{"id":11189,"date":"2022-02-15T17:01:09","date_gmt":"2022-02-15T17:01:09","guid":{"rendered":"https:\/\/staging-site.42crunch.com\/?p=11189"},"modified":"2022-11-28T15:26:32","modified_gmt":"2022-11-28T15:26:32","slug":"how-developers-can-become-api-security-champions","status":"publish","type":"post","link":"https:\/\/staging2022.42crunch.com\/how-developers-can-become-api-security-champions\/","title":{"rendered":"How Developers Can Become API Security Champions"},"content":{"rendered":"<h4><strong>Question: Everyone is talking about DevSecOps, why are we not able to fix the security issues?<\/strong><\/h4>\n<p><span style=\"font-weight: 400;\">Despite the obvious challenges, Colin believes that the industry has made progress as compared to ten years ago when very insecure code was prevalent. Today&#8217;s code is definitely more secure and security is improving \u2014 thankfully most developers are at least now aware of what an SQL injection attack is.\u00a0 Philippe also thinks things are improving, however, he sounds a note of caution, mindful of the ever increasing volume of APIs and related attacks he fears it is not obvious that the industry is keeping pace with these new targeted threats. The landscape has definitely become more complicated and things are moving fast. He notes that it is a challenge for developers to keep up with the security guidelines and ever changing threats.\u00a0\u00a0<\/span><\/p>\n<h4><strong>Question: How do we get developers engaged in API Security?<\/strong><\/h4>\n<p><span style=\"font-weight: 400;\">Although developers can do a lot to educate themselves about API security, companies and security teams also need to make positive changes to their approach to get the best results and prevent security blockages, security issues and development delays. So Philippe answers this question by looking at each entity individually.<\/span><\/p>\n<p><strong>What can an individual developer do?<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Developers need to have a solid security awareness just like they know how to write code that performs well. They should push for security training to ensure they have the basic awareness of what it means to build secure software. While every developer does not need to be a security expert, they should realize that their actions may have security consequences and consequently need to know who to ask on the security team or who is the security champion on their team.\u00a0<\/span><\/p>\n<p><strong>What can companies do?<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Philippe advocates that companies must provide their developers with the resources to implement security. Sometimes companies are reluctant to invest enough as security is often perceived as an additional overhead, but the benefit of providing development teams with the correct tools, far outweighs the downside, and will save the company money and protect their reputation, and reduce the costs of breaches or expensive security updates.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Companies should afford developers the following:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Time to learn about security because if they never have time to learn about it they will not be able to improve.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Time to build out features securely.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Provide a developer with reference components or patterns that are vetted and validated to be secure.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Philippe is observing an increasing trend amongst early-stage and start-up companies that are adopting a developer-first approach to attempt to get security right from the start, and believes this is already having a tangible impact.<\/span><\/p>\n<p><strong>What can security teams do?<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">The third element to consider is the role played by the security team in improving API security.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Typically the security team brings a long checklist or guidelines and expects the development team to implement all of these checks. They find it difficult to get developers to actually implement the security guidance due to time constraints.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Philippe has come to the realization that this list-based approach is never going to work as you can never expect every developer to know everything on the list and never make a mistake. Instead of having a long list of guidelines, recommendations, and checklists for reaction-based security, he advocates that security teams adopt a collaborative approach that empowers the developer to code in security as part of the design and development process.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In other words, avoid making security an add-on that needs to be done, make sure it is part of the process from the beginning. For Colin, the one thing that has really struck home for him was the term \u201cbuild paved roads\u201d so security teams should not get in the way of developers rather, \u201chitch the security wagon to developer productivity\u201d.<\/span><\/p>\n<p><strong>Netflix Case study<\/strong><\/p>\n<p><strong><a href=\"https:\/\/netflixtechblog.com\/the-show-must-go-on-securing-netflix-studios-at-scale-19b801c86479\" target=\"_blank\" rel=\"noopener\">Philippe shared the following Netflix case study as an exemplary security journey.\u00a0<\/a><\/strong><\/p>\n<p><span style=\"font-weight: 400;\">In 2017 Netflix were faced with a challenge of how to scale their security function \u2014 on the one hand they were facing business challenges to build new functionality faster than competitors, yet were being pressed to raise the bar of security for internet-facing assets.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The key observation the security team made was that developers were faced with too many checklists which caused frustration, and slowed development without any significant security benefit. Certainly this approach was not scalable. The security team pioneered the concept of a \u201cPaved Road\u201d which is essentially a set of standard security features and functions available to development teams for adoption in their products. The security teams would provide an approved, validated security solution as a product \u2014 the example provided is that of the \u201cWall-E\u201d Cloud gateway product which provided standard implementations of common authentication patterns.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The security team then sought out early adopters to embrace \u2018Wall-E\u201d as part of their product, and then reworked their checklists to drive developers toward \u201cWall-E\u201d as a pre-approved out-of-the-box solution. Only when a team had a peculiar requirement that precluded the use of \u201cWall-E\u201d would they use a custom solution which would then require the full checklist. When these exceptions were encountered the security team would enhance the \u201cWall-E\u201d product to include the required custom features. As such the \u201cWall-E\u201d product became all encompassing, and adoption grew within Netflix. Also by understanding the developer intent (what problem were they solving) the security team could further evolve their standard \u201cPaved Road\u201d products.<\/span><\/p>\n<p><strong>Their key takeaways are:<\/strong><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Build a bulletproof authentication mechanism and make this a part of the standard architecture.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u201cProductize\u201d capabilities to drive adoption and standardization.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Hitch the security wagon to developer productivity.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Understand the intent, and provide value around this.<\/span><\/li>\n<\/ul>\n<p><strong>Who has primary responsibility for implementing API Security?<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Finally <\/span><span style=\"font-weight: 400;\">during a recent 42Crunch webinar <\/span><a href=\"https:\/\/staging2022.42crunch.com\/automate-api-protection-with-security-as-code-webinar-recording\/\"><span style=\"font-weight: 400;\">\u201cAutomate API Security with Security as Code\u201d<\/span><\/a><span style=\"font-weight: 400;\"> we conducted a poll asking enterprises who was the primary responsible for implementing API security. The results are encouraging and indicate that companies are increasingly moving to adopt a developer-first approach to implementing security.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-11417 size-large alignnone\" src=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/02\/Screenshot-2022-02-15-at-16.51.58-1024x512.png\" alt=\"\" width=\"1024\" height=\"512\" srcset=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/02\/Screenshot-2022-02-15-at-16.51.58-1024x512.png 1024w, https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/02\/Screenshot-2022-02-15-at-16.51.58-300x150.png 300w, https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/02\/Screenshot-2022-02-15-at-16.51.58-768x384.png 768w, https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/02\/Screenshot-2022-02-15-at-16.51.58.png 1236w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\"><strong>Learn how the<\/strong><a href=\"https:\/\/staging2022.42crunch.com\/api-security-platform\/\" target=\"_blank\" rel=\"noopener\"> 42crunch platform builds security into the development process<\/a><\/span><\/p>\n<p><strong>Learn more on the webinar series:<\/strong> <a href=\"https:\/\/staging2022.42crunch.com\/owasp-api-security-top-10-webinar-series-recordings\/\">API Security Landscape Today and the OWASP API Security Top 10 Challenges<\/a><\/p>\n<h4>Speakers:<\/h4>\n<h3><span style=\"font-weight: 400;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-11418\" src=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/02\/DrPhilippeRyck_card-300x109.png\" alt=\"\" width=\"300\" height=\"109\" srcset=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/02\/DrPhilippeRyck_card-300x109.png 300w, https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/02\/DrPhilippeRyck_card.png 710w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-11419\" src=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/02\/ColinDomoney_card-300x109.png\" alt=\"\" width=\"300\" height=\"109\" srcset=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/02\/ColinDomoney_card-300x109.png 300w, https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/02\/ColinDomoney_card.png 710w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/span><\/h3>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Question: Everyone is talking about DevSecOps, why are we not able to fix the security issues? Despite the obvious challenges, Colin believes that the industry has made progress as compared to ten years ago when very insecure code was prevalent. Today&#8217;s code is definitely more secure and security is improving \u2014 thankfully most developers are [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":11523,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"How Developers Can Become API Security Champions","_seopress_titles_desc":"How developers can become API Security champions and how companies and security teams can help.","_seopress_robots_index":"","site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"disabled","ast-hfb-above-header-display":"disabled","ast-hfb-below-header-display":"disabled","ast-hfb-mobile-header-display":"disabled","site-post-title":"disabled","ast-breadcrumbs-content":"disabled","ast-featured-img":"disabled","footer-sml-layout":"disabled","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[16],"_links":{"self":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/11189"}],"collection":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/comments?post=11189"}],"version-history":[{"count":0,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/11189\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media\/11523"}],"wp:attachment":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media?parent=11189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/categories?post=11189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/tags?post=11189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}