of API security vendors are clamoring for that business.

As with any market that is heating up, security buyers face a tremendous amount of noise, confusion, and, yes, marketing verbiage. Obviously, hype won't solve operational security problems. How can security buyers cut through the puffery and evaluate API security solutions? What are some important points to consider that often get lost in the noise?

In my opinion, it is helpful to consider the big picture, rather than just examine individual features or address issues tactically. Here are 10 strategic considerations when evaluating an API security offering.

1. Multiple Environment Capability

API security isn't very helpful if it doesn't work across multiple environments. We once believed that we would gradually migrate everything to the cloud, but what most enterprises find themselves facing these days is a complex hybrid environment consisting of applications and APIs deployed on-premises, in private data centers, and in multiple different cloud environments.

Managing this complexity has become a heavy burden on enterprises, greatly impacting their ability to adequately secure APIs. Thus, any viable API security solution needs to be able to manage that security across complex hybrid and multicloud environments.

2. Simplified Management

It may be tempting to purchase point solutions for API security for different environments, but this approach adds complexity and yet another tool to learn, operate, manage, and maintain. A better approach is to consider API security as part of an overall platform designed to simplify the management and security of hybrid and multicloud environments.

3. Simplified Deployment

Keeping APIs secure isn't only about defending against attacks — it is also about ensuring the API deployment is simplified and standardized. When it isn't, the potential for human error, oversights, vulnerabilities, and unknown/unmanaged API endpoints increases. A non-standardized deployment also introduces the risk of getting locked into a particular cloud environment, which necessitates migrating applications and APIs in order to move providers — a costly and tedious process that, if not done meticulously, can introduce serious security issues.

When seeking an API security solution, look for one that is part of an overall platform that also addresses the need to simplify and standardize deployment across multiple environments without getting locked into any one of them.

4. Uniform Security Policy

Policy is also an important part of API security, as is applying it uniformly and universally, in an environment-agnostic way. Uniform security policy application is another key component of the big-picture approach to API security.

5. Discovery and Remediation

Unknown/unmanaged APIs are a huge issue for enterprises. However, API discovery is only half of the battle. The other half involves remediation in the form of inventorying, managing, and securing those discovered APIs. All of this is easier as part of that big-picture API security approach.

6. More Than Just API Gateways

Unfortunately, while API gateway solutions are helpful, they are not sufficient. They do not protect against sophisticated attacks or help enterprises manage their APIs across multiple different environments. They should be incorporated as part of a broader, more strategic approach to API security.

7. Beyond WAFs

As with API gateways, Web application firewalls (WAFs) are also not sufficient against today's sophisticated threat landscape. A variety of security measures are needed to properly secure APIs, including protection against advanced automated attacks, fraud, and targeted attacks. Although WAFs are an extremely important tool, they need to be augmented by a more holistic API security platform that incorporates protection against the most advanced threats.

8. Threat Intelligence

The rate at which attackers learn, evolve, and hone their techniques is daunting. Simply put, it is hard to keep up, making integrated threat intelligence another important piece of the API security puzzle.

9. Visibility

Much of this article has focused on protective controls and measures, but security professionals know that they also need detective controls and measures. Continuous security monitoring and incident response require many tools, processes, and training, but they also require visibility in the form of telemetry data. No API security solution is complete without the ability to provide that big-picture visibility across multiple environments.

10. The Human Element

Last but not least, API security is not about technology alone. While the right platform with the right capabilities is essential to API security, so are the right processes and the right team with the right training.

As tempting as it may be to focus on tactical features when it comes to API security, doing so is a strategic error. API security requires a holistic approach in which enterprises manage API security and all of the people, process, and technology around it. When security buyers evaluate API security solution providers, it is important that they take into account the big picture and plan for the gamut of issues that ultimately present themselves around the topic of API security.

About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.
