Bionic Uncensored: API Security & ASPM

Our friends over at OWASP define API security as a security strategy that focuses on understanding and mitigating the security risks associated with APIs. With such intense focus on securing these APIs, API security tools have been popping up left and right.

API security tools are extremely good at what they do: gathering an inventory of the API calls in your environment. But the issue with relying solely on API calls is that there is no context about what those API calls are connected to.

For example, the application microservices, databases, message brokers, and third-party connections are all part of the application ecosystem. This is where Application Security Posture Management comes in.

In this episode of Bionic Uncensored, Matt Rose explores:

  • The basics of APIs and API security
  • Main differences between API Security and ASPM
  • Why it is so important to secure APIs
  • How to better understand your application architecture and how that provides more context to your application ecosystem
  • Why you need more visibility into the application architecture to properly secure APIs

Watch the full episode (both part 1 and part 2) to learn the main differences between API security and ASPM.

Watch the Full Episode(s)

Part 1

Part 2

Top 3 Takeaways

Takeaway #1: APIs are the Communication Path between Apps

APIs call information from applications, including data and functionality, and share that information with another application. This information can be passed internally or externally, and the critical nature of the API is based on the importance of the information shared.

For example, if an API is pulling PII from a database and sharing that information with a 3rd party tool like Tableau or Salesforce, then that is something we would classify as potentially critical.

API Security solutions look to identify and secure that communication path, but not necessarily the applications on either end of it.

Takeaway #2: Misconfigured, Unauthorized, and Unauthenticated APIs Can Lead to Data Exposure

You have integrated a new third-party application that is going to save your team tons of time. Here are some questions that you have to ask yourself: 

  • How do you know if that API call is configured correctly?
  • How do you know if the API is set to properly authorize access to the right people/applications?
  • How do you know if that API is properly authenticated?

These are all questions that API security tools struggle to answer. This is where ASPM can step in and help you build more context around the APIs in conjunction with the application architecture.

Takeaway #3: Complete Application Visibility is Required to Properly Secure APIs

Once again, we aren’t here to bash API security. Those tools are great at inventorying and securing the communication path itself. But to properly secure your applications in production, you must have complete visibility into the services, databases, message brokers, and dependencies within your application ecosystem.

ASPM sets out to do just that. Some questions you must ask yourself when securing your APIs:

  • What services is this API communicating with?
  • Are those services secure? Do they have any critical CVEs?
  • What kind of data is this API accessing? Is it sensitive data?
  • Are those services connecting to any 3rd party APIs/services?
  • Have the services connected to the APIs drifted from their intended structure or functionality?

These are all questions that API security solutions cannot answer on their own, yet they are necessary for securing your application ecosystem and your APIs.
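To make the contrast concrete, here is an added example (not code from Bionic or the episode) that joins a bare API-call inventory, which is what an API security tool sees, with service context, which is what ASPM adds, and answers the questions from Takeaways #1 and #3: which calls let a third party reach PII, which are unauthenticated, and which reach a service carrying a critical CVE. All service names, routes and the CVE id are constructed placeholders.

```python
# Added example, not code from Bionic or the episode. All data below is constructed.
from collections import deque

# Constructed architecture context (the ASPM side): data held by each service,
# whether it is a third party, and a placeholder CVE id (not a real identifier).
SERVICES = {
    "tableau":       {"data": set(),      "third_party": True,  "critical_cves": []},
    "reporting-api": {"data": set(),      "third_party": False, "critical_cves": []},
    "customer-db":   {"data": {"PII"},    "third_party": False, "critical_cves": ["CVE-EXAMPLE-1"]},
    "catalog-api":   {"data": set(),      "third_party": False, "critical_cves": []},
    "product-db":    {"data": {"PUBLIC"}, "third_party": False, "critical_cves": []},
}

# Constructed API-call inventory (the API security tool side):
# (route, caller, callee, authenticated)
CALLS = [
    ("GET /reports",  "tableau",       "reporting-api", True),
    ("db:customers",  "reporting-api", "customer-db",   True),
    ("GET /products", "catalog-api",   "product-db",    False),
]

def reachable(start, calls):
    """Services reachable from `start` by following API calls outward (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for _, caller, callee, _ in calls:
            if caller == cur and callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen - {start}

def assess(calls, services):
    """Return {route: [reasons]}; an empty list means no finding for that call."""
    findings = {}
    for route, caller, callee, authenticated in calls:
        reasons = []
        downstream = reachable(callee, calls) | {callee}
        data = set().union(*(services[s]["data"] for s in downstream))
        if services[caller]["third_party"] and "PII" in data:
            reasons.append("PII reachable by a third party")
        if not authenticated:
            reasons.append("call is unauthenticated")
        for s in downstream:
            for cve in services[s]["critical_cves"]:
                reasons.append(f"{s} has critical {cve}")
        findings[route] = reasons
    return findings

if __name__ == "__main__":
    for route, reasons in assess(CALLS, SERVICES).items():
        print(route, "->", reasons or ["ok"])
```

Note that the inventory alone (CALLS) cannot tell you that `GET /reports` exposes PII to a third party; that finding only appears once the downstream services and their data are known.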

Want to learn more about how ASPM can improve API Security? Check out our latest blog about how ASPM improves API Security.
