Securing modern apps in the era of API sprawl

As organizations continue to digitally transform business processes, they are increasingly transitioning from legacy applications to modern, cloud-native apps. These intricate modern apps feature far more APIs than their predecessors: In the past, an average app would usually include 1-2 APIs, but now they typically feature dozens. To make things more difficult, many of these new APIs are deeply embedded and hidden. Securing these APIs (and the larger app environments where they live) is proving extremely difficult.

Several other trends are also exacerbating the problem. For one, these new cloud-native apps are mostly built on microservices architectures. With microservices, apps are chopped up into smaller, disparate components. These components or services are then distributed across various clusters and locations, including potentially multiple public clouds and the edge. In addition, most organizations today employ a continuous software development cycle (including CI/CD) in which engineers are constantly churning out new versions of apps. Each new release comes with new APIs. For example, when a developer fixes a bug in an app, they deploy a new API.

All these factors have combined to create massive API sprawl: Modern apps have more APIs than ever, these APIs are highly distributed via microservices and can be difficult to detect, and software teams are always adding new ones. With this complexity and constant change, DevOps and SecOps are struggling to secure APIs and safeguard apps.

Existing app security solutions and strategies do not properly protect modern apps at the API-level. For example, a web app firewall (WAF) will guard against malicious attacks like SQL injections. But this isn’t a relevant attack vector for modern cloud-native app environments. Traditional point products, such as WAFs, load balancers and API gateways, were mainly designed for app-to-web communication. But cloud-native environments are defined by constant app-to-app and API-to-API communication.

To protect modern, API-driven app environments, organizations need a strategy that reflects this shift and is designed to secure communications at the API-level. To accomplish this, you need to know two things: 1) Which service is talking to which service and what is the context of that communication, and 2) what data is being shared by each API. Existing solutions tell you nothing about the context in which two services are communicating, and they also don’t fully reveal the data shared by APIs as they only inspect the headers of packets and not the body.

A proper app- and API-centric approach to security addresses these needs. Overall, this strategy delivers four critical things:

Discovery: It employs machine learning to discover every API and tell you how services and APIs are communicating at a granular level. This means it reveals who is talking to whom, how much they are talking, what they are talking about, etc.

Analyze: This approach allows you to intelligently analyze current app-to-app and API-to-API communication, providing a sense of what normal communications patterns are. For example, what is a typical request rate? Is it 10 requests per day or 10 requests per hour? What is a normal response size? What data is being shared by an API? Is that data highly sensitive, such as personal identifying information (PII)? Once you understand normal app and API behavior, you can easily spot anomalous activities and determine if they’re malicious.

Secure: Based on the above learnings and using artificial intelligence, this approach will enable you to easily take actions and enforce policies to secure all app and API communication. For example, if you see that an API is unnecessarily sharing PII (such as email addresses or credit card information), it should tell you to block that API from exposing that data. In addition, it will show what a malicious API pattern looks like – i.e. if an API is sending hundreds of requests per minute, it’s probably malicious. Whenever an authorized service makes another request to another authorized service, if it follows an anomalous request pattern, it should be blocked.

With developers constantly adding new APIs, this approach allows you to apply these policies automatically via a single click. Policy enforcement cannot be done manually for these complex, rapidly changing environments.

Deploy anywhere: Further leveraging automation, an app-to-app and API-to-API focus will also enable you to extend these policies to any location, no matter if it’s on-prem, in the public cloud or at the edge.

For cloud-native app environments, organizations should strive for zero-trust security at the API-level. However, enterprises get lots of their APIs from either open source libraries or inherit them from previous development teams. It’s difficult to discover where all these APIs are located and what they’re doing. They’re usually not turned off, but are still operating by default and could be exposing an organization’s entire app environment. An approach centered on app-to-app and API-to-API communication allows organizations to discover all these disparate APIs, modify or remove them, and achieve zero-trust security.

Ultimately, modern apps are like massive jigsaw puzzles. Each microservice is a puzzle piece, while each API is a hook in that piece that connects it to other pieces. Imagine trying to solve that puzzle if many of those hooks were invisible – it would simply be impossible. That’s what trying to protect cloud-native app environments is like using traditional solutions and approaches. It can only be done with a proper API-centric strategy that makes it possible to automatically discover, analyze and secure each API, wherever it may be located.

Photo Credit: Panchenko Vladimir/Shutterstock

Pranav Dharwadkar is a VP of Products at Volterra. Previously, he led Connected Car Product Management at Jasper that was acquired by Cisco. Prior to Jasper, Pranav led Strategy and Operations at Paypal helping drive several percentage point improvements in checkout conversion rate for PayPal’s core checkout product. Prior to PayPal, Pranav held Corporate Strategy position at Cisco where he led acquisitions for Cisco’s Enterprise collaboration technology group. He holds an MBA from Haas School of Business, UC Berkeley, an MS in Computer Engineering from Purdue University, and a BS in Electronics Engineering from the VJTI, University of Mumbai.