Last Updated on August 18, 2022
Application development is moving from a web-centric world to an API-centric world. If you’re wondering what that looks like, the security implications, and what an API is in this context, you’re in the right place.
There is no shortage of new application security strategies to familiarize ourselves with as cybersecurity adapts to changing times.
Rob Dickinson, CTO at Resurface Labs, joined us to explain APIs, continuous API operation observability, and prevalent challenges in the API economy.
Deciphering APIs and the shift away from web-centered development
For those who grasp the web-centric world, APIs may take a little decoding. As APIs takes over the application development landscape, security challenges are being compounded.
But what exactly is this new API model?
“From a non-technical standpoint, calling an API is the modern version of calling your stockbroker. It’s app-to-app communication.” — Rob Dickinson
At the most basic level, API is app-to-app communication. Rob Dickinson offers an illustration to clarify how an API works.
He explains that years ago, when someone was interested in buying stock, they would call their stockbroker. The broker would then facilitate the communication and purchase of the stocks by relaying the information and funds provided by the caller.
The caller held power and initiated the transaction by calling the broker. But the broker completed the steps and communications necessary to complete the transaction. An API functions like the stockbroker in this representation.
APIs are how technology interacts with a business on day-to-day levels. Whether in business-to-business communication, internal exchanges, or interacting with suppliers, customers, and partners, APIs define the app-to-app connections that fuel modern communication, transactions, and interactions.
By facilitating communication and the transaction of information, APIs form a powerful, efficient and easy-to-use solution in app development. But there’s a security price to be paid for all that goodness.
Developing stronger SDLC security around APIs
While many understand SDLC as the lifecycle in which software is developed, therefore ending once it has been pushed into production, this needs to change. Instead, an SDLC that includes APIs requires a feedback loop from the production environment to meet dynamic needs and shifting risks.
This better supports enhancements, corrections, and further product development.
“You need feedback loops that actually say what’s happening in production and then feed back into the design process.” — Rob Dickinson
However, to properly secure API systems, it’s vital to develop a plan of transparency.
Unlike the web-centric world, where anyone can visibly analyze a website, API-centric systems are more opaque. While the “black box” nature of API-centric development may have some benefits, it also creates the opportunity for increased security issues and extended time between threat occurrence, identification, and reaction.
If gatekeeping is controlled and API systems are openly analyzed, therefore clarifying APIs and their functions, the potential power of API feedback loops in improving SDLC skyrockets.
Tackling security issues in the API economy
Today’s API-based services have inherited most of the security issues faced by web-based systems. However, APIs also present unique security challenges.
To best address the security challenges in the API economy, the value of transparency arises yet again. Knowing what an API is supposed to do, how it should function, and what data should be accepted and transmitted is foundational to exposing latent threats and vulnerabilities.
Fortunately, experts have developed ways to tackle these threats by adapting web-based security practices and creating innovative systems to defend against attacks. One significant development is custom signature creation without the labor and time investment of going back to the solution vendor to extend the base solution.
Rob explains some of the progress that Resurface Labs has made within the API economy.
“We’ve put a lot of time and energy into optimizing our ability to create custom signatures without custom programming and without having to go back to Resurface as a vendor.” – Rob Dickinson
By providing out-of-the-box signatures that address the most common threats and risks, an API security solution can offer protection that ensures API systems are secure at the baseline. However, custom signatures can also be created to ensure that each system is secure within its unique context.
While the API-centric model may seem intimidating compared to traditional web-centric development, there is hope. By increasing transparency and awareness of best practices throughout the SDLC, API-centric development need not expose orgs to unplanned and/or unacceptable risks.
To listen to the podcast episode on API Security with Rob Dickinson, click here.
Free OWASP ASVS Testing Guide
If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!