How to Spend Less Time on Web and API Security

Thank you to Anastasios Arampatzis for contributing this article.

With web and API security becoming an increasingly important aspect of software development, “shift left” is gaining wide acceptance as a best practice to ensure security integrates with development early. More and more cybersecurity companies are releasing relevant products and capabilities, and the practice is becoming almost de facto for engineering teams.

However, the software industry has begun to realize that simply “shifting left” is not enough for a continuous delivery world. High velocity development teams are embracing a security approach where security is addressed starting from the first line of code. This means product security isn’t just delivered by the developer team but is rather owned by them.

Balancing security with development is easier said than done. Many challenges are impeding the process. Developers in communities talk about these challenges and it is wise to listen to them.

Challenges of API Security

Agile Development and Short Lifecycles

“The biggest challenge is that development is agile, and they are using small lifecycles,” says Yiannis Koukouras, Managing Director at TwelveSec. “Developers have a sprint of two weeks to deliver the product with very little time to spend on security. I have seen apps being finished in just eight days and then they only have two days to test the finished product,” explains Koukouras.

“You just don’t have time to build secure systems,” admits stemid85 on Reddit. Businesses are always pushing the boundaries to meet time to market demands, and developers are forced to “do the bare minimum so you can move on to the next task.”

Lack of Perception and Understanding

Many developers do not speak security. Lack of understanding the risk environment ends up on security oversight, resulting in flawed products.

Understanding how to build a secure architecture to support your development is the number one challenge according to faisent. “Production resources should be secure AND scalable AND highly available,” adds robindownes. However, the same individual agrees that “all of my developers seem to think that this is a ‘spin the bottle and pick one’ sort of choice.”

Authentication and Secrets Management

With highly automated deployments, secrets management and tight access controls are essential. Secrets may include API tokens, SSH Keys, privileged account credentials, etc. These might be used by containers, services, employees and many more entities. “Unfortunately, these critical passwords and keys are often poorly managed (exposed) and are frequent targets of attackers,” notes Joy Winter.

Poor secrets management ends up in secrets sprawl, limited visibility into your inventories, opening thus the door to malicious actors to literally log into your app and compromise sensitive data.

The Human Factor

Behind every software project are humans. We need to empower our people to embrace a security culture, and we need to provide them with the tools that can really help them apply security effectively and effortlessly at every step of the pipeline.

How Can Security Teams Spend Less Time on API Security?

The solution to all these challenges is to automate all security decisions, centralize API security management and eliminate the human factor. Instead of having a human to identify and decide on every single case, AI and machine learning can be leveraged to keep track of the fast pace of web API changes. Once security teams deploy automated, sophisticated, and centralized mechanisms they can gain insights to the problem rather than looking for a pattern.

“The best approach will be to do threat modeling, so you know beforehand what kind of security your developers need to implement,” says Yiannis Koukouras. Partnering DevOps and threat modeling makes business and strategic sense because of the data-rich, gated, and iterative development framework that DevOps offers. The Threat Modeling Manifesto starts with four questions that apply to DevOps projects and all phases of the DevOps lifecycle:

1. What are we working on?
2. What can go wrong?
3. What are we going to do about it?
4. Did we do a good enough job?

Embedding security within the team can also reduce the time required to secure apps and APIs without slowing down the developers’ pace. “The approach of having a security champion within the team that will take care of questions they have regarding security will help them a lot,” admits Koukouras. Security champions can enforce secure configurations by monitoring the code through automated means.

The Power of Open-Source Tools

Selecting the right tools for your developers is a crucial decision. Open source security tools are a great addition to the team’s arsenal, since they help them address most of the challenges discussed before. However, not all tools are created equal, and there are quite a few open source security tools that are friendly for the hectic pace of software development, but also provide much-needed security controls early in the development cycle.

One of the greatest benefits of open source tools is that they are free to use. You can try a tool out locally without having to commit to it. Instead of lengthy selection processes, you can simply try it out and see how you like it. In addition, and this is particularly critical for security tools, they provide you access to the entire codebase, so that you have full visibility into the features and the actions the tool is performing when running it in your environment.

As a concluding thought, while friendly open source security tools offer great benefits, there is a need to shift existing mindset of tackling the security challenges of API security. We should embrace a mindset of automated orchestration so that developers can own product security without compromising velocity.

About the Author

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years’ worth of experience in managing IT projects and evaluating cybersecurity. During his service in the Armed Forces, he was assigned to various key positions in national, NATO and EU headquarters and has been honoured by numerous high-ranking officers for his expertise and professionalism. He was nominated as a certified NATO evaluator for information security.

Anastasios’ interests include among others cybersecurity policy and governance, ICS and IoT security, encryption, and certificates management. He is also exploring the human side of cybersecurity - the psychology of security, public education, organizational training programs, and the effect of biases (cultural, heuristic and cognitive) in applying cybersecurity policies and integrating technology into learning. He is intrigued by new challenges, open-minded and flexible.

Currently, he works as a cybersecurity content writer for Bora Design. Tassos is a member of the non-profit organization Homo Digitalis.