Do you know your APIs well? Not good enough, says Cisco
Many APIs are freely accessible online, which means that large chunks of your applications are too. Cisco’s Vijoy Pandey offers tools and tips to help businesses gain visibility into their APIs.
There is a problem in the world of application development, and it is a fundamental one for the operation of modern software: the disconnect between the need for application programming interfaces (APIs) and their ugly reputation as security black holes.
This is not a new issue: we have known APIs are a problem for some time, and we are now at a point where 91% of business professionals reported experiencing an API security incident in 2020.
APIs are responsible for taking some of the most valuable data an organization uses and sending it, on demand, to another application, which uses the API to decode that data in a way it can understand and present to its user. Think of a social media app: the data doesn’t just magically appear on your phone; a Twitter API takes the data that makes up your feed and sends it to the Twitter app.
Here’s the problem: APIs are of necessity publicly available. All large companies that rely on app developers, whether internal or external, have APIs available that can extract incredibly sensitive information.
Applications that make heavy use of APIs therefore leave a significant portion of their code publicly available online, says Vijoy Pandey, Cisco vice president for cloud and distributed systems.
“You can pull APIs from the public cloud, from SaaS providers, from Salesforce, or you can have on-premises APIs that you created in a monolithic environment like a Java application. Or you can run them as a microservice or in a serverless one. It doesn’t matter how, but you’re using APIs… so your application really relies on the wide open Internet,” Pandey said.
The Cisco solution: APIClarity
Cisco introduced a new open source software tool called APIClarity to address what Pandey described as “a plethora of issues” surrounding API visibility.
“A lot of people don’t even know what an API is, or how it’s used by developers. They don’t know which APIs aren’t documented, which are deprecated and still in use, and many developers don’t take the time to document their own APIs or update the documentation to account for API drift,” Pandey said.
APIClarity’s goal is to eliminate the security risks that come with API visibility gaps. It does so by listening to API traffic and using the data it collects to generate an OpenAPI specification for that traffic. This is only the first step, said Pandey.
“Once you have an OpenAPI specification, you can see what an API actually passes, versus what it was originally intended to do. Suppose you want it to pass an integer, but over time people started flopping, or you wanted two arguments, but over time people started flipping three or four, and the API spec wasn’t updated. These are clear attack vectors,” Pandey said.
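The observe-then-compare idea Pandey describes (build a spec from what the API actually receives, then flag later traffic that no longer matches it) can be sketched in a few dozen lines. The script below is an added illustration written for this article; it is not APIClarity’s code and uses none of its internals. The request records, the path names and the type-widening rules are all constructed assumptions; a real deployment would feed it captured traffic and a richer schema model.

```python
"""
Infer a minimal OpenAPI-style 'paths' object from observed API traffic,
then report requests that drift from it.  Added example for this article;
not APIClarity's code.  Sample traffic and rules below are constructed.
"""
import json

# Constructed sample traffic as a passive observer would see it.
# BASELINE is the behaviour the API was designed for; LATER shows drift.
BASELINE = [
    {"method": "GET", "path": "/users", "query": {"limit": "20"}},
    {"method": "GET", "path": "/users", "query": {"limit": "50"}},
    {"method": "GET", "path": "/orders", "query": {"id": "1001"}},
]

LATER = [
    {"method": "GET", "path": "/users", "query": {"limit": "20"}},                 # conforms
    {"method": "GET", "path": "/users", "query": {"limit": "all"}},                # integer became string
    {"method": "GET", "path": "/orders", "query": {"id": "1001", "debug": "1",
                                                   "admin": "true"}},               # extra parameters
    {"method": "DELETE", "path": "/orders", "query": {"id": "1001"}},              # operation never specified
]


def infer_type(value):
    """Map one observed query-string value to an OpenAPI primitive type."""
    if value.lower() in ("true", "false"):
        return "boolean"
    try:
        int(value)
        return "integer"
    except ValueError:
        pass
    try:
        float(value)
        return "number"
    except ValueError:
        return "string"


def widen(types):
    """Collapse the set of types seen for one parameter into a single schema type."""
    if len(types) == 1:
        return next(iter(types))
    if types <= {"integer", "number"}:
        return "number"
    return "string"


def build_spec(records):
    """Build a minimal OpenAPI 3 document from observed records.

    Every (path, method) pair becomes an operation; its query parameters are
    the union of names seen, typed by the narrowest type that fits all values.
    """
    seen = {}  # path -> method -> param name -> set of observed types
    for r in records:
        op = seen.setdefault(r["path"], {}).setdefault(r["method"].lower(), {})
        for name, value in r["query"].items():
            op.setdefault(name, set()).add(infer_type(value))
    paths = {}
    for path, methods in seen.items():
        paths[path] = {}
        for method, params in methods.items():
            paths[path][method] = {"parameters": [
                {"name": n, "in": "query", "schema": {"type": widen(t)}}
                for n, t in sorted(params.items())]}
    return {"openapi": "3.0.3", "paths": paths}


def type_fits(value, declared):
    """True if an observed value is acceptable for the declared schema type."""
    observed = infer_type(value)
    if declared == "string":
        return True
    if declared == "number":
        return observed in ("integer", "number")
    return observed == declared


def check_drift(spec, records):
    """Compare records against the spec; return (kind, path, method, detail) findings."""
    findings = []
    for r in records:
        method = r["method"].lower()
        op = spec["paths"].get(r["path"], {}).get(method)
        if op is None:
            findings.append(("undocumented-operation", r["path"], method, ""))
            continue
        declared = {p["name"]: p["schema"]["type"] for p in op["parameters"]}
        for name, value in r["query"].items():
            if name not in declared:
                findings.append(("unexpected-parameter", r["path"], method, name))
            elif not type_fits(value, declared[name]):
                findings.append(("type-mismatch", r["path"], method,
                                 f"{name}={value!r} expected {declared[name]}"))
    return findings


if __name__ == "__main__":
    spec = build_spec(BASELINE)
    print(json.dumps(spec, indent=2))
    for finding in check_drift(spec, LATER):
        print(*finding)
```

Run against the constructed traffic, the baseline yields `GET /users?limit=<integer>` and `GET /orders?id=<integer>`; the later records then produce one type mismatch, two unexpected parameters and one undocumented operation, which are exactly the drift classes the quote above calls attack vectors.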
Pandey also pointed out that an APIClarity specification enables API penetration and fuzz testing and puts developers and security teams on the same page, and he hinted that Cisco has other projects in the works that “will further leverage APIClarity to provide users with additional capabilities.”
APIClarity is open source and available on GitHub, and Pandey said it is designed to be installed frictionlessly in any cloud native environment. He describes it as a runtime tool that Cisco developed to avoid having to ask users to install another agent. “We are ultimately trying to cover the visibility of API traffic in your entire environment, and APIClarity is the first such tool to do so,” said Pandey.
API best practices
It’s not enough to identify the flaws and clean up your APIs with tools like APIClarity. Pandey said there are quite a few things developers and security teams can do to stay current on API security and follow best practices.
First, Pandey offers three tips for keeping APIs and any other application code pulled from another source safe.
- Check out OWASP’s security news regularly. They frequently publish API vulnerability lists and related news.
- Start treating software like any other item with a supply chain, and make sure your software bill of materials traces each item to a trusted source.
- Examine the availability, hosting location, and general reputation of an API in the industry. These are all good indicators of whether an API is reliable and secure.
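The second tip, tracing every item in the bill of materials to a trusted source, is easy to automate once the SBOM is machine-readable. The check below is an added example written for this article, not Cisco’s or APIClarity’s code. It reads a constructed CycloneDX-style JSON document and reports components whose package URL is absent, points at a package type outside an assumed allowlist, or carries no hash; the allowlist and the sample components are assumptions standing in for an organization’s own policy.

```python
"""
Flag SBOM components that cannot be traced to a trusted source.
Added example for this article; not Cisco's or APIClarity's code.
The SBOM text and the trusted-type allowlist are constructed assumptions.
"""
import json

# Constructed CycloneDX-style SBOM: one well-formed component, one fetched
# from an arbitrary URL, one with no provenance at all.  The hash content
# is a placeholder, not a real digest.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21",
     "hashes": [{"alg": "SHA-256", "content": "PLACEHOLDER-SHA256-NOT-REAL"}]},
    {"type": "library", "name": "leftpad-fork", "version": "0.1.0",
     "purl": "pkg:generic/leftpad-fork@0.1.0?download_url=http://example.invalid/leftpad.tgz"},
    {"type": "library", "name": "mystery-helper", "version": "2.0"}
  ]
}
"""

# Assumption: package ecosystems this organization treats as trusted origins.
TRUSTED_PURL_TYPES = {"npm", "pypi", "maven", "golang"}


def purl_type(purl):
    """Return the package type of a package URL ('pkg:npm/...' -> 'npm'), or None."""
    if not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0]


def audit_sbom(sbom_text, trusted_types=TRUSTED_PURL_TYPES):
    """Return (component, problem) pairs for every component that fails traceability."""
    sbom = json.loads(sbom_text)
    problems = []
    for comp in sbom.get("components", []):
        label = f'{comp.get("name")}@{comp.get("version", "?")}'
        purl = comp.get("purl")
        if not purl:
            # Without a package URL there is no origin to verify at all.
            problems.append((label, "no package URL: origin cannot be traced"))
            continue
        ptype = purl_type(purl)
        if ptype not in trusted_types:
            problems.append((label, f"package URL type {ptype!r} is not a trusted source"))
        if not comp.get("hashes"):
            # A name and version alone do not pin the artifact that was reviewed.
            problems.append((label, "no hash: artifact cannot be pinned"))
    return problems


if __name__ == "__main__":
    for component, problem in audit_sbom(SBOM_JSON):
        print(f"{component}: {problem}")
```

On the constructed SBOM the lodash entry passes, the forked package is reported twice (untrusted `generic` type and no hash), and the helper with no package URL is reported once; wiring the same check into a build pipeline turns the tip into a gate rather than a reminder.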
As for how to implement these practices, Pandey recommends looking for software solutions that tie all of these things together. In addition, he recommends using as few native services as possible from cloud providers and only using managed services instead.
“If you need something like container management, go with Kubernetes or some other open source product, but offload the reliability of your site and other managed services to the cloud. The more you get from their offerings, the more you are stuck,” Pandey said.
If you’re going to stick with native services, be sure to ask the right questions when signing up, like future access, migration, and more, Pandey said.
If you’d like to start integrating APIClarity into your API best practices, you can download it from the GitHub link above, and you can read more about it by watching this APIClarity webinar from the Cloud Native Computing Foundation.