It wasn't long ago that application programming interfaces (APIs) were an abstract concept. Before modern software architecture — today's flexible constellations of specialized microservices and containers that can easily scale up or down — monolithic applications limited both system performance and the speed of innovation.
As organizations grew and more processes were digitized, the many complex interdependencies within a single application frustrated developers, business leaders, and customers alike. Once technology companies shifted to a microservices architecture, the business value of APIs became clear: faster development, faster growth, and happier customers. APIs thus play a critical role in the software supply chain, which is itself increasingly automated and connected through continuous integration/continuous delivery (CI/CD) models.
Today, APIs face a growing number of vulnerabilities, but to secure them it's important to first understand how the role of APIs in the software supply chain has evolved.
Application Life Cycle
The software supply chain represents a fundamental component of the modern application development life cycle, enabling the digital transformation of entire industries. Some of the earliest use cases arose within e-commerce, where interactions were still limited by technical and organizational silos.
As developers shifted to building cloud-based platforms, they increasingly connected and integrated key applications and services within the software supply chain. APIs enabled this convergence of applications, services, and developer teams by acting as the digital intermediary between the supply chain environment and applications. APIs automated routine processes and enabled innovation while improving the end-user experience.
APIs have since evolved from being a mechanism for feeding and analyzing data to managing entire operational and service-related aspects of a business. As the use of APIs matured and organizations increasingly relied on them, a number of changes in the software supply chain resulted, including:
- Communication with data and processes is offered in a more uniform manner, replacing custom data calls.
- The space between the data and the user has been eliminated, speeding up processes and improving user experience.
- APIs provide more documentation transparency than a traditional server, which improves overall security risk assessment and offers new levels of agility, especially to organizations that must follow strict regulations and government compliance guidelines.
Software Supply Chains Under Fire
As industries continue to undergo digital transformation, the cloud continues to evolve. And, as we enter the next iteration of the Web, reliance on APIs are expected to grow. At the same time, hackers are capitalizing on APIs as the latest attack vector. It is predicted that 45% of organizations worldwide will have experienced attacks on their software supply chains in 2022, a threefold increase from 2021.
Today, most organizations have thousands of APIs they don't know about, and they continue to deploy APIs with solutions that don't fully address all modern threats and vulnerabilities. Even with a complete inventory, APIs' behavior and capabilities may be affected by mistakes and misconfigurations.
Unfortunately, existing network infrastructure, including API gateways and Web application firewalls, don't solve this "shadow API" problem. Organizations therefore need to take a proactive approach to securing their APIs. This includes both a "shift left" methodology to increase testing in development and "shield right" action to ensure that APIs — and, thus, the enterprise — are protected as the environment evolves.
Steps to Take to Secure APIs
The first step to securing APIs is to take a complete inventory, including data classification and configuration details. After identifying and inventorying all APIs:
- Analyze them for anomalies, changes, and misconfigurations.
- Leverage artificial intelligence (AI) and machine learning (ML) for automated behavior analysis to identify issues in real time and prioritize them for review by security teams.
- Implement tactics such as blocking API attacks in real time and integrate existing remediation workflows and security infrastructure.
- Actively test APIs to validate integrity before and after they are deployed to production.
APIs are the conduits of today's digital ecosystem, enabling data to be moved in and out of data centers, whether privately hosted, in public clouds, or any hybrid combination of the two. While this means new opportunities to innovate, it's important to remember that, just as customers gain access to an organization through APIs, so do threat actors.