Software developers know not to reinvent the wheel. So, they lean on reusable micro-services – and their corresponding application programming interfaces (APIs) – as building blocks for application components.
“Developers want to focus on the added value they can bring instead of rebuilding things that have great solutions out there already,” says Grace Francisco, vice president of developer relations, strategy, and experience at Cisco. “APIs make that easy for developers to consume.”
And they have been consuming: Nearly 90 per cent of developers use APIs in some capacity, according to a 2020 SlashData survey.
The chaotic API landscape
While such an approach toward software development might be more efficient, it also leads to security vulnerabilities that keep CISOs up at night. With the introduction of inter-dependent SaaS, micro-services and internal and external APIs, it is getting more difficult for organisations to control which APIs are made available for internal and external consumption.
Such dizzyingly interconnected cloud-native architecture brings to mind Dr. Seuss’s words from The Cat in the Hat: “This mess is so big and so deep and so tall.”
The mess is also spread out. APIs are often distributed over multiple platforms that can be on-premises or in the cloud. Cloud-native architectures can’t be corralled into one tidy unit with a robust security perimeter.
Worse, APIs themselves have varying levels of security, with some scoring higher marks than others. Both internal and external APIs can be vulnerable and sometimes code can have indirect dependencies on vulnerable APIs.
API vulnerabilities can occur at multiple layers, ranging from the cloud security posture, the images from which the application is built up, the configuration of the cloud-native application, the software that makes up the application itself, and the API implementation enabling the cloud-native application to communicate internally and externally.
Today’s agile development with CI/CD pipelines runs on compressed time cycles leading to more security complications. Two-week sprints are not uncommon.
“You’re building and deploying so rapidly that there are some things you may not catch or understand until it’s actually in a live, running production,” Francisco says. When it comes to security, late might be better than never, but pushing security operations to the end of the development cycle wastes time and effort.
Developers will often use API gateways for lifecycle management of APIs, controlling who has access and the granularity of that access. Gateways can also monitor who’s been in and out, using the services. While gateways provide some measure of security, “there are still gaps that can be left,” Francisco says.
With cyber attacks a constant threat, enterprises are frequently on the line for every line of code they deliver, no matter where it comes from. They can’t afford such chaos with APIs.
Given the liberal deployment of APIs and the increase in the corresponding number of potential attack vectors, APIs’ security components are increasingly coming under the microscope.
“In the modern software development process, there’s a lot more pressure on the API – how it’s built and how it’s deployed,” says Ron Witte, managing delivery architect, cloud, and custom applications, at Capgemini Americas, “there’s a lot more expectation now for code quality scans, security scans, inline testing. The pipeline becomes a lot more complex.”
Cisco’s API security solution
To wrangle the complexity of the API landscape and make it more secure, Cisco adopted a “shift-left” strategy, incorporating security earlier into the software development process.
“Shift-left security is really about prioritising security and bringing it to the top of mind in the day-to-day work of a developer so they can harden their code and [decrease] the threats from cyber attacks,” Francisco says.
An API-for-an-API, a solution for which Cisco won a 2022 CSO50 award, weaves security into the end-to-end cycle for enterprise API services. The tool helps from code development to deployment, live tracks APIs’ security posture while the application is in production and integrates with API gateways. The solution tests API interfaces against Cisco’s security policies.
The end-to-end solution is meant for both developers and DevSecOps professionals. “From a cultural perspective, we have a lot of work left to do to break down the silos between these groups, because they speak a different language and they’re looking at different data points,” Francisco says.
While many tools focus on security, a significant advantage of the API-for-API solution is that it brings all the tools under a common umbrella with a single control infrastructure for developers to gain insights quickly and efficiently.
The tool enables enhanced visibility throughout the workflow so developers and DevSecOps can be proactive rather than reactive, she adds. Equally important, says Francisco, the tool meets both developers and security professionals where they’re at. Developers don’t need to leave their integrated development environment (IDE) to access the tool, it weaves into the IDE.
Having a single toolset enables Cisco to create and deploy its applications in a secure and reproducible manner while providing developers, SecOps and management insights into security.
Components of the Cisco solution
For developers, the open-source tool API Insights sits within the IDE and has a browser-based view. Tools help the developer as they’re coding and pushing to the CI/CD pipeline. API quality is tracked for compliance to preset risk standards.
Cisco selected the Panoptica cloud-native application security platform to collect insights about third-party APIs globally and the potential security threats they pose. It can highlight potential issues with third-party APIs as developers use them.
The tool provides live-tracking and production-level insights as code is deployed into staging, testing, and production.
“It collects insights and data about APIs – such as zombie APIs – as the application is running, to catch security threats,” Francisco says. Panoptica also re-implements features from open-source tool, APIClarity.
Witte reiterates the importance of such security from development and production perspectives. “Having tools in the pipeline that impose proper governance is important,” he says.
API security challenges and rewards
The biggest challenge in implementing the API-for-an-API solution was “to bring together a team of people with different backgrounds and expertise – development, security, and operations – and jointly build an end-to-end application delivery platform centreed around API security,” Francisco says.
Cisco brought together teams from many branches including engineering, emerging technologies, and incubations, customer service, and DevSecOps.
Francisco’s advice to CISOs: “Look for opportunities to bridge the conversations and collaborate a lot closer with the various teams instead of treating them separately. Talk about your respective challenges and arrive at some common vocabulary because language is part of the problem.”
Witte agrees. “Security needs to be everybody’s problem, that starts upfront, you need to build for security,” he says, adding that every developer and architect needs to look at the process from a confidentiality, integrity, and accountability (CIA) perspective.
Baking security into the process from the get-go and corralling all teams’ tools into a central system enables everyone to be on the same page. As Cisco has found, such transparency is a key ingredient for robust security, even as cyber attackers are getting smarter by the day.