API inventory: Focusing on runtime code, not never-invoked libraries - Security Boulevard

2022-07-30 03:00:39 By: Ms. Cisy Pei

By Jeff Williams, Co-Founder, Chief Technology Officer

Part one of the five-part series, Building a modern API security strategy.

You can’t secure what you don’t know. That’s why you need an inventory process. 

Most organizations are aware of only a fraction of their APIs and typically underestimate the actual number by a wide margin. Many try to catalog their APIs, and even add details and descriptions, but it's impossible to tally a moving target. APIs are often added or changed weekly, so passive tools or periodic scanners cannot paint an accurate portrait of what is happening throughout the software development lifecycle (SDLC), from design to production. The result is a pockmarked inventory that captures only a portion of the APIs in use. 

Being able to inventory everything matters, but that is not where security starts and ends. Much of the noise in the market focuses on inventorying everything, yet an inventory on its own, however useful, does not make anything more secure. On top of that, existing approaches to inventory don't work very well. 

Traditional API security has involved techniques that suffer from these problems:

Organizations should establish infrastructure that lets them continuously discover APIs and then track them over time, maintaining an up-to-date inventory that prioritizes or risk-ranks the API portfolio so that effort goes to the biggest risks.  

The modern approach to API security is to get very close to the code: to instrument every layer of the stack. There are products that work at the network layer, host layer, application layer, container layer and API layer. 

Contrast tackles the issue of trying to track the moving target of API inventory by zeroing in on runtime inventory.

The Contrast platform works at the application level, automatically identifying running APIs and applications. That means instrumenting the entire application layer: the runtime platform, API server, API framework, open-source libraries and custom API code, whether deployed on virtual machines (VMs) or in containers. This makes it possible to maintain, automatically, a complete inventory of every API and of exactly what its attack surface looks like. 
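The difference between a static catalog and a runtime inventory is easier to see in code. What follows is an added example written for this page, not code from the post or from Contrast's product: a toy in-process router that hooks Python's profiler while each handler runs, records which routes were actually hit and which modules actually executed, and diffs that against a hypothetical deployment manifest. The module names (authlib, legacy_xml, imaging_sdk), the demo token and the request sample are all constructed for the example; a production agent would hook the framework's dispatch path rather than use sys.setprofile.

```python
import json
import sys
import types
from collections import defaultdict

# Constructed sample: two hypothetical "third-party libraries" built as
# in-memory modules so the example runs offline, exactly as if imported.
def _make_module(name, source):
    mod = types.ModuleType(name)
    exec(source, mod.__dict__)
    sys.modules[name] = mod          # visible to the "loaded" inventory below
    return mod

authlib = _make_module("authlib",
    "def check_token(token):\n    return token == 'demo-token'\n")
legacy_xml = _make_module("legacy_xml",
    "def parse(blob):\n    return {'parsed': blob}\n")

# Hypothetical deployment manifest: the static, "declared" view.
# imaging_sdk is declared but never even imported by the running process.
DECLARED_DEPENDENCIES = {"authlib", "legacy_xml", "imaging_sdk"}

class Router:
    def __init__(self):
        self.routes = {}                  # (method, path) -> handler
        self.hits = defaultdict(int)      # (method, path) -> request count
        self.executed = defaultdict(set)  # module name -> {functions that ran}

    def route(self, method, path):
        def register(handler):
            self.routes[(method, path)] = handler
            return handler
        return register

    def _profile(self, frame, event, arg):
        # Record each Python-level call made while a handler runs, keyed by the
        # module owning the code: code that executed, not code merely installed.
        if event == "call":
            self.executed[frame.f_globals.get("__name__", "?")].add(
                frame.f_code.co_name)

    def dispatch(self, method, path, headers=None, body=None):
        handler = self.routes.get((method, path))
        if handler is None:
            return 404, {"error": "no such route"}
        self.hits[(method, path)] += 1
        # sys.setprofile is per-thread and costly; it only illustrates the idea.
        sys.setprofile(self._profile)
        try:
            return handler(headers or {}, body)
        finally:
            sys.setprofile(None)

def build_app():
    api = Router()

    @api.route("GET", "/users/me")
    def get_me(headers, body):
        if not authlib.check_token(headers.get("Authorization", "")):
            return 401, {"error": "unauthorized"}
        return 200, {"user": "demo"}

    @api.route("POST", "/import")
    def import_xml(headers, body):
        # Registered, and legacy_xml is loaded, but the traffic below never
        # reaches it: a static inventory still counts it as attack surface.
        return 200, legacy_xml.parse(body)

    return api

def run_sample_traffic(api):
    """Constructed request sample; returns the observed status codes."""
    requests = [
        ("GET", "/users/me", {"Authorization": "demo-token"}, None),
        ("GET", "/users/me", {}, None),     # missing token
        ("GET", "/nope", {}, None),         # unknown route
    ]
    return [api.dispatch(*req)[0] for req in requests]

def inventory_report(api):
    """Declared vs loaded vs invoked, for both routes and dependencies."""
    loaded = {m for m in DECLARED_DEPENDENCIES if m in sys.modules}
    invoked = {m for m in api.executed if m in DECLARED_DEPENDENCIES}
    return {
        "routes_declared": sorted(f"{m} {p}" for m, p in api.routes),
        "routes_invoked": sorted(f"{m} {p}" for m, p in api.hits),
        "deps_declared_not_loaded": sorted(DECLARED_DEPENDENCIES - loaded),
        "deps_loaded_not_invoked": sorted(loaded - invoked),
        "deps_invoked": sorted(invoked),
    }

if __name__ == "__main__":
    app = build_app()
    run_sample_traffic(app)
    print(json.dumps(inventory_report(app), indent=2))
```

Run as a script, the report shows authlib and GET /users/me as live, legacy_xml as loaded but never invoked, and imaging_sdk as declared but never even imported. The caveat a practitioner should carry from this: a runtime inventory is only as complete as the traffic it observed. POST /import is missing from routes_invoked because nothing called it during the window, not because it is safe, and loaded-but-uninvoked code can still be reachable (deserialization gadgets, for instance). Keep the declared route table and dependency manifest alongside the runtime view and treat every difference as something to exercise, remove, or explicitly accept.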

Stay tuned: Next week, we’ll be looking at API security testing and how modern API security embeds security into development for better visibility and accuracy than legacy scanning tools. 

For a guide to all five parts of Contrast’s series on forging a modern API security strategy, check out this overview. 

Also, be sure to check out this discussion between Jeff Williams, Co-Founder & CTO, Contrast Security, and Melinda Marks, Senior Analyst, ESG Research, where they unravel:

To download the recorded webinar:

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

*** This is a Security Bloggers Network syndicated blog from AppSec Observer authored by Jeff Williams, Co-Founder, Chief Technology Officer. Read the original post at: https://www.contrastsecurity.com/security-influencers/api-inventory-focusing-on-runtime-code-not-never-invoked-libraries