The use of APIs in modern application development is becoming more prevalent. In particular, the design of cloud-native applications, or applications designed to take advantage of the public cloud infrastructure, is fueling the shift towards microservices-based architectures that rely on APIs.
As a result, security and development teams are focusing on how to best secure their growing API footprint. With many API security solutions on the market, it can be hard to determine which one is the right choice for your organization. Here is a quick checklist to leverage during your evaluations:
1. Can it find all your APIs?
For any API security solution, its ability to secure APIs relies on knowing what APIs exist. Many solutions require security teams to upload API documentation, such as Swagger or RAML files, which define an API. This approach relies on developers properly documenting their APIs, uploading documentation to a common repository (such as Postman), and keeping documentation up to date as the APIs evolve.
Other solutions discover APIs by watching where traffic goes, by monitoring traffic on a CDN or integrating with hardware appliances, including API gateways, web application firewalls (WAFs), or load balancers, where API traffic flows. This requires the AppSec team knowing all the network chokepoints that API traffic flows through, which isn’t always easy in a changing network environment. Not only that, but it is easy to miss traffic to APIs that are publicly exposed but see little traffic.
Checkmarx starts by scanning your application source code, so we can discover all the APIs in your application. This approach does not require APIs to be properly documented (although that’s still good development hygiene), and can be done without having to integrate with your network infrastructure.
2. What about shadow and zombie APIs?
Shadow and zombie APIs are a big challenge with most API security solutions. A shadow API is another name for an undocumented API. Traditional API security solutions, such as WAFs and API gateways, require API documentation to configure protection - they cannot protect what they don’t know. AppSec teams are often not aware of these APIs and refer to these as shadow APIs.
A zombie API is an API that has been abandoned or forgotten. Organizations can inadvertently create zombie APIs when creating new versions of an API. In this situation, organizations often choose to leave the original API in production for a limited time, to ease the migration of users and traffic to the new API. However, they might forget to decommission it after the migration. Zombie APIs may see little traffic after users have been migrated but remain exposed for attackers to find.
Checkmarx helps you identify shadow and zombie APIs by comparing your global API inventory – the full list of APIs discovered in your application source code – with API documentation provided by your developers. This allows us to identify gaps in documentation and work with your developers to close them.
3. Discovering APIs and identifying vulnerabilities
Discovery is only the first step when it comes to securing your APIs. Once you’ve built a full inventory of your APIs, the next step is to identify what vulnerabilities they may have. Runtime solutions such as API gateways and WAFs can tell you what types of attack traffic may be targeting your APIs (and hopefully block it), but they can’t tell you if the targeted APIs are vulnerable to detected (or undetected) attack traffic in the first place.
Checkmarx layers our API Security solution on top of Static Application Security Testing (SAST) to not only discover APIs, but also identify vulnerabilities in your application source code and connect them to individual APIs. Checkmarx provides an API-centric view into your vulnerabilities, allowing you to see a breakdown of detected vulnerabilities by API, so you can focus your efforts on securing your most critical APIs.
4. Find and fix vulnerabilities - earlier in the SDLC
The cost to fix a software problem discovered in production is 100x more costly than if fixed in the design phase, and 15x more than during the coding phase. This provides a powerful incentive to find and fix vulnerabilities as early in the software development lifecycle (SDLC) as possible. However, most API security solutions focus on APIs already deployed in production environments, where identified vulnerabilities are the costliest to fix.
Because Checkmarx discovers APIs and identifies vulnerabilities in your application source code, we help organizations fix vulnerabilities in the coding phase where they can be remediated faster, with less disruption, and at lower cost. Checkmarx also identifies data discrepancies between API documentation and source code to address both improperly coded APIs as well as API drift. And finally, Checkmarx provides an API change log to help you understand the full history of changes to an API so you can understand how risks were introduced over its lifecycle.
5. Standalone solution vs AppSec platform
Modern applications continue to evolve, with greater complexity and more pieces to secure that need more security tools to secure them. Application security teams have more tools than they can properly manage, an issue that is magnified when every tool needs to be managed separately.
Consider API security solutions that simply discover APIs in production environments. Arming AppSec teams with that information is a good start, but those APIs must still be tested to identify vulnerabilities – either the live API with a Dynamic Application Security Testing (DAST) tool or the source code with a SAST tool. And even if the solution identifies vulnerabilities in an API, now AppSec teams must manually correlate identified vulnerabilities with those identified by other tools.
Checkmarx approaches API security as a part of a more holistic approach to application security. Our Checkmarx Oneplatform provides organizations with all of the tools needed to secure every part of the application, including not just SAST, DAST, and API security, but also Software Composition Analysis (SCA), Software Supply Chain Security (SSCS), Container Security, and IaC Security.
6. Automate as part of. your DevSecOps pipeline
As development becomes more agile, development teams are becoming more fragmented – often by design. This allows different developers or teams of developers to work on different parts of an application independently of each other. This also can make it more difficult for AppSec teams to stay on top of changes to the application. In this type of development environment, AppSec teams know that the only way to ensure security checks always take place is to automate scans at different parts of their DevSecOps pipeline.
With Checkmarx One, integrating with any tool in the SDLC, from software repos to build tools, is as simple as a few clicks of the button. Checkmarx integrates with the broadest range of SDLC tools in the industry and, as a unified AppSec platform, integrates all of our AppSec solutions with any SDLC with a single set of integrations.
7. Who's responsible for fixing?
AppSec teams know that their job is to find security vulnerabilities – but not fix them. AppSec teams don’t touch application code and need development teams to fix the vulnerabilities. However, finding the developer responsible for one specific API in a live application can be difficult. That’s one reason why it’s more costly to fix a software issue in production than during the coding or design phases, because you often don’t know who’s responsible for fixing any issue that’s discovered.
But when you find vulnerabilities by scanning application source code, you know who owns the project where the code is found. This makes it easy to assign identified vulnerabilities to a developer to fix. Checkmarx automatically creates and assigns bug tickets for discovered vulnerabilities, automating the process of getting security issues into the hands of the developers who can fix them.
8. Make it easy for developers to fix vulnerabilities
Traditional API security solutions, like WAFs and API gateways, can identify potential exploit attempts in live traffic targeting an API, but they can’t tell you whether a targeted API is vulnerable to any particular exploit. Identifying vulnerabilities in live APIs requires scanning the application with a DAST tool – either as part of a penetration test or automated in the DevSecOps pipeline. But even with a DAST tool, developers still must debug the API to understand an identified vulnerability before they can fix it.
As part of our overall developer experience, Checkmarx makes it extremely easy for developers to fix any identified vulnerabilities, with capabilities such as:
Checkmarx takes a different approach to API security. We help organizations discover all their APIs in code – including shadow and zombie APIs – and address security issues earlier in the SDLC, where they are less disruptive, time consuming, and costly to fix. Checkmarx API Security is available on our award-winning Checkmarx One enterprise AppSec platform, enabling AppSec teams to tackle API security as one part of a broader and more holistic application security strategy.