Tracing your API and application security — all the way: A matter of belief or AI?
Let’s say you are a product manager, IT manager, or an architect in charge of a modern web application. Whether you know it or not, you have APIs.
Who do you think is taking care of your application, infrastructure, and API security? Your developers? Your network admins? Or do you think you are safe when you have had a security audit in one of your new applications? Well, unfortunately, none of these are correct answers. The world of software is getting more distributed, more complex, and ever-changing.
A big part of APIOps is to automate your API development and management. And a considerable part of API management is security and compliance by design and in run-time. In the APIOps Cycles method, the API audit checklist is one way of making sure that you are publishing a secure API. Some have even automated parts of the audit, and code is checked with every commit. But what happens when your API, the microservices, infrastructure, and backend-systems are out there live in the production environment?
We compared notes in a private demo with some industry experts and Sanjay Nagaraj from Traceable.ai. If you are a CIO, IT architect or a product manager, this is the stuff you should worry about:
Your firewall rules are never quite up-to-date with your code changes. The release cycles are different, and change management doesn’t cover all aspects.
Product owners or security admins don’t know what version of API is published. Nor are the APIs meeting requirements or not.
Most companies have now woken up to block typical security errors (static OWASP or network threats). But hackers are also getting smarter. Your existing stack or best practices might not cut it anymore.
Distributed systems have layers like an onion. Except it’s more like a spider’s web, where root-cause analysis becomes nearly impossible.
So, what can you do? What can you fix? You put a firewall and an application firewall on top of the application. You install API management, put token-based authentication and identity server in place, and do security audits on every major code update. Your developers use libraries that block most known OWASP threats, which they confirm with static analysis. You and your team might do a few other things, too. But the bottom line is, you still might expose your APIs and your data because some area of the architecture is leaking and you don’t realize it.
A big problem in the industry is that proper security requires cooperation from many professionals. You need to design your security and make sure it’s fit-for-purpose; it doesn’t just happen. APIs have mixed up the deck since they are often undetected and not adequately understood. Most architectures also contain layers of APIs. The security brought by API management tools might only cover the outer layer. This is true if the APIs are usable only via the API management, which, by the way, is not always the case. GraphQL, gRPC, AsyncAPI, and other new API technologies are bringing new problems. So are machine learning APIs and IoT? How will you keep all of them secure when code might be released many times a day and hackers are evolving?
One of the solutions is intelligent and all layers covering security. Sanjay Nagaraj explains how Traceable.ai, a solution released in July 2020, handles these problems: It includes user behavior, API activity, data flow, and code execution all at once.
We gathered in an industry expert private demo and everyone in the online meeting was quite blown away from the possibilities. We were even thinking ahead to new, even broader use cases. We saw how many threats were currently in each layer. We were able to look at which user accounts were behaving suspiciously and against business logic. It may sound trivial to see, what data was being handled, and if there were some anomalies detected. But really, there have been quite many tools in planning similar to this over the past 12 months. None of them has been able to do the job right. So this tool looks quite promising.
Tessa Viitanen, a Finnish long-time security, and compliance expert, pointed out that the algorithms and methods of filtering traffic in traceable.ai were more comprehensive and also suitable for a level of compliance management. Sanjay and his team confirmed that Traceable.ai covers the features traditionally handled by external audit trail logging and actively blocks or reports unwanted traffic.
The group even discussed if using a smart, learning tool like this would be guiding the companies into unsafe practices, like allowing the developers to publish APIs that were not safe to publish. But unfortunately, this happens quite often anyway and mostly undetected by anyone. Or vice versa, organizations are so afraid to publish any APIs that even those intended for public or partner use never make it. Wouldn’t it be better to have a tool that exposes even the potential threats and shows the things that need fixing?
One important thing about this type of tool is how easy it is to deploy. For example, Traceable.ai can be deployed in many ways and in minutes to a few hours: next to your API management tool, as a sidecar, agent, etc. Traceable.ai released an open-source project called Hypertrace that provides the observability platform features for collecting data from distributed systems. There isn’t a good reason not to start trying these automated tools to keep your applications even more secure. It doesn’t take away the fact that you need a team that knows what it’s doing. The team needs to understand how to create secure, and well-designed architecture, that fits the business purpose.