API inventory: focus on runtime code, not never-invoked libraries


First part of the five-part series, Build a modern API security strategy.

You can’t secure what you don’t know. This is why you need an inventory process.

Most organizations only know a fraction of their APIs. As a rule, they grossly underestimate the true number. Many try to catalog their APIs and even add details and descriptions, but it’s impossible to count a moving target. Often APIs are added or changed on a weekly basis, which means that passive tools or scanners cannot paint an accurate picture of what is happening throughout the software development lifecycle (SDLC), from design to production. This results in a pockmarked inventory that only captures a portion of the APIs used.

While it’s important to be able to inventory everything, that’s not where security begins and ends. There’s a lot of noise in the market that mostly focuses on inventorying everything, but while generating inventory is helpful, it doesn’t make anything any safer. Also, existing inventory methods don’t work very well.

Traditional API security has involved techniques that suffer from the following issues:

  • Passive – Hard to install and impossible to get in enough places
  • Static – It’s hard to map source code repositories to actual production APIs
  • Dynamic – It is difficult to attack APIs and detect vulnerabilities from the response
  • Unique discovery process/static documentation – Cannot keep up with the fluid nature of rapidly added and changed/updated APIs

Organizations should establish an infrastructure that allows them to continuously discover APIs and then track them over time to maintain an up-to-date API inventory – an inventory that prioritizes or ranks the risks of your API portfolio to help you focus your efforts on the greatest risks.

Contrast focuses on runtime inventory

The modern approach to API security is to get closer to the code: to instrument each layer of the stack. There are products that operate at the network layer, host layer, application layer, container layer, and API layer.

Contrast tackles the problem of trying to track the moving target of API inventory by focusing on runtime inventory.

The Contrast platform operates at the application level, automatically identifying all running APIs and applications. This means instrumentation of the entire application layer, including the runtime platform, API server, API framework, open source libraries, custom API code, virtual machines (VMs) and containers. This allows you to automatically maintain a full inventory of all APIs and know exactly what their attack surface looks like.
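As an added illustration of what a runtime inventory gives you that a static catalog cannot (example code written for this article, not Contrast's own agent), the WSGI middleware below records every route an application actually serves and diffs it against a statically declared route list; the declared catalog and the replayed traffic are constructed, and collapsing numeric path segments into `{id}` is an assumption about how routes should be grouped.

```python
import time

def normalize_path(path):
    """Collapse numeric segments so /api/users/42 and /api/users/7 count as one route."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

class RuntimeInventory:
    """WSGI middleware: records every (method, route) the application actually serves."""
    def __init__(self, app):
        self.app = app
        self.seen = {}  # (method, route) -> {"hits", "first_seen", "last_seen"}

    def __call__(self, environ, start_response):
        key = (environ["REQUEST_METHOD"], normalize_path(environ["PATH_INFO"]))
        now = time.time()
        entry = self.seen.setdefault(key, {"hits": 0, "first_seen": now})
        entry["hits"] += 1
        entry["last_seen"] = now
        return self.app(environ, start_response)

    def never_invoked(self, declared):
        """Statically declared routes with no runtime traffic: dead surface to retire."""
        return sorted(set(declared) - set(self.seen))

    def undeclared(self, declared):
        """Routes serving traffic that the catalog never listed: shadow APIs to triage first."""
        return sorted(set(self.seen) - set(declared))

# Constructed static catalog: what a repo scan or OpenAPI file claims exists.
DECLARED_ROUTES = {("GET", "/api/users"), ("POST", "/api/users"),
                   ("GET", "/api/users/{id}"), ("DELETE", "/api/admin/purge")}

def demo_app(environ, start_response):
    """Stand-in application; any WSGI app can be wrapped the same way."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def run_demo():
    """Replay constructed traffic through the middleware and return the inventory."""
    inv = RuntimeInventory(demo_app)
    traffic = [("GET", "/api/users"), ("GET", "/api/users/42"), ("GET", "/api/users/7"),
               ("POST", "/api/users"), ("GET", "/api/v0/legacy-export")]
    for method, path in traffic:
        inv({"REQUEST_METHOD": method, "PATH_INFO": path}, lambda status, headers: None)
    return inv
```

Wrapping the real application object with `RuntimeInventory` on a production server yields the same two lists from live traffic; the undeclared list is the one that deserves attention first, since those endpoints exist outside every catalog.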

Five Parts of API Security

Stay tuned: next week, we’ll look at API security testing and how modern API security integrates security into development for better visibility and accuracy than traditional analytics tools.

For a five-part guide to Contrast’s series on building a modern API security strategy, see this preview.

Also be sure to check out this talk between Jeff Williams, Co-Founder and CTO, Contrast Security, and Melinda Marks, Senior Analyst, ESG Research, where they reveal:

  • What the future of API security holds for enterprises.
  • What you need to know to secure your APIs.
  • Strategies to stay ahead of the CI/CD lifecycle game.
  • The path to building unified developer and security teams capable of building secure APIs.


Jeff Williams, Co-Founder, Chief Technology Officer


Jeff brings over 20 years of security leadership experience as co-founder and chief technology officer of Contrast Security. He recently authored the DZone DevSecOps, IAST and RASP reference cards and is a frequent speaker at conferences such as JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, Enterprise Security Verification Standard, OWASP applications, XSS prevention cheat sheet and many other popular open source projects. Jeff holds a BA from Virginia, an MA from George Mason and a JD from Georgetown.

