From Risks to Remediation: Building Secure Apps with API Security

In this era of digital transformation, vast amounts of information is available to people and organizations worldwide, almost instantly with a click or swipe. It is worth pausing to consider the security features behind the increasing number of web applications that are allowing this all to happen. What happens if private information leaks, money is stolen, or a cyber virus attacks and all information is lost?

These are the questions that leading organizations are considering when developing the applications they need to maintain their edge in a competitive economy. What are the potential risks and vulnerabilities in these applications, and how can development teams find and address them early on before they are released to minimize the need for more costly fixes when systems are breached?

API security is fast becoming a critical tool in overall application security as a growing percentage of cyber attacks have been focused on vulnerabilities associated with how this interface interacts with a wide array of open-source and third-party integrations.

According to Forrester research, 53% of breaches from external attacks are attributed to the application and the application layer.* When organizations were asked which security practice they were incorporating into their customer-facing applications, most mentioned software composition analysis (SCA), which identifies open-source components being used in software and alerts developers to any known vulnerabilities in those components.

SCA is increasingly being integrated into the existing development lifecycle alongside SAST (Static application security testing). Colin Bell, HCL AppScan CTO at HCLSoftware says API security also has a part in software supply chain security, with IAST playing a growing role, encompassing parts of SCA as well. Supply chain is more a process than it is necessarily any feature of a product.*

Together, these tools provide developers with better feedback and enable them to catch more vulnerabilities in their codebase at even earlier stages in the process. All of this reduces the need for costly fixes down the road.

Effective triage and remediation during the development lifecycle are hot topics in the industry. Auto-remediation is increasingly being looked at as the next big step in helping software engineers reduce the manual work in not only finding vulnerabilities but automatically fixing them as well.

All this is to make a point that API security and related security testing around open-source and third-party components are now priorities for security developers. They are more carefully considering which APIs exist within their platform prior to release. They are adopting a more DevSecOps approach to ensure all aspects of the APIs and related open-source components are tested early in the development process. And the interest in auto-remediation is increasingly leading to discussions around artificial Intelligence (AI) and machine learning, and how these powerful tools can improve program offerings that enable greater cloud security, governance, and overall risk management.

Organizations that are putting this all together have a pretty fierce application security platform to boast about.

HCL Software Customer Experience Executive, Robert Cuddy, predicts that five or 10 years down the road, you will ask AI to generate an application according to the data input and prompts it is given.  And the AI will write code, but it’ll be the most efficient, machine-to-machine code that humans might not even understand.*

SDTimes shares a more detailed account of The Importance of Security Testing in their latest feature covering all things API, security testing and how application security software’s past is shaping the future to become a more risk-averse and technology-forward industry.

* taken from The Importance of Security Testing