Forrester: Why APIs need zero-trust security – VentureBeat

APIs today prove their value by driving new digital business revenue growth and transforming decades-old business models. Such APIs have also become a fast-growing threat vector and a nexus of what research group Forrester calls “API insecurity.” What the enterprise needs is to approach APIs from a zero-trust security paradigm.
Evidence of the rise of APIs in DevOps is plentiful, and IT managers have taken note. According to the second annual RapidAPI Developer survey, 58% of enterprise executives say participating in the API economy is a top priority. In some industries, this change is particularly dramatic. The RapidAPI survey indicates 89% of telecommunications executives, 75% of health care executives, and 62% of financial service executives prioritize competing in an API economy today.
Still, as real-time APIs displace traditional approaches to integration and development, it is important to work toward a zero-trust approach that does not rely on perimeter-based security methods.
Forrester’s recent API Insecurity: The Lurking Threat In Your Software report points out that protecting APIs with perimeter-based security fails to keep pace with the increasing severity and sophistication of attacks. Moreover, APIs are an elusive moving target because they are exposed to a broader, more complex set of threats than web apps typically face.
API breaches, including those at Capital One, JustDial, T-Mobile, and elsewhere, continue to underscore how perimeter-based approaches to securing web applications aren’t scaling well for today’s APIs.
The Forrester report emphasizes that REST APIs provide direct access to transaction updates without requiring a web app and often lack sufficient security. In one example cited, a single-page web app that combined APIs and AJAX under an endpoint-based security model was easily exposed to attackers.
Forrester recommends technical leaders and DevOps teams identify and catalog APIs and endpoints and verify public API security models and API user identities. APIs, including AJAX endpoints, need to adopt a zero-trust security framework now to reduce the risk of large-scale breaches in the future.
Given how pervasive APIs are today, organizations need an overarching API security strategy that scales to address compliance and security challenges while keeping business outcomes in balance. Zero-trust security can address those challenges and is needed to secure APIs throughout the software development lifecycle and into production.
The immediate payoff is that DevOps and security teams will know which APIs exist and which endpoints are secured. They’ll also discover rogue endpoints that put transaction updates and mass data updates at risk. Forrester points out that a glaring lack of endpoint visibility often results in internal test endpoints being deployed into production. Assigning least-privilege access and microsegmentation across endpoints, even in internal tests, helps alleviate the risk of an API breach in the future.
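The catalog-and-verify practice described above and in the preceding paragraph, as an added example that is not from the article or Forrester's report: a constructed endpoint catalog is diffed against the routes actually deployed to surface rogue test endpoints, and every request is decided per endpoint from a verified identity and a least-privilege scope, with nothing trusted by network origin. The routes, principals, scopes and the HMAC token format are all hypothetical stand-ins.

```python
import hashlib
import hmac

# Constructed catalog (hypothetical routes): the endpoint inventory DevOps
# maintains, mapping each known route to the scope a caller must hold.
CATALOG = {
    "GET /v1/accounts/{id}": "accounts:read",
    "POST /v1/transfers": "transfers:write",
}
# Constructed view of what is actually routed in production (e.g. read from
# the gateway config); the last entry is a test endpoint that leaked into prod.
DEPLOYED_ROUTES = {
    "GET /v1/accounts/{id}",
    "POST /v1/transfers",
    "POST /internal/test/mass-update",
}
# Constructed identity store: verified principal -> least-privilege scopes.
PRINCIPALS = {
    "svc-mobile-app": {"accounts:read"},
    "svc-batch": {"accounts:read", "transfers:write"},
}
SIGNING_KEY = b"constructed-demo-key"  # stand-in for the token-signing key


def issue_token(principal):
    """Stand-in for an identity provider: returns 'principal.hmac' (not a JWT)."""
    sig = hmac.new(SIGNING_KEY, principal.encode(), hashlib.sha256).hexdigest()
    return f"{principal}.{sig}"


def verify_identity(token):
    """Return the principal only if the token's MAC verifies, otherwise None."""
    principal, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, principal.encode(), hashlib.sha256).hexdigest()
    return principal if principal and hmac.compare_digest(sig, expected) else None


def find_rogue_endpoints(deployed, catalog):
    """Routes live in production but absent from the catalog (rogue endpoints)."""
    return sorted(set(deployed) - set(catalog))


def authorize(token, route):
    """Per-request zero-trust decision: verified identity + catalogued route + scope."""
    principal = verify_identity(token)
    if principal is None or principal not in PRINCIPALS:
        return False, "unverified identity"
    required = CATALOG.get(route)
    if required is None:
        return False, "uncatalogued endpoint: deny by default"
    if required not in PRINCIPALS[principal]:
        return False, f"missing scope {required}"
    return True, "ok"
```

Running `find_rogue_endpoints(DEPLOYED_ROUTES, CATALOG)` flags the leaked test route, and `authorize` denies it even to a fully verified caller because deny-by-default applies to anything outside the catalog.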
The following recommendations illustrate how transitioning to a zero-trust security approach for securing APIs can reduce the threat of a breach:
As API-first integration strategies dominate enterprise software, replacing native adapters and direct database access, the need for zero-trust security is becoming more urgent. Relying on zero-trust security frameworks as the foundation for API governance helps remove roadblocks while alleviating the inherent conflicts between innovative design and compliance.
Getting API governance right brings greater scale, security, and speed to DevOps. With APIs an increasingly imposing threat vector, DevOps organizations need to move beyond treating security testing as an afterthought and instead make it integral to every phase of the SDLC. That will help alleviate the risk of an API breach.
The business benefits of APIs are real, as programmers employ them for speedy development and integration. But unsecured APIs present a keen application security challenge that cannot be ignored.
© 2021 VentureBeat. All rights reserved.