BLOG

API Security: separating truth from fiction

Where is the truth and what’s the fiction ?

In this webinar Alexei Balaganski, Lead Analyst at Kuppinger Cole and myself contrasted our experience with customers and prospects and came up with a list of facts and fictions about API security. We both have seen a surge of interest in API security after a challenging 2018: breaches through APIs are accelerating at a high pace and it’s only the beginning.

Here are a few key takeaways from this webinar:

  • The basics are still not covered: many of the issues that occurred last year could have been avoided if proper input and output validation were in place. Do not trust any of the contents coming to you, should that be params value, headers value, requests bodies, or tokens. Validate thoroughly before accepting any request: one of the first thing a hacker or bad bots will do is throwing all kind of bad data to your API and see how it reacts, then collect valuable information depending on how your API responds (such as the framework used to develop the APIs, or the hosting platform). In order to detect such API issues, you should be testing what I call the “hacky path” and not only focus on the “happy path”.
  • Security, development and operation teams are still not collaborating enough to be efficient: none of these teams can do it alone, they need to collaborate. Each team has something critical to bring to the table in terms of knowledge, experience and protection. You can’t properly secure an API with data validation: albeit a key requirement, proper deployment of the APIs is also critical. For example, you must not expose data APIs directly on the Internet.
  • API Security is not a one-off thing: putting some tools in place and forgetting about it is not going to cut it. As APIs evolve, security needs to follow: it needs to be fully part of the API lifecycle, and as much as possible automated. Meet DevSecOps and a culture of including security from Day 1 in your API development strategy.
  • Trust None: most people we talk to understand the need for public APIs security, but in general do not care so much about protecting what they consider as non-public. First of all, public means on public internet. Anything with an IP on the public internet is public, even if you don’t advertise it in a developer portal. Furthermore, even internal APIs must be treated as equally exposed. Why ? Attacks could come an angry employee with a grudge against the company. But that is quite rare. Rather, your colleagues could have been victims of malware, phishing or social engineering. Moreover, your IoT devices (such as aĀ fish tank)Ā could have been hacked!

 

I let you discover other recommendations and advice through the webinar replay here:Ā https://www.kuppingercole.com/events/n40434. I hope you find it informative!

Latest Resources

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protectionĀ as attacks on automotive APIs climb within and among vehicle, cloud and mobileĀ  DALLAS and TOKYO, May 29, 2024ā€”VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch Ā to enhance the security of application programming […]

DataSheet

APIs are the core building block of every enterpriseā€™s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developersā€™ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protectionĀ as attacks on automotive APIs climb within and among vehicle, cloud and mobileĀ  DALLAS and TOKYO, May 29, 2024ā€”VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch Ā to enhance the security of application programming […]

DataSheet

Datasheet Cover Images P1-02

Product Datasheet Addressing API Security Challenges

APIs are the core building block of every enterpriseā€™s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developersā€™ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

Ready to Learn More?

Developer-first solution for delivering API security as code.