
A CISO’s Essential Guide to API Security

Today we released a new resource for security leaders — “A CISO’s Guide to API Security.” At Salt Security, we have always put education front and center in everything we do. We made a conscious decision to focus on market education starting from our founding in 2016. Last year, we strengthened that commitment with the formal introduction of Salt Labs, a public forum for publishing research on API vulnerabilities.

In this new guide, we take a close look at the special challenges CISOs face with increasing API usage and evolving security requirements. Digital transformation has driven unparalleled business opportunities. Yet, at the same time, the APIs powering all of this digital transformation have expanded security risks.

Our guide outlines why APIs present CISOs with the biggest risk in their technology stack.

Many enterprises, from Parler and Experian to Facebook and Peloton, have suffered API incidents. The costs of such attacks can be crippling to a business: lost consumer trust, reputational damage, and lost revenue.

We work with security leaders every day. We talk with them about their biggest concerns and what led them to invest in API security. Their stories reinforce the importance of our educational efforts.

Security leaders know that the API environment is dynamic and expanding rapidly. As API usage increases, so does the attack surface.

“The scope of the APIs is constantly growing. We are always adding new APIs to introduce new features. We are providing APIs as our product, and security is going to be an important part of that product,” says David Biesack, Chief API Officer at Apiture.

In our new guide, we provide CISOs with focused insights on the three pillars of API security:

  • Visibility
  • Runtime protection
  • Remediation insights

API Visibility

If CISOs don’t have visibility into their APIs, they can’t understand their full business exposure or adequately prioritize their risk management.

Tyler Warren, Deputy Information Security Officer at real estate leader Prologis, put it this way in our recent CISO panel at the API Security Summit:

“You can’t really protect anything that you don’t know about, so an important job of security is inventorying what you really have for asset management. Nobody likes being wrong, but I think my guess at APIs we had was off by a factor of ten of what was actually out there, as opposed to what I said we had.”

Runtime Protection

Security leaders must be able to see their APIs in action in order to spot trouble areas. APIs are more than static code: you need to see them being exercised to identify logic flaws. This requires continuously monitoring APIs to identify patterns and to understand what is normal versus abnormal behavior. Only with this level of context can organizations identify malicious behavior.
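The two ideas above, building an inventory from traffic you actually observe (visibility) and then judging what is normal versus abnormal per API route (runtime protection), can be sketched in a few dozen lines. The following is an added example written for this post; it is not code from the guide or from Salt Security, and the log format, the sample log lines, the "documented" route list, and the anomaly thresholds (three times the per-route median, with a floor of three requests) are all constructed assumptions.

```python
"""Added example: API inventory from access logs plus a simple per-route baseline.

Assumed (constructed) log format, one request per line:
    <unix_ts> <client_id> <METHOD> <path> <status>
"""
import re
import statistics
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample traffic: three ordinary clients, one client (c9) that walks
# through many user profiles and mostly gets 403s, and one route nobody documented.
SAMPLE_LOG = """\
1700000000 c1 GET /api/v1/users/101/profile 200
1700000001 c2 GET /api/v1/users/102/profile 200
1700000002 c3 GET /api/v1/users/103/profile 200
1700000003 c1 POST /api/v1/orders 201
1700000004 c2 GET /api/v1/orders/5001 200
1700000005 c3 GET /api/v1/orders/5002 200
1700000006 c9 GET /api/v1/users/201/profile 200
1700000007 c9 GET /api/v1/users/202/profile 403
1700000008 c9 GET /api/v1/users/203/profile 403
1700000009 c9 GET /api/v1/users/204/profile 403
1700000010 c9 GET /api/v1/users/205/profile 200
1700000011 c9 GET /api/v1/users/206/profile 403
1700000012 c4 GET /api/internal/export 200
"""

# Constructed stand-in for the routes the team *thinks* it exposes (e.g. an OpenAPI spec).
DOCUMENTED = {
    ("GET", "/api/v1/users/{id}/profile"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = int(rec["ts"])
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def normalize_path(path):
    """Collapse purely numeric segments into {id} so each route is counted once, not per object."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def route_of(rec):
    return (rec["method"], normalize_path(rec["path"]))


def build_inventory(records):
    """Visibility: the set of (method, route) pairs actually exercised in traffic."""
    return {route_of(r) for r in records}


def find_undocumented(inventory, documented):
    """Routes observed in traffic that are missing from the documented set."""
    return inventory - documented


def build_baseline(records):
    """Runtime: per-route request counts per client, plus the median across clients."""
    per_route = defaultdict(Counter)
    for r in records:
        per_route[route_of(r)][r["client"]] += 1
    return {
        route: {"median": statistics.median(clients.values()), "per_client": clients}
        for route, clients in per_route.items()
    }


def detect_anomalies(records, factor=3, floor=3):
    """Flag clients whose request count on a route exceeds max(floor, factor * median).

    The threshold is a constructed heuristic, chosen only to illustrate baselining.
    """
    baseline = build_baseline(records)
    errors = defaultdict(Counter)
    for r in records:
        if r["status"] >= 400:
            errors[route_of(r)][r["client"]] += 1
    findings = []
    for route, stats in baseline.items():
        threshold = max(floor, factor * stats["median"])
        for client, n in stats["per_client"].items():
            if n > threshold:
                findings.append({
                    "client": client, "route": route, "requests": n,
                    "errors": errors[route][client], "threshold": threshold,
                })
    return sorted(findings, key=lambda f: (f["client"], f["route"]))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("undocumented routes:", find_undocumented(build_inventory(recs), DOCUMENTED))
    for f in detect_anomalies(recs):
        print("anomaly:", f)
```

Run as-is, the inventory step surfaces `GET /api/internal/export`, a route present in traffic but absent from the documented set, which is the "off by a factor of ten" problem in miniature. The baseline step flags only client `c9`, which issued six requests to the profile route against a median of one and collected four 403s along the way; the other clients' single requests stay under the floor. In practice the baseline would be computed over a much longer window than the anomaly window, and the threshold tuned per route, but the shape of the check is the same.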

Remediation Insights

Runtime insights also matter because they bring what you learn from production back to the development team, who can apply those lessons to harden APIs while they are still being built.

In addition, it’s worth noting that a CISO’s success doesn’t rely on these capabilities alone. APIs span all areas of an organization. Security leaders must build a strong security culture throughout the organization, so that everyone understands what is at stake when it comes to API security. APIs are the entry point to your organization’s most critical data and services. Their protection is crucial to reduce risks, maximize program value, and generate growth.

Salt Security is the pioneer and industry leader in API security. We are committed to making your APIs attack-proof and to accelerating business innovation. Education is a key component of that effort. We hope you find our new, complimentary guide informative and helpful as you look at implementing API security within your own organization.

If you would like to learn more about the Salt Security API Protection Platform, feel free to contact us or request a customized demo.

*** This is a Security Bloggers Network syndicated blog from Salt Security blog authored by Jennifer Dignum. Read the original post at: https://salt.security/blog/a-cisos-essential-guide-to-api-security