Why Developer-First API Security is Prevailing in Enterprise

The DevSecOps movement has led to a distinct “shift-left” in the enterprise where tasks are moved earlier in the development cycle so that developers can directly address production concerns as the code is being written. Companies are realizing greater business benefits from this shift-left approach, with accelerated application delivery times and the dismantling of a siloed approach to the software development lifecycle (SDLC) leading to closer collaboration between developers, operations and AppSec teams.

At 42Crunch we are seeing this shift-left play out in real time in the field of API security, with enterprises increasingly empowering their developers to become security champions and enabling them to take an active role in the security experience by coding in security at API design time.

Developers Implementing API Security

During a recent webinar, Automating API Security as Code, we surveyed 243 engineers from development and application security teams at large enterprises across North America and EMEA. Our results corroborate the trend: a shift-left, DevSecOps approach to addressing API security challenges is prevailing in the enterprise.

 

We asked, “Who in your organization is primarily responsible for implementing API security?” The largest share of respondents (44%) confirmed that their development teams are leading the charge when it comes to API security. Security teams are a distant second with 24%. This finding is also consistent with the results of a Gartner poll conducted last summer during a webinar delivered by Mark O’Neill and Dionisio Zumerle, which confirms that this trend towards a developer-first approach is growing in popularity. This, of course, does not preclude security acting in an advisory and oversight capacity.

Tooling a Developer-First Approach to API Security 

Such a developer-first initiative will not work without the correct tooling that enables developers to address security at the design phase of the SDLC. Rachel Stephens of analyst firm Redmonk sums it up neatly in her recent post, Developer Experience is Security:

“Security teams need to have a stake at the table earlier. They cannot merely be a review process before production, and they need to be able to have input at the design phase of an application. Similarly, this culture change cannot exist without supportive tools for developers.”

Initially, enterprises attempted to use traditional API Gateways, Web Application Firewalls, and Static and Dynamic Application Security Testing tools (SAST & DAST) to secure their APIs but, as Colin Domoney pointed out, these application security tools are not up to the task of securing APIs at scale. Furthermore, these tools are not focused on remediation and provide next to no proactive guidance to help developers implement adequate security.

When it comes to APIs, developers need easy-to-use tools that ideally run directly inside their Integrated Development Environments (IDEs), such as Visual Studio, IntelliJ or Eclipse, so that they can easily inject security directly into their Continuous Integration/Continuous Delivery (CI/CD) pipeline.

42Crunch is the first dedicated API Security vendor to solve this problem with our Developer-First API Security platform. It is purpose-built to enable developers to build and automate security into their API development pipeline. Yet, it also gives security teams full visibility and control of security policy enforcement at every stage of the API lifecycle.  We provide automated tools to easily secure the entire API infrastructure by describing security in the API contract, and enforcing those policies throughout the entire lifecycle. By delivering security as code we enable a seamless DevSecOps experience, allowing innovation at the speed of business without sacrificing the security of APIs.

Conclusion

As more and more companies embrace DevSecOps and a shift-left approach to securing their APIs, they are realizing a myriad of benefits, including: removing bottlenecks in scaling their API security, reducing costly licensing of redundant security technologies, and accelerating the time to roll out new applications and services built on secure APIs.

Latest Resources

WEBINAR

Top Things You Need to Know About API Security

Two of the API security industry’s leading experts, Dr Philippe de Ryck and Isabelle Mauny, guide you through some real-world cases of API security attacks and also share some best practices for securing your APIs.

NEWS

42Crunch And Microsoft’s Defender for Cloud Partner to Deliver End-to-End API Security

By Newsdesk | November 15, 2023

San Francisco, CA, November 15, 2023 10AM PST
42Crunch and Microsoft integrate services to help enterprises adopt a full-lifecycle approach to API security
Today 42Crunch, the API DevSecOps platform, announced the integration of 42Crunch’s API security audit and vulnerability testing solution with Microsoft Defender for Cloud to provide Microsoft customers continuous API protection from design to runtime.

DataSheet

APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.
