Intelligent CISO Issue 67 | Page 33

PREDICTIVE INTELLIGENCE

CISO responsibilities when it comes to securing APIs

Andy Mills, VP for EMEA at Cequence Security, on why API security should be championed by the CISO and how this can be achieved.

The remit of the CISO is not to fix coding or security issues but to provide the structure needed to limit the potential for those to happen and to ensure measures are in place to remedy them if they do. That equates to putting in place effective policies to govern how people, processes and technology work. That may sound obvious but when it comes to Application Programming Interfaces (APIs), it seems that out of sight is often out of mind.

Recent research reveals that out of over 1 trillion malicious API requests captured in 2022, 50 billion targeted shadow APIs, that is APIs that are unknown, unmanaged and unprotected. This is because organisations frequently underestimate the number of APIs that have been deployed, inevitably resulting in shadow APIs – and this is a problem because an ungoverned API is effectively an open door to the organisation’s data.
There are, therefore, a number of steps that should be insisted upon when implementing APIs. To begin with, visibility is a must so it’s vital to discover all the APIs that the organisation has, even if these are regarded as dormant. An attack surface management tool can be used to search out all APIs on the network and these should then be assessed for risk and vulnerabilities and registered in an inventory database.
Additional information on hosting providers and the department and assigned asset owners should also be included and the database should be continuously updated in real time to ensure the information remains current, preventing shadow APIs. This can be achieved by implementing runtime inventory but make sure this is vendor neutral and capable of integrating with existing systems, including API gateways, proxies and controllers.
Enforce compliance
Another key concern is ensuring that APIs remain compliant and that specifications are enforced. This means that every time the service comes online, every time the server is rebooted, every time a load balancer spins up another instance, and every time there’s a patch or code change, the APIs need to be fully tested. Such testing must be automated with tests run on a periodic timer and, in the event the test fails, the API should not be deployed and an investigation triggered.
When it comes to authentication, authorisation and encryption, these should not be developed in-house. Open standards such as OAuth 2 and OpenID Connect are tried, tested and widely trusted, while all data communications to the API should be sent over Transport Layer Security (TLS). Identity and Access Management (IAM) providers can also provide access mechanisms for APIs and their endpoints.
As well as encrypting data in transit and at rest it’s wise to look at data stored in the backend systems accessed by the API. Unencrypted transaction data stored in temporary files is often stolen in API attacks. API keys, too, should never be embedded in the code or hard coded into the application’s source repository. Instead, use environment variables or files outside of the application’s source code or even resort to a secrets management service.
Scan all input to the API and validate it to prevent injection attacks. Attackers can easily discover APIs that lack input validation using automated scanning tools but this can be prevented using an existing tested library for validation. Where relevant, XML schema, JSON and SQL validation should also be implemented. Error messages, too, can
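As an added, constructed illustration of the input-validation advice above (not code from the article or from Cequence Security): a Python handler that allow-lists a hypothetical "create order" request body using a tested parser (the standard json module), rejects anything outside the schema before it reaches storage, and binds the validated values into a parameterised query so injection-style strings are never interpreted as SQL. The endpoint, its schema and the orders table are assumptions.

```python
import json
import re
import sqlite3

# Constructed allow-list schema for a hypothetical "create order" endpoint:
# field -> (required JSON type, constraint). Anything outside it is rejected.
ORDER_SCHEMA = {
    "customer_id": (int, lambda v: 0 < v < 10**9),
    "sku": (str, lambda v: re.fullmatch(r"[A-Z0-9-]{3,20}", v) is not None),
    "quantity": (int, lambda v: 1 <= v <= 1000),
}

def validate_order(raw_body: bytes) -> dict:
    """Parse and validate a request body; raise ValueError on any deviation."""
    try:
        body = json.loads(raw_body)
    except ValueError as exc:
        raise ValueError(f"malformed JSON: {exc}") from None
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    unknown = set(body) - set(ORDER_SCHEMA)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for field, (ftype, check) in ORDER_SCHEMA.items():
        value = body.get(field)  # None if missing, which fails the type check below
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, ftype) or not check(value):
            raise ValueError(f"missing or invalid value for {field!r}")
    return body

def is_valid_order(raw_body: bytes) -> bool:
    try:
        validate_order(raw_body)
        return True
    except ValueError:
        return False

def new_order_db() -> sqlite3.Connection:  # constructed in-memory table for the demo
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, sku TEXT, quantity INTEGER)")
    return conn

def insert_order(conn: sqlite3.Connection, order: dict) -> int:
    # Parameterised query: values are bound by the driver, never concatenated into the SQL text.
    cur = conn.execute("INSERT INTO orders (customer_id, sku, quantity) VALUES (?, ?, ?)",
                       (order["customer_id"], order["sku"], order["quantity"]))
    return cur.lastrowid
```

The same allow-list pattern applies to XML or query-string input; the point is that the schema is checked by a library before any value reaches the data layer.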