We’ve made the importance of API security clear during this series of articles, discussed the roles involved and even outlined some of the best practices. Hopefully, at this point, you recognize the need to secure your APIs. You probably have one remaining question, though.
How do I get started?
That is, after all, the right question. But even though it’s becoming increasingly clear that the need for API security is dire, there isn’t much content available that discusses API security and even less practical advice on where to begin your API security journey. We’ll rectify some of that with the steps we’ve outlined below.
Where to Begin with API Security
Enable Your Team to Protect Your APIs
Securing your APIs starts with connecting and enabling the teams entrusted with the heavy lifting. That begins with conversations that include your InfoSec and API group, preferably together.
Typically, API developers and architects don’t feel that they have the expertise to properly secure these services, while InfoSec professionals feel like they are left in the dark about what APIs exist. As an IT leader, you certainly understand that you can’t secure APIs you don’t know about. So, building a bridge between these two groups is essential for success.
This may be a time to be innovative and make the commitment to securing your APIs one step further — adding security experts directly to your API development team. Embedding an InfoSec resource into the team will lower any barriers the group has to open communication.
If, up until this point, your security team has been segregated from the API developers, holding one (or several) knowledge transfer sessions is in order. This will get the conversation going on what can and should be done today and going forward to protect your services.
Perform an API Security Assessment
You can’t lay the path forward until you have your bearings. That’s why an assessment is a next step in the process of securing your APIs.
You have a few options to get this done. You could dedicate resources and do the assessment yourself. If that’s not feasible, or if you don’t feel your team is ready to do a thorough evaluation, you could reach out to Big Compass. We’re happy to help you gain clarity on your API security level and what needs to be done to reach an appropriate level of security.
You can also go above and beyond and bring in someone to do a penetration test on your APIs. This would give you the most comprehensive view of your current state. Combined with the assessment, you’ll have the knowledge needed to move on to the next step.
Develop and Communicate Your API Security Vision
With your teams communicating and with full knowledge of your current API security posture, you’re ready to begin defining your API Security Vision (some will view this as a “proposal”). This plan is a marriage of the information you’ve gathered in the first two steps and the knowledge of your current environment and processes.
You should treat this as you would any other project. Think about:
- Any other metrics you’d use for a project
Once your vision is defined, it will be time to communicate it and garner alignment with your stakeholders.
Implement Your Plan to Improve Your Security Posture
It’s tempting to jump to implementation but getting API security right means laying all of the groundwork that we’ve just outlined first. Once that’s done, only then should implementation get going.
As with the assessment, the best practice is to pull together your team to review your vision and begin putting the security changes and processes in place.
However, many companies need their teams to stay dedicated to current projects that are adding value to the business. If that’s the case, you can hire API security experts, like Big Compass, to come in and review and implement the security strategies you’ve defined in your vision. This has the added benefit of testing your vision with a team that has seen various API security plans, both good and bad.
Gartner predicts in How to Build an Effective API Security Strategy that “By 2022, API abuses will be the most frequent attack vector resulting in data breaches”. Given that, you can no longer wait to plan for API security. After all, 2022 will be here before we know it!
We’ve outlined our recommendation on how to get started above, but whatever you decide to do as a next step, it should involve a plan to protect your APIs.
If you’re still not sure how to improve your security posture or how your APIs’ security measures up, Big Compass can help. Contact us today.