


Weekly Digest API Security August 11, 2016

Welcome to our latest APIWare project – Sapience! Sapience is our team’s response to a growing need for an API-centric security scanning solution. At the end of 2015, the team was looking for our next project, and they asked me for my thoughts on what the biggest need in the API sector was. Based upon my monitoring as the API Evangelist, I quickly responded with “security.”

Sapience is currently in beta, so I wanted to take a moment to share some of the thinking that has gone into the API security scanning solution, and the current state of security when it comes to APIs in general. We feel pretty strongly that, like security in general, API security is a very large and daunting challenge, and we all need to work harder to peel back the layers, roll up our sleeves, and get to work on better securing our digital infrastructure, which is increasingly being made available via web APIs.

Being API-First Sets Tone For Security

The first stop when it comes to API security is just… well, doing APIs, and making them a priority across all website, mobile, and device-based development, as well as system-to-system integration. Employing a common approach to accessing all of your digital assets helps ensure consistency, allowing for more accountability as part of overall security efforts – API-first is the first step of any successful API security strategy.


SSL For All APIs By Default Adds Encryption

Encryption is one of the most important tools in our security toolboxes, but unfortunately it is also something that still is not the default mode for API providers. Whether it is the costs associated with certificates and implementation, or legacy beliefs around the performance tax encryption can bring, APIs are not always SSL by default, and that is something that needs to change – SSL by default is the second step of any successful API security strategy.

API Management Provides Authentication

As I studied the API security landscape, the leading API management providers often dominated the conversation with their ability to secure APIs using keys, OAuth, and other increasingly common approaches. API management is definitely a significant portion of the frontline when it comes to API security. The problem is when the conversation stops here, and API providers are not actively testing and pushing on their infrastructure at this front line.


Securing the Known Universe With API Definitions and Discovery

Another layer of API security that emerged as I studied the landscape was the important role API definitions are playing when it comes to securing API infrastructure. In short, you can’t secure what you don’t know about, and having your API-first infrastructure well defined using common API definition formats has significantly helped API providers get their overall security house in order.

Automated Scanning For Most Common API Vulnerabilities

After API-first practices, SSL by default, modern API management solutions, and robust API definition and discovery work, we get to where Sapience comes in – scanning this API infrastructure for the most common vulnerabilities. I know, many of you will want a magic pill that will address all of our security needs, but in our rush to deploy APIs for the rapidly expanding mobile landscape, many companies are not even securing existing infrastructure against the most common threats.
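As an added illustration, not Sapience’s own code, here is a small Python audit that applies two of the baseline checks above (HTTPS-only transport and an authentication requirement on every operation) to an API definition of the kind the discovery section refers to; the Swagger 2.0 document it inspects is constructed for the example.

```python
"""Audit a Swagger/OpenAPI 2.0 definition for two baseline controls:
HTTPS-only transport and an authentication requirement on every operation."""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

SAMPLE_DEFINITION = {  # constructed sample definition, not a real API
    "swagger": "2.0",
    "host": "api.example.com",
    "schemes": ["http", "https"],  # plain HTTP still offered
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"}
    },
    "security": [],  # no document-wide requirement, so each operation must declare one
    "paths": {
        "/users": {
            "get": {"security": [{"api_key": []}]},  # key required
            "post": {},  # write operation with no auth declared at all
        },
        "/health": {"get": {"security": []}},  # explicitly public per the spec
    },
}


def audit_definition(definition):
    """Return a list of (severity, message) findings for a Swagger 2.0 dict."""
    findings = []
    for scheme in definition.get("schemes", []):
        if scheme != "https":
            findings.append(("high", f"scheme {scheme!r} offered instead of or alongside https"))
    global_security = definition.get("security") or []
    for path, operations in definition.get("paths", {}).items():
        for method, operation in operations.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip 'parameters' and vendor extensions
            label = f"{method.upper()} {path}"
            if "security" in operation:
                # An empty list deliberately overrides the global requirement
                if operation["security"] == []:
                    findings.append(("info", f"{label} is explicitly unauthenticated"))
            elif not global_security:
                findings.append(("high", f"{label} has no security requirement"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_definition(SAMPLE_DEFINITION):
        print(f"[{severity}] {message}")
```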


In my monitoring of the space, I regularly come across technology solutions that promise comprehensive online security, and even more agencies who will help you secure your company’s online presence, but as of January 2016 there were no API-specific SaaS solutions that help address even the simplest of API vulnerabilities. This is why I identified security as the number one problem out there, and why APIWare jumped at the opportunity to develop an API-specific solution to help address the need.

APIs have provided a much healthier approach to defining the digital infrastructure of companies, organizations, institutions, and government agencies for the last 10 years. The next stage of this evolution is continuing to bring security out of the IT shadows and acknowledging that much of this infrastructure is actually running on the open Internet. At APIWare, we want to help lead this conversation, and this is why we started Sapience.

Contact us today to get started scanning your critical API infrastructure.
