API Security Spotlight: 4 API Risk Factors Your API Security Strategy Must Solve

August 09, 2022

Dr. Nida Davis, Senior Cybersecurity Expert with The Federal Reserve Board, gives you a 4-minute 411 on the 4 key risk considerations for any CISO's API Security Strategy.

Video Transcript

API Security Risk #1

Dr. Nida Davis: The lack of business-driven API governance is a real risk. You know, tinkering with APIs I just from a technical perspective without really kind of working with the business owners, the data owners, making sure that whatever APIs are going to be developed and delivered are anchored and rooted in the business-first principle is a risk. So I would say it's really important to make sure when you pursue an API strategy, make sure that it's business-driven and that the business owners sign off on the levels of risks that they are willing to undertake as you move forward with your API strategy.

API Security Risk #2

Dr. Nida Davis: So lack of enterprise architecture planning for API Security is a big risk. If the APIs are approached as kind of an add on to existing applications, just basically figuring out how to break into the internet without looking at the big picture of all of the layers of defense and depth that you need to secure them, they may become a source of risk for you. I would say it's really important to look at your architecture, look at the big picture and integrate your API security strategy into that. You don't have to invent anything new. Just look at what you have and then just make sure that you connect with that and integrate.

API Security Risk #3

Dr. Nida Davis: Risk #3 is the lack of effective API security controls and those go along the three traditional tribe that we always worry about. As security experts, and from a cyber perspective, the CIA Triad is very important. I've seen in some of the APIs APIs APIs approaches, where they just basically inherit the underlying asset from which they are trying to kind of deliver and APIs transfer the trust or transfer the CIA CIA Triad into the APIs APIs APIs That may not be really an effective approach. I would recommend that you look at the APIs APIs as an asset, an asset to be registered, an asset to be managed, an asset that you would apply your CIA CIA controls and in particular also the triple A services: for authentication, authorization and accountability.

API Security Risk #4

Dr. Nida Davis: I see this as one of the most important risks in the context of cybersecurity. So lack of effective API threat modeling, whether you are threat modeling based on the data flows or whether you are threat meddling based on process flows, whether you are applying the stride or dread however you approach your threat modeling plans, if you don't approach APIs with effective API threat modeling and also API vulnerability testing, you have to really test quite a bit because those APIs are just going to be opening new threat vectors or new surfaces of attack onto the internet. And if they are wrappers around legacy applications, even more so, you really need to kind of focus on this practice of threat modeling and also very extensive API vulnerablility testing That's very important.

Produced with Vocal Video