
Building a modern API security strategy — API testing


Part two of the five-part series, Building a modern API security strategy.

Modern API security embeds security into development for better visibility and accuracy. 

With applications an increasingly critical priority in organizations and the pace of development accelerating, application programming interfaces (APIs) are a vital part of every software application. APIs are the connective tissue that holds together the different parts of a piece of software, so securing them is a critical priority for any organization. They are also often exposed directly to the internet, which makes them easy for attackers to target.

Further, APIs often have direct access to sensitive data in backend systems. This makes successful exploits more serious, as there aren't multiple layers of code between the attacker and the sensitive data. Although securing APIs is a critical priority, too many companies unfortunately struggle with application security in general, let alone with complex elements like APIs.

Most organizations include APIs in their regular security scans of software, relying on legacy web application security (AppSec) testing tools to scan lines of code for known vulnerabilities. But your traditional security tools don’t work on APIs: They were designed for web apps, not to test the security of an API. 

Legacy tools weren’t built for the pace and complexity of today’s software development, and they have well-documented problems protecting traditional web applications. They perform even more poorly with APIs, for at least three reasons: 

  1. They lack the ability to handle the complexity of API code and frameworks.
  2. They can't handle complex protocols and data formats, such as serialized objects.
  3. They have no insight into non-HTTP input, such as message queues.

Static and dynamic scans simply provide lists of alerts. Given their lack of visibility and accuracy, legacy tools depend on manual security triage by expert staff to diagnose and interpret the results before handing recommendations with limited context back to developers to fix the problems. Once the large number of false positives is weeded out, security teams are left to figure out which vulnerabilities should be addressed first. This inefficiency slows software development lifecycles (SDLCs), increases costs and often fails to eliminate many vulnerabilities that can be exploited in cyberattacks.

Modern API security embeds security into development 

To avoid these issues, Contrast Assess with Interactive Application Security Testing (IAST) uses instrumentation to embed security directly into the development pipeline. IAST security solutions deploy agents and sensors that continuously monitor and analyze applications from within as they run in development and test environments, producing real-time analysis as software is being developed and tested. This makes them ideal for Agile, DevOps and DevSecOps environments, as they enable IT to find and fix security flaws early in the SDLC when they are easiest and cheapest to remediate.

Assess automatically identifies and diagnoses software vulnerabilities in applications and APIs. This instrumentation approach is perfect for APIs. Using instrumentation gives Contrast full context of what's going on inside the code of an API. Contrast can see the API traffic, code, configuration, framework, libraries, backend connections and much more. Using this context enables Contrast to detect the behavior of vulnerable code and report detailed findings back to developers for remediation.

Contrast is:

  • Fast and accurate
  • Good for high-speed development pipelines

It does not require:

  • Any extra steps,
  • Exploits or attacking APIs to detect vulnerabilities, or
  • Experts.

Anyone can do it, so developers can test their own code, thereby enabling organizations to release secure software to end users faster and with fewer risk exposures. Plus, it offers the broadest language support in the industry among IAST solutions.

By providing an embedded, scalable, always-on solution that fits seamlessly across development and production environments, Contrast Assess accelerates, simplifies and integrates AppSec for development, ops and security teams. It also uses Contrast sensors to provide real-time vulnerability and attack telemetry throughout application workflows — a major improvement over legacy approaches.

For all these reasons and more, Contrast Security would like to welcome you to the world of modern, real-time, automated, self-protecting software.

The five parts of API security

Last week, we looked at API inventory and why Contrast focuses on runtime inventory. The way we see it: Why bother with never-invoked, dead-weight code that’s just hitching a ride on your binaries?

Stay tuned: Next week, we’ll be looking at API components and how Contrast Security’s modern solutions help organizations manage all their supply-chain components, including APIs, with comprehensive observability of the entire software supply chain. That helps organizations to respond effectively to zero-day attacks — even when patches are unavailable or aren’t feasible to install. Contrast flags security gaps embedded in your software supply chain, be they in open-source, commercial or proprietary code, and scaling across development to testing and on into production environments.

For a guide to all five parts of Contrast’s series on forging a modern API security strategy, check out this overview.

Also, be sure to check out this discussion between Jeff Williams, Co-Founder & CTO, Contrast Security, and Melinda Marks, Senior Analyst, ESG Research, where they unravel: 

  • What the future of API security holds for enterprises.
  • What you need to know to secure your APIs.
  • Strategies to stay ahead of the CI/CD lifecycle game.
  • The path forward to building unified developer and security teams that can build secure APIs. 


Jeff Williams, Co-Founder, Chief Technology Officer


Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.