Protecting The API Ecosystem As A Security Strategy

Cybersecurity is an ever-escalating arms race. Attackers and threat actors constantly harness new technology and techniques to increase their return on investment, and as the defenders of our corporate, public, and private networks, we must do the same. Automation has long been feared by workers, but as IT professionals we should be embracing it.

The goal is not to eliminate jobs but to increase the efficiency of our daily tasks and the effectiveness of our security tools. There are several commercial and open source automation tools that can help an IT professional reduce the mundane, repetitive tasks we must accomplish throughout the day. Today’s blog focuses on why today’s security and IT professionals should take the time to learn an automation tool, how to automate security testing of APIs, and the importance of API availability.

As discussed in last week’s blog, APIs (Application Programming Interfaces) are increasingly important tools in IT. As businesses connect their applications with each other and with third-party tools, a weak point has emerged in IT infrastructure: API availability. Applications have become very modular, which has allowed the application ecosystem to become diverse and interdependent.

All of these applications rely on APIs to respond to calls and communicate between the various layers. As cloud applications have become more popular and widely used, this dependence has had visible consequences: Facebook and Instagram servers going down (January 2015) and taking Tinder and HipChat with them; an Amazon Web Services disruption (September 2015) that caused an increase in faults for the EC2 Auto Scaling APIs; and a worldwide Twitter API outage (January 2016) impacting thousands of websites and apps. Therefore, it is not enough for developers to simply test an API for functionality; those of us responsible for IT infrastructure must ensure that a failing API does not disrupt the ecosystem that depends on it.

So, as a CISO or security analyst, how does an IT shop go about monitoring APIs? As the Facebook, Twitter, and AWS disruptions illustrate, APIs present a very real security concern, and availability is part of security. If your organization lacks a veritable army of analysts and bug hunters, how do you address it? The answer is to automate the monitoring of APIs for availability, security, and performance. A critical failure in an API can cause cascading failures across an infrastructure; using automation to pinpoint the issue quickly decreases the effective downtime of an application and the money lost with it.

A useful tool for API automation is Red Hat’s Ansible. While there are a number of open source options for automating this testing, many readers will already be familiar with Ansible from network and system administration. To be precise, Ansible does not ship dedicated security- or fuzz-testing modules; what it provides is the uri module for making HTTP calls and checking the responses, plus playbooks that can run other testing tools on a schedule. Driven that way, it can cover many kinds of API testing, such as:

  • Web service calls
  • Resource calling and load testing
  • Security testing
  • Platform and OS dependency testing
  • Fuzz Testing
  • Run Time Error testing and Availability

While there are many other possible testing strategies, the list above highlights some of the more common ones. As every CISSP student can tell you, there are three fundamental pieces to cybersecurity: confidentiality, integrity, and availability. Therefore, the two testing categories I would cover in depth are security testing and availability, because together they address two of the three most important aspects of applications and data: confidentiality and availability.
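As an added example (not from the original post and not from Ansible’s own documentation), here is a minimal playbook that exercises both of those categories against a single API with ansible.builtin.uri: an availability and latency check on a health endpoint, a check that a protected resource rejects anonymous calls, and a check that an authenticated response carries an HSTS header. The host api.example.com, the /health and /v1/orders paths, the API_TOKEN environment variable, and the two-second latency budget are assumptions for illustration; substitute your own endpoints.

```yaml
# Added example: monitor one API for availability and basic security
# properties with ansible.builtin.uri. api_base_url, the paths, the
# API_TOKEN variable and the latency budget are hypothetical.
- name: Monitor an API for availability and basic security properties
  hosts: localhost
  gather_facts: false
  vars:
    api_base_url: "https://api.example.com"        # hypothetical target
    api_token: "{{ lookup('env', 'API_TOKEN') }}"  # read from the environment, never stored in the playbook
    max_latency_seconds: 2

  tasks:
    # Availability: the health endpoint must answer 200 over a valid TLS chain
    # and within the latency budget. validate_certs is already the default;
    # it is stated explicitly so nobody silently turns it off later.
    - name: Check health endpoint
      ansible.builtin.uri:
        url: "{{ api_base_url }}/health"
        method: GET
        validate_certs: true
        status_code: 200
        timeout: 10
        return_content: true
      register: health
      ignore_errors: true   # keep going so the remaining checks still report

    - name: Fail on a slow or unavailable health endpoint
      ansible.builtin.assert:
        that:
          - health is succeeded
          - "(health.elapsed | default(9999)) <= max_latency_seconds"
        fail_msg: "Health check failed: status={{ health.status | default('none') }} elapsed={{ health.elapsed | default('n/a') }}s"

    # Security: an unauthenticated request to a protected resource must be
    # rejected. 401 and 403 are both acceptable; any other status fails the task.
    - name: Protected resource must reject anonymous calls
      ansible.builtin.uri:
        url: "{{ api_base_url }}/v1/orders"
        method: GET
        status_code: [401, 403]
      register: anon

    # Security: an authenticated request must succeed and the response must
    # carry HSTS. uri returns response headers as lowercase keys with dashes
    # replaced by underscores, hence strict_transport_security below.
    - name: Authenticated request to protected resource
      ansible.builtin.uri:
        url: "{{ api_base_url }}/v1/orders"
        method: GET
        headers:
          Authorization: "Bearer {{ api_token }}"
        status_code: 200
        return_content: true
      register: authed
      no_log: true   # keep the bearer token out of the job output

    - name: Verify transport security header on the authenticated response
      ansible.builtin.assert:
        that:
          - authed.strict_transport_security is defined
          - "'max-age=' in authed.strict_transport_security"
        fail_msg: "HSTS header missing or malformed on {{ api_base_url }}/v1/orders"
```

Save it under a name of your choosing (api_checks.yml here, hypothetically), run it with ansible-playbook api_checks.yml from cron, AWX, or a CI job, and alert on a non-zero exit status. Two details carry the security side: validate_certs stays on so a broken or spoofed certificate fails the run instead of being ignored, and no_log keeps the bearer token out of the job output. Fuzzing and load testing are not something uri does by itself; for those, a later task would invoke the dedicated tool and register its result the same way.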

As security incidents become more prevalent, protecting your organization’s data helps to ensure that your organization has a solid future. A crucial key to protecting data is protecting the API. You can automate API protection to increase test and analysis efficiency and effectiveness; just remember to prioritize authentication, encryption, and checks for known vulnerabilities.

Cody Jackson

Security Architect at Aquila
Cody Jackson is a leader in the management and design of secure wired and wireless networks. He performs engineering assessments for a variety of commercial solutions. He helps CISOs, IT Specialists, and Security Analysts secure network and enterprise data.

Cody's engineering networking and security expertise broaden AQUILA’s ability to service organizations. Before AQUILA, Cody was a Computer and Information Security Specialist on the Los Alamos National Laboratory Security Architecture and Application Development team. He also worked as an IT Specialist at Western New Mexico University.

Cody earned a Master of Science in Information Systems & Assurance from UNM. He received an MBA and a B.S. in History and Math from Western New Mexico University.