
When Shift-Left is more than a marketing campaign

Earlier this month I had the chance to join my new colleagues from 42Crunch at our all-hands in Ireland, and I couldn't be more excited that there's something special we're building here. Setting aside that Cork and Kinsale are some of the prettiest places I've ever visited, I was able to see how passionate the 42Crunch team is about an approach that's new to me as someone who's been in this space for a while – developer-first security. While many in the application security world pay lip service to "shift-left", our team has lived and breathed this approach for the past five years.

If you aren't familiar with "shift-left", it refers to the idea that the earlier you bake security into your product lifecycle (which moves from left to right), the more effective your security will be, because security becomes inherent in the design of your application. This is not to say that having security on the right, where your application is running, isn't valuable – it absolutely is and will continue to be. But if you have the opportunity to shift left, the advantages are many:

Shift-Left vs. Shield-Right

Shift-Left: Developers precisely define and validate the way users interact with the application.
Shield-Right: Monitoring and analytics tools try to discern malicious traffic from normal traffic and raise alerts for SecOps to chase down.

Shift-Left: Developers consistently follow security best practices as they build the application.
Shield-Right: Security teams find issues and have to go back to developers to fix them when they've already moved on to the next project.

Shift-Left: Functional and security testing can happen at the same time because the design encapsulates both.
Shield-Right: Security testing is done by security using generic and coarse-grained tools.

Why APIs are suited for shift-left

One key challenge with shifting left when it comes to web applications is that there is no blueprint developers can follow to ensure they're applying consistent guidelines for designing a secure application. This is because applications are heterogeneous by nature and can't be constrained to a single set of design standards.

But APIs are different. Since 2015, the OpenAPI Initiative has published standards by which developers can document the design of their REST APIs. These designs are encapsulated in OpenAPI Specification (OAS) files, also known as Swagger files.

Because an OAS file includes everything from authentication protocols to input/output data types to status codes in a machine-readable format, it is the obvious place to start when looking for potential security vulnerabilities. Inspecting an OAS file, for example, might show you that an array doesn't have a maximum number of items defined, leaving you exposed to an injection or memory overflow attack.
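As an added example (not 42Crunch's audit tool or its rule set), here is a minimal Python audit of the kind of check described above: it walks the request-body schemas of a constructed OpenAPI 3.0 document and flags arrays without maxItems, strings without maxLength or enum, numbers without both bounds, and objects that accept undeclared properties. It assumes inline schemas (no $ref resolution) and a document already parsed from JSON.

```python
import json

# Constructed OpenAPI 3.0 fragment for this example (not a real customer API):
# one POST with an unbounded array, an unbounded string and a bounded integer.
SAMPLE_OAS = json.loads("""
{"openapi": "3.0.0",
 "paths": {"/orders": {"post": {"requestBody": {"content": {"application/json": {"schema": {
   "type": "object", "additionalProperties": false,
   "properties": {
     "items": {"type": "array", "items": {"type": "string", "maxLength": 40}},
     "note":  {"type": "string"},
     "qty":   {"type": "integer", "minimum": 1, "maximum": 100}}}}}},
   "responses": {"201": {"description": "created"}}}}}}
""")

def audit_schema(schema, path, findings):
    """Recursively flag data definitions with no upper bound (inline schemas only, no $ref)."""
    t = schema.get("type")
    if t == "array":
        if "maxItems" not in schema:
            findings.append(f"{path}: array without maxItems")
        audit_schema(schema.get("items", {}), path + "/items", findings)
    elif t == "string" and not (schema.keys() & {"maxLength", "enum"}):
        findings.append(f"{path}: string without maxLength or enum")
    elif t in ("integer", "number") and not (schema.keys() >= {"minimum", "maximum"}):
        findings.append(f"{path}: {t} without minimum and maximum")
    elif t == "object":
        if schema.get("additionalProperties", True) is not False:
            findings.append(f"{path}: object accepts undeclared properties")
        for name, sub in schema.get("properties", {}).items():
            audit_schema(sub, f"{path}/properties/{name}", findings)
    return findings

def audit_request_bodies(doc):
    """Audit every request-body schema under 'paths'; return human-readable findings."""
    findings = []
    for route, ops in doc.get("paths", {}).items():
        for method, op in ops.items():
            for media, body in op.get("requestBody", {}).get("content", {}).items():
                audit_schema(body.get("schema", {}), f"{method.upper()} {route} [{media}]", findings)
    return findings

if __name__ == "__main__":
    for line in audit_request_bodies(SAMPLE_OAS):
        print(line)
```

Run against the constructed document, the audit reports the unbounded `items` array and the unbounded `note` string while the bounded `qty` integer passes; an editor plugin would surface exactly these findings as the schema is typed.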

What if there were a tool that could audit an OAS file as it was being written and provide an instant list of security recommendations for the developer to review without having to leave her IDE? As one recent customer put it – that's about as left as you can shift!

But how do you get developers on board?

Apart from the most security-minded developers, most won't go out of their way to use a security tool, especially if it negatively impacts their primary goal – shipping code quickly. If you want adoption, you must give them something that adds value and saves time while providing security as an added benefit.

This is exactly what 42Crunch has done. Our OAS editor and audit tools provide a ton of time-saving features like schema validation and autocomplete. Because of this, we've seen tremendous adoption, to the tune of over 450,000 developers who have installed our plugin from the marketplaces for the top 3 IDEs on the market (up from only 230K at the same time last year). And with security auditing embedded in a tool that's already been embraced by developers, AppSec teams have an entry point to validate that APIs are being designed securely without blocking or slowing down release cycles.

Cool story bro, but how does this help me now?

You might be thinking to yourself: an API design audit sounds great, but I have a ton of APIs in the wild that I need protected now. To answer this I would steal a quote from one of our co-founders – "How can you protect what you don't understand?" In other words, you may have a dynamic testing tool or a runtime protection tool that you're considering to secure your APIs. But are those tools applying the context of the API's design when in use? If so, do they provide any assurance that the API's design is secure? If not, they are essentially doing guesswork. It may be highly sophisticated AI-driven guesswork, but it's still just guesswork.

Contrast this with the 42Crunch Conformance Scanner and API Firewall, both of which use the context derived from the OAS file when scanning and protecting an API, and you have a best-in-class API security toolset that truly embodies the term DevSecOps. The Scanner validates that your API is implemented the way it was designed and can be seamlessly integrated with all major CI/CD pipelines. The API Firewall enforces a positive security model that only allows requests and responses that align with the API's design, and it can be deployed across a wide range of cloud-native environments.

If you've been reading this far, you're either a family member of mine or you're really interested in what we're up to at 42Crunch. If it's the latter, feel free to contact me at Tom Chang and I'm happy to drone on about all the cool stuff we're working on.
