You're reading from Defending APIs

Product type: Book
Published in: Feb 2024
Publisher: Packt
ISBN-13: 9781804617120
Edition: 1st Edition

Author: Colin Domoney

Colin Domoney (BSc, MSc, CSSLP, CEH) is an API Security Research Specialist and Developer Advocate with deep expertise in the development of secure software. As VP of AppSec, he took on the challenge of securing software on a large scale and running the global AppSec program at Deutsche Bank. At Veracode, as an evangelist, he produces countless webinars and blog posts, and speaks globally at conferences. Currently, he has embraced the challenge of securing APIs with 42Crunch, where he has produced the API industry's first security maturity model and contributed to numerous webinars, talks, and blogs. He is now working on the industry's first defensive API developer training course. He is also the curator of the APISecurity weekly newsletter.
Implementing an API Security Strategy

This book’s final chapter focuses on applying the knowledge you’ve gained over the last 12 chapters to create a comprehensive API security strategy for your organization. Your strategy will depend on your current position and your security goals and will largely be influenced by your organizational structure, particularly who owns APIs and their security. In the first section, we will examine typical organizational stakeholders and how their roles and responsibilities must be aligned as part of your strategy. We will then examine the 42Crunch API security maturity model to understand the six domains of API security and what maturation looks like for each domain. After, we’ll dive into rolling out your API security strategy, firstly by planning your objectives against the current state and capabilities and, secondly, by running your strategy as part of your daily process. Finally, we’ll conclude this chapter –...

Ownership of API security

Your API security strategy cannot exist in isolation from your organization’s API business and development strategy. As a security leader, you must understand the other stakeholders responsible for API strategy and delivery to ensure that your security strategy aligns with their objectives.

Ownership of APIs tends to vary from one organization to another, and there is no hard and fast rule regarding how it is assigned. In the Further reading section, there is a reference to a blog post from MuleSoft that describes a typical pattern for API ownership; we will use this to frame our discussion. This is shown visually in Figure 13.1:

Figure 13.1 – API ownership model

There are three main API owners in this model:

  • IT-owned APIs: This ownership model aligns most closely with traditional IT systems where the IT department wholly owns the resources. These are core services such as infrastructure provisioning or...

The 42Crunch maturity model

In my time as a technical evangelist at 42Crunch, I formulated a six-domain API security maturity model that has proved popular with customers in determining both their current security posture and their roadmap toward a more secure posture.

The maturity model features a set of activities for each domain, which may exist to varying degrees based on maturity. For this discussion, we will bucket the activities as non-existent, emerging, or established.

Inventory

An up-to-date and accurate inventory is key to maintaining visibility into the exposed risk and attack surface.

The adage “you can’t protect what you can’t see” applies perfectly to API security. As APIs grow exponentially, fueled by business demand, it is increasingly difficult for security teams to maintain visibility of what APIs exist and what risks they expose.

Three elements are key:

  • How new APIs are introduced and tracked in the organization...

Planning your program

Now that you have examined the key topics of API and API security ownership and have the foundations of a maturity model, it is time for the rubber to hit the road as you begin to plan your program.

Establishing your objectives

Simon Sinek’s seminal TED talk Start with Why inspires leaders and organizations to understand their motivation for what they do and the importance of the “why” they do what they do. The same can be said for establishing an API security program – without clear objectives or raison d’etre, your program may flounder and fail. You need to understand the compelling reason(s) for implementing a change program of scale. Perhaps you process medical records and cannot risk an API breach disclosing patient data. Or maybe you are a payment processor that is bound by strict regulatory requirements. Or perhaps you are an “API-first” company whose very business succeeds (or fails) on the strength...

Running your program

Once you have established your program’s goals and identified your stakeholders, you can start running your program. To do that, first and foremost, you need a team composed of the right people for the job. The trick is to find the right people; let’s look at some approaches.

Building your teams

First up, you need to build your own team who will work to achieve your objectives. Adam Shostack has written an excellent blog on the topic (see Further reading), and his perspectives reflect my reality of having built several large-scale AppSec programs. The key point is the hardest one to grasp: to build an AppSec team, you do not need a team of AppSec specialists. Shostack expresses it perfectly: “by using exceptional talents doing over-specialization.” While securing software has an obvious technical element to it, by far, the biggest challenges are human-centric. You will, above all else, require the buy-in and cooperation of your...

Your personal API security journey

We are now at the end of this book, but that does not mean that your personal API security journey has concluded. I would like to think it has only just started. APIs and API security are rapidly evolving domains, with new technologies (such as GraphQL) posing new risks to organizations. Hopefully, this book has given you a solid foundation in the basics of API security, how to attack APIs, and, most importantly, how to defend them.

To keep up to date on all breaking news relating to API security, including breaches, views and opinions, tools, and techniques, I would recommend the bi-weekly newsletter I curate at APISecurity.io (https://apisecurity.io/).

If you prefer a more tactile, hands-on approach to learning, then the good folks at APISecurity University have several online training courses on various API security topics (https://www.apisecuniversity.com/).

Happy learning!

Summary

This brief chapter covered the very important topic of building an API security strategy and saw the theory we have learned about API security applied to real-world API development. Understanding who owns your APIs is important in understanding how to drive the messaging around the need for API security. A broad-based approach involving the CISO or IT security organization and their colleagues in the API product development teams is likely to produce the best results since this will include API security touchpoints across all phases of the SDLC.

First, we learned how to plan an API security initiative by understanding our objectives (the “why”) and then understanding our current state to form our strategy. We then looked at running a program, focusing on the critical step of building our team and selecting our KPIs to gauge our progress.

Finally, your own continued learning is important for staying on top of emerging threats and changes in technology landscapes...
