42Crunch and Microsoft have partnered to provide continuous protection for APIs
Recently 42Crunch and Microsoft announced a partnership to address the number one security issue challenging organizations today, namely the large and growing attack surface represented by APIs.
Application security practitioners have come to realize that application security tooling like SAST/DAST and Web Application Firewalls (WAFs) are not optimized to protect against the unique and varied threats posed by APIs. A complementary API-specific security approach is required.
Gartner® summarizes the key challenge as follows: “Protecting web APIs with general purpose application security solutions alone continues to be ineffective. Each new API represents an additional and potentially unique attack vector into your systems.”1
By integrating our API security testing capabilities with the runtime protection features provided by Microsoft’s Defender for APIs, we are excited to jointly deliver an end to end API security solution that embodies modern DevSecOps principles.
What is end to end API security?
End to end API security refers to a comprehensive approach to securing the entire lifecycle of an API, from its design and development to its deployment and ongoing operation. A key hallmark of this approach is that API security is a shared responsibility across various teams responsible for build and delivery. Given that security professionals are vastly outnumbered by developers in most companies, making security part of everyone’s job is the only way to scale. At 42Crunch, our mission is to give tools to developers that help them build more secure APIs without sacrificing productivity or agility.
Gartner recommends enterprises “adopt a continuous approach to API security across the API development and delivery cycle, designing security into APIs. Include API security testing and the creation and application of reusable API security policies.”2
The integration of our API security audit and vulnerability testing solutions with Microsoft Defender for Cloud now provides Microsoft customers across all industries with continuous protection of their APIs from design to runtime.
Achieving Continuous API Security
As we discussed in a recent blog post, much of the early attention in the API Security space has been given to API behavior monitoring tools which have produced mixed results. As the space has evolved, security teams have begun to expand the scope of their API Security programs to include developer tooling and security testing. By adding a more proactive approach towards API Security, enterprises have benefited in numerous ways:
- Dramatically reduced remediation cost and risk for issues discovered at development time compared to those found at runtime
- Increased education and awareness of security best practices across the development team
- Broad test coverage at scale through automation
By ensuring that all APIs meet minimum requirements for security and quality before they reach production, security teams can more effectively apply runtime protection using a risk-based approach. Sharing security test findings gives development and security teams a common language to work from. That collaboration is further strengthened when security is able to provide real-time insights back to developers about where and how APIs are being attacked and abused.
Pulling it all together
Microsoft Defender for APIs, part of Microsoft Defender for Cloud (a cloud-native application protection platform), features a rich set of runtime insights that provide centralized security teams with a clear, real-time assessment of their API risk posture. This includes behavioral anomaly detection, sensitive data discovery and classification, and API gateway hardening recommendations.
By following the steps for enabling the public preview of this integration, customers can get up and running with 42Crunch and Defender for APIs in minutes. Initially, this integration requires a subscription to GitHub Advanced Security with availability for Azure DevOps soon to follow.
Once enabled, the integration will take all findings from the 42Crunch audit and scan actions in CI/CD and surface them within the Microsoft Defender for Cloud Recommendations blade.
Centralized security teams can combine these insights with the wide range of security findings from Defender for APIs to gain a complete view of the risk and threat landscape across the API lifecycle, thus allowing remediation and mitigation measures to be prioritized and applied more effectively.
“Together with 42Crunch, we bridge the gap of API security from development to runtime and empower security teams to exercise governance over their API ecosystem throughout the development lifecycle.” 3 Vlad Korsunsky, Microsoft
Conclusion
As enterprises continue to evolve their API security programs, there’s no question that most will converge on a strategy that requires close collaboration between development and security teams. The tools that connect these two traditionally siloed groups will need to be easy to use and add value for all stakeholders in order to be adopted at scale.
The first iteration of this integration lays the foundation for API security governance and control across the enterprise. Based on early customer feedback, we are already planning new capabilities that will give developers and security teams tooling to address more complex scenarios. We could not be more proud to partner with Microsoft on this journey.
1 Gartner, API Security: What you Need to do to Protect your APIs by Mark O’Neill, Dionisio Zumerle, Jeremy D’Hoinne, 13 January 2023
2 Gartner, API Security: What you Need to do to Protect your APIs by Mark O’Neill, Dionisio Zumerle, Jeremy D’Hoinne, 13 January 2023
3 42Crunch and Microsoft Press Release, November 15, 2023, quoting Vlad Korsunsky, Vice President of Cloud and Enterprise Security at Microsoft