The question of how to secure APIs becomes an ever-more-relevant one as APIs proliferate. Which is the right way? Do companies require external API Managers to get the job done, or is a security-centric solution just as good – maybe even better?
While API managers ‘get the job done’, there are several reasons to not jump the gun and maintain a closer watch of API security. Here are a few things to consider when weighing the best option for securing your organization’s API ecosystem.
Threats to APIs
While companies might still be vetting which type of API security solution is best, there’s no question that some type of solution is needed. According to research by API security firm Salt,
- 59% of respondents experienced application rollout delays from API security issues
- Vulnerabilities, authentication snags, and sensitive data exposure are the top 3 API security concerns
- Zombie APIs are the future threat trend that worries organizations the most
- 77% say their existing tools aren’t enough to secure their API environment sufficiently
- API attacks spiked by roughly 400% in the latter part of last year
The need to lock down API portals, API gateways, and API endpoints is apparent. As a hub for sensitive B2B communication, application programming interfaces face a considerable amount of attention from threat actors looking to capitalize on big opportunities and an often-muddled sense of security.
API Management – Pros and Cons
In order to simplify such a complex process, organizations often turn to API management platforms. These all-in-one technologies attempt to take on the burden of all aspects of API security, from governance and compliance to analytics and reporting and everything in between.
While on the surface that seems convenient, there are a few downsides to consider. Since API managers are not built only for security, it can be argued that the security elements are not as attuned as they would be in a specialized API security platform. API managers devote a lot of bandwidth to other areas, such as building and designing, onboarding, distribution, and automating elements of the API build process. With so many capabilities devoted to other aspects of the API lifecycle – particularly to developer-centered aids – API security can be seen as just an afterthought.
As an example, the typical API management platform can include all the following implements:
- Analysis that assesses the value of all ecosystem APIs
- API onboarding via the developer’s portal
- Definition and publication of all APIs
- API traffic management (API gateway)
- Security – typically based on API schema enforcement
- Ongoing oversight and maintenance of entire API lifecycle
API management platforms provide clear value, but when it comes to security, they are “necessary but insufficient.” They simply can’t detect today’s API attacks. Organizations focusing on API security will need a tool, solution, or provider that specializes only in that area.
The Case for In-House API Security Tools
Security-specific API platforms provide a granular level of care for niche API security issues. Rather than providing an all-in-one management product that features security elements thrown in, they represent a focused approach to addressing API-centered threats such as the ones mentioned in the OWASP API Security Top 10.
Methodologies include specifics in all five areas of the API lifecycle:
- Identifying security gaps with OAS (previously ‘Swagger Specification’) analysis
- Scoping out flaws in business logic during the pre-production phase
- Customizing API security testing based on API patterns
- Discovering shadow and Zombie APIs
- Identifying cases of exposed sensitive data
- Classifying data in API calls and subsequent responses
- Establishing baselines for normal API behavior
- Identifying and blocking all OWASP API Top 10 threats
- Pinpointing gaps in OAS documentation
- Testing production APIs for security gaps
- Keep developers updated with remediation insights learned in runtime
An API security platform can provide businesses with the immediate time-to-value that they need when combatting API-specific threats. Once deployed on your environment, some can both assess and significantly reduce risk within a matter of days. Then, remediation and testing take place in which these same solutions implement controls to reduce further risk.
The Right Tool for the Right Job
It’s easy to want to find the fastest, simplest-sounding solution to a host of API-centered problems. API managers are a great way to find a lot of services all in one place. However, if a critical element like API security is not attended to with the proper focus, insight, or expertise, a second problem could be created by implementing a less-than-ideal solution.
API security platforms offer a focused, protections-based approach to addressing the problem. Companies that invest in an API security-only solution get the benefit of not only technology singularly focused on addressing API security but also a team of experts to support them in crafting their strategy.
For teams with no current API security implementation, an API manager is a start. However, when organizations are ready to level up and take API security to the next level, it might be time for a more security-centric approach that comes with a dedicated API security platform.