Chuck Herrin, Field CISO at F5, stresses the importance of CISOs understanding their API environments. He advises that every CISO should ask 15 key questions about their API posture to strengthen security.
I have a secret I’m going to share with you today. In the half dozen chief information security officer (CISO) roles I’ve held over the last 20 years, only one recruited me due to a breach. One.
The other five were either due to attrition or the incumbent was replaced due to a loss of confidence by key stakeholders. Fully half were replaced due to a loss of confidence, not a breach.
Why CISOs need to understand their API environment
In the realm of API security, the need for CISOs to understand their API exposures can be boiled down to a few declarative statements.
First, you need to know four things to create a threat model for a given environment: your assets, actors, interfaces, and actions. In other words, “Who’s doing what, to what, via what?”
Second, the “I” in API is “interface.” Application programming interfaces are widely used across multiple platforms, languages, and frameworks, and nearly all modern software development is API-first. You have APIs in your environment, guaranteed.
Third, if you as a CISO do not have an inventory of the interfaces that expose and serve your sensitive data, whether internally or to your web and mobile apps, you have an incomplete threat model and corresponding blind spots where services and data are exposed.
Finally, incomplete threat models lack comprehensive security oversight and demonstration of due care, two critical areas that auditors and regulators are responsible for verifying. It is their responsibility to make sure that the assets, actors, interfaces, and actions in a given environment are understood and managed.
Evaluating your API security exposure
Here at F5, we always want our customers to be the smartest people in the room, so we’ve created a quick list of questions you can use to assess the current state of your API ecosystem. By answering these questions now, you’ll be prepared should you be asked later down the line during a field exam or external audit.
I have personally shared these questions with regulators and examiners from multiple agencies. Now that the U.S. Federal Communications Commission has started issuing fines and consent decrees specifically for API issues, and the current version of the Payment Card Industry Data Security Standard (PCI DSS 4.0+) specifically requires API compliance in development, the time has never been better for defenders to have these answers ready at hand.
Even if you can’t answer them all, knowing where you stand and demonstrating a proactive posture is critically important for CISOs. By demonstrating that you’re on top of understanding and evolving your API security posture, you’ll retain the confidence you’ve worked so hard to earn.
Here is the list, from easiest to hardest:
- Who owns API security for our company?
- Do our APIs have owners assigned?
- How much of our revenue comes through APIs?
- How many APIs do we have?
- How many of these are actively used, and how many are dormant?
- How many are vulnerable to the Top 10 most common API issues?
- Do our penetration tests adequately cover API vulnerabilities and attacks on business logic in production?
- Which of our APIs transmit or receive data subject to legal or regulatory compliance?
- Are we seeing malicious traffic? On which API endpoints?
- What is our overall API security risk? Has it improved or worsened from this time last year?
- Are there some development teams that produce more API issues than others? How are they trained and given feedback on API security issues?
- Is there a vetting process for code and API changes before they go into production?
- Who gets alerts on security events detected against our APIs?
- What is the average response time in minutes when a broken object level authorization (BOLA) attack is detected against one of our production APIs?
- And finally, back to the basics at the top of the list—do the people whom we think own API security know and agree that they own it?
Remember, assessing your API environment and the potential threat APIs pose is the first step toward exposing blind spots and tightening your security posture.