Many APIs are openly accessible on the web, which means large chunks of your apps are as well. Cisco’s Vijoy Pandey has tools and tips to help businesses gain visibility into their APIs.
There is a problem in the world of application development, and it is quite fundamental to the way modern software works: the disconnect between the need for application programming interfaces (APIs) and their terrible reputation as security black holes.
This is not a new issue – we have known APIs were a problem for some time, and now we’re at a point where 91% of enterprise professionals said they experienced an API security event in 2020.
APIs are responsible for taking some of the most valuable data an organization uses and sending that data, when requested, to another app, which uses the API to interpret that data in a form the app can understand and return to its user. Think of a social media app: the data does not appear on your phone by magic; it’s the Twitter API that takes the data that makes up your feed and sends it to the Twitter app.
Here’s the problem: APIs are, by design, reachable by the public. All the major companies that rely on app developers, whether internal or external, expose APIs that can pull in incredibly sensitive information.
Applications that make extensive use of APIs, therefore, leave much of their attack surface exposed on the public internet, says Cisco VP of Cloud and Distributed Systems Vijoy Pandey.
“You may be pulling APIs from the public cloud, SaaS, Salesforce vendors, or having local APIs created in a monolithic environment like a Java application. Alternatively, they may be running as a microservice or in a serverless manner. It does not matter how, but you use API interfaces … so your app really sits on the wide open web,” Pandey said.
Cisco’s solution: APIClarity
Cisco has introduced a new open source software tool called APIClarity to address what Pandey described as “an abundance of issues” around API visibility.
“Many people do not even know what an API is, or how they are used by developers. They do not know which APIs are undocumented, which are deprecated and still in use, and many developers do not take the time to document or update their APIs’ documentation to address API drift,” Pandey said.
APIClarity’s goal is to address the security risks that come with API visibility gaps, and it does so by listening to API traffic and using the data it collects to generate OpenAPI specifications for it. This is only a first step, Pandey said.
“Once you have an OpenAPI specification, you can see what an API actually transmits, compared to what it was originally intended to do. Suppose you meant it to pass an integer, but over time people started sending floats. Or you meant two arguments, but over time people started passing three or four, and the API specifications have not been updated. These are clear attack vectors,” Pandey said.
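As an added illustration (this is not APIClarity’s code, nor anything from Cisco or Pandey), the snippet below shows the two steps the quote describes: infer a parameter spec from observed traffic, render it as a minimal OpenAPI `paths` object, and then flag where the traffic has drifted from the spec the developers intended. The sample requests and the intended spec are constructed for this example; it treats every parameter as a query parameter and only looks at primitive types, simplifications that real tooling would not make.

```python
"""Infer an OpenAPI-style parameter spec from observed API traffic and
flag drift (type changes, extra parameters, unknown endpoints) against
the spec the developers intended.  Example code, not APIClarity's own."""
import json

# Constructed sample of observed requests (not real traffic). Each record is
# (method, path, parameters as the raw strings seen on the wire).
OBSERVED = [
    ("GET", "/v1/orders", {"limit": "20", "offset": "0"}),
    ("GET", "/v1/orders", {"limit": "20.5", "offset": "40"}),               # float where an int was intended
    ("GET", "/v1/orders", {"limit": "10", "offset": "0", "debug": "true"}),  # parameter nobody documented
    ("POST", "/v1/orders", {"sku": "A-100", "qty": "3"}),
    ("DELETE", "/v1/orders/42", {}),                                         # endpoint missing from the spec
]

# The spec the developers intended (hand-written, assumed for this example),
# keyed by (method, path) -> {parameter: OpenAPI primitive type}.
INTENDED = {
    ("GET", "/v1/orders"): {"limit": "integer", "offset": "integer"},
    ("POST", "/v1/orders"): {"sku": "string", "qty": "integer"},
}


def infer_type(value: str) -> str:
    """Map a raw wire value to the narrowest OpenAPI primitive type."""
    if value.lower() in ("true", "false"):
        return "boolean"
    try:
        int(value)
        return "integer"
    except ValueError:
        pass
    try:
        float(value)
        return "number"          # note: also accepts "inf"/"nan" via float()
    except ValueError:
        return "string"


def widen(a: str, b: str) -> str:
    """Merge two types seen for the same parameter: int+number -> number,
    anything else that disagrees collapses to string."""
    if a == b:
        return a
    if {a, b} == {"integer", "number"}:
        return "number"
    return "string"


def infer_spec(observed):
    """Build {(method, path): {param: type}} from the traffic seen."""
    spec = {}
    for method, path, params in observed:
        entry = spec.setdefault((method, path), {})
        for name, value in params.items():
            seen = infer_type(value)
            entry[name] = widen(entry[name], seen) if name in entry else seen
    return spec


def to_openapi(spec):
    """Render the inferred spec as a minimal OpenAPI 3 document."""
    paths = {}
    for (method, path), params in spec.items():
        paths.setdefault(path, {})[method.lower()] = {
            "parameters": [
                {"name": n, "in": "query", "schema": {"type": t}}
                for n, t in sorted(params.items())
            ]
        }
    return {"openapi": "3.0.3", "paths": paths}


def compatible(expected: str, seen: str) -> bool:
    """A string parameter accepts anything; number accepts integer; else exact."""
    if expected == "string":
        return True
    if expected == "number":
        return seen in ("integer", "number")
    return expected == seen


def detect_drift(intended, observed):
    """Return sorted, de-duplicated (kind, endpoint, detail) findings."""
    findings = set()
    for method, path, params in observed:
        key = (method, path)
        endpoint = f"{method} {path}"
        if key not in intended:
            findings.add(("undocumented_endpoint", endpoint, ""))
            continue
        for name, value in params.items():
            seen = infer_type(value)
            if name not in intended[key]:
                findings.add(("undocumented_parameter", endpoint, name))
            elif not compatible(intended[key][name], seen):
                findings.add(("type_mismatch", endpoint,
                              f"{name}: expected {intended[key][name]}, saw {seen}"))
    return sorted(findings)


if __name__ == "__main__":
    print(json.dumps(to_openapi(infer_spec(OBSERVED)), indent=2))
    for kind, endpoint, detail in detect_drift(INTENDED, OBSERVED):
        print(f"{kind:24} {endpoint:24} {detail}")
```

Run as-is it prints the inferred spec followed by three findings: `limit` drifting from integer to number, the undocumented `debug` parameter, and the `DELETE` endpoint that the intended spec never mentioned. The `widen` rule is the design decision worth noticing: when a parameter has been seen as both integer and float, the inferred spec records `number`, which is exactly how an undocumented loosening of the contract becomes permanent unless someone diffs it against the original intent, as `detect_drift` does.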
Pandey also noted that the OpenAPI specification APIClarity produces enables fuzz testing and penetration testing of APIs, with developers and security teams working from the same document, and hinted that Cisco has additional projects in the pipeline that “will further leverage APIClarity to provide users with additional capabilities.”
APIClarity is open source and available on GitHub, and Pandey said it was designed for frictionless installation in any cloud-native environment. He describes it as a runtime tool that Cisco built so that it would not have to tell users to install yet another agent. “Ultimately we’re trying to cover the visibility of API traffic in your environment as a whole, and APIClarity is the first tool of its kind to do that,” Pandey said.
API best practices
It takes more than just identifying holes and sanitizing your APIs with tools like APIClarity. Pandey said there are quite a few things developers and security teams can do to keep up with API security and ensure best practices are followed.
First, Pandey has three tips for ensuring that APIs, and any other application code pulled in from another source, are secure.
- Check OWASP’s API security resources regularly. OWASP publishes the API Security Top 10, a list of the most common API vulnerability classes, along with related news.
- Start treating software like anything else that has a supply chain, and make sure your software bill of materials (SBOM) tracks every component back to a trusted source.
- Look at an API’s uptime, hosting location and overall industry reputation. All of these are good indicators of whether the API is reliable and secure.
As for how to implement these practices, Pandey recommends looking for software solutions that tie all of these things together. In addition, he recommends using as few provider-native cloud services as possible, and favoring open source over a provider’s managed services to limit lock-in.
“If you need something like container management, go with Kubernetes or another open source product, but be careful with the cloud provider’s own services and other managed services. The more you take from their offerings, the more locked in you are,” Pandey said.
If you do plan to stay with provider-native services, be sure to ask the right questions when signing up, such as about future access, portability and the like, Pandey said.
If you want to start integrating APIClarity into your API best practices, you can download it at the GitHub link above, and you can learn more about it by watching the APIClarity webinar from the Cloud Native Computing Foundation.