Five ways to reclaim the security posture of machine-driven API access | SC Media

2022-09-24 01:43:55 By: Ms. Anne Zhang

Today’s columnist, Anusha Iyer of Corsha, offers five ways to manage the security posture of machine-driven APIs. (Credit: Stock Photo, Getty Images)

Application programming interfaces (APIs) drive the automation behind software development and deployment processes. While automation has removed much of the error from manual, human-performed tasks, and the security vulnerabilities that come with that error, the risk has shifted from humans to the machines that drive these APIs, and new attack vectors have been introduced. Where a developer would previously log in to an AWS console to spin up an EC2 instance, that infrastructure now gets spun up via code through tools such as Terraform or CloudFormation.

It’s now more important than ever to have clear visibility into, and responsive control over, the identities of the machines that are accessing the organization's APIs. In zero-trust parlance, this is Non-person Entity (NPE) identity and access to an enterprise’s systems, services, and data. As Gartner in its 2022 API Hype Cycle Report and Akamai in its State of the Internet Security report discuss, this type of API communication has exploded recently. Yet organizations lack the frameworks to protect and regulate these API-driven ecosystems and to secure this automated machine-to-machine communication at scale.

Security teams must shift their focus from “How do we make sure Jill isn’t granted too many permissions in AWS?” to “Do we know the identity of the machines that have API access, and do we trust them?” This mindset forces security leaders to treat machines, and the workloads they run, as users just like Jill, which in effect means having strategies for API Identity and Access Management (IAM). Automation requires engineering and security teams to treat machines as first-class citizens. If identity truly has become the new perimeter in security, then it’s critical to have clear visibility into the identities of non-person entities like machines and service accounts.

This emphasis on securing non-person entities (NPEs), or nonhuman entities, in API-driven ecosystems is called out in zero-trust architecture frameworks like NIST SP 800-207 and CISA’s zero-trust maturity model. Here are the basics of the NIST framework:

A ZT approach is primarily focused on data and service protection but can and should be expanded to include all enterprise assets (devices, infrastructure components, applications, virtual and cloud components) and subjects (end users, applications and other nonhuman entities that request information from resources).

So what can DevSecOps teams do today to reclaim the security posture of machine-driven API access? Here are a few actionable steps:

Hopefully these strategies are helpful as organizations have conversations and develop strategies around API security, identity, and access.

Anusha Iyer, co-founder, president, and CTO, Corsha

Copyright © 2022 CyberRisk Alliance, LLC All Rights Reserved This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.