What happens when an unstoppable force meets an immovable object? It’s a classic paradox, but anyone who has witnessed the relationship between SecOps and DevOps teams in any enterprise may have an inkling of how that might unfold. There is nothing new about the contentious relationship between these two groups. On the one hand, DevOps is responsible for building the company’s greatest and most impactful innovations – as quickly and inexpensively as possible. On the other hand, SecOps is tasked with ensuring every piece of data, line of code, application, website, and cloud-based architecture that the enterprise manages is fully protected.
Digital gunslingers vs. the party of ‘no’
To SecOps, DevOps teams are the gunslingers of the digital frontier: they spin up new application programming interfaces (APIs), containers, and functions, all connected to an expanding array of databases, creating a “black box” for SecOps, and they care more about getting their project done than about ensuring the data is secure. To DevOps teams, SecOps is the “party of ‘no’”, a big obstacle that keeps them from doing their work.
Today, the growing range of APIs is further feeding the tension between these two factions. SecOps teams have a difficult time gaining visibility into API transactions because API schemas are often lightly documented and subject to frequent changes. Meanwhile, DevOps teams must have the freedom to rapidly adjust APIs to meet changing business needs without having to manually update API specifications for security testing and policy definitions. As much as the SecOps team wants to keep a watchful eye on the behaviors of the dozens or even hundreds of APIs operating within their network, today’s conventional API security methods slow DevOps down and make the organization less efficient overall.
Historically, applications were deployed under the assumption they would be protected by the network perimeter. As modern software development has shifted into cloud-native architectures and established a greater reliance on APIs, this traditional concept is less effective and leaves the process exposed to additional security vulnerabilities. APIs are not going away. They are, in fact, the connective tissue that binds modern, cloud-native applications together. At the same time, APIs are introducing more cybersecurity risks to the organization. By 2022, it’s predicted that APIs will become the most frequently attacked enterprise web application vector. So what can SecOps teams do to ensure they have the visibility they need into the enterprise’s data estate so they can apply security policies across the board and automate an API protection process without slowing down the DevOps teams?
The feedback loop that discovers, monitors, and secures APIs
SecOps teams can achieve the visibility they need into the enterprise’s data estate by natively integrating all data sources into a single, easy-to-use platform. They can do this automatically and without disrupting DevOps teams. For API security, SecOps teams must make DevOps teams partners in the creation and execution of their security strategy. To start, create an effective feedback loop between DevOps and SecOps teams – a development security operations (DevSecOps) approach – designed to help DevOps and SecOps work in concert to get API security risks under control.
By establishing and implementing a feedback loop between DevOps and SecOps, organizations can streamline application release workflows and enable developers to focus on delivering an optimal digital experience, while providing the SecOps team with visibility and control over the application runtime.
The ideal feedback loop should encompass three critical domains: discovery, monitoring, and security.
- Discovery: Maintain an always up-to-date API inventory with contextual data labels. Ideally, this should be done autonomously with an unobtrusive solution that continuously keeps the API inventory up-to-date with data security classifications. For some, discovery simply entails mapping API service endpoints, but that’s not enough. Instead, you need to know what data each API is accessing — and shift to a data-centric approach to API security.
- Monitoring: Generate specifications from developer-sourced artifacts and check them against security best practices. Functional or regression test traffic is monitored to validate the specifications, or to generate them if none are available. Automating this ensures protection keeps pace with application changes without manual intervention: new APIs discovered at runtime are checked in the next cycle, while API calls observed in testing help prepare the runtime model.
- Security: For API-first apps, the API specification is always completed and updated before the actual implementation. For other applications, API specifications can be used as a reference, but dynamic discovery is needed to ensure the actual implementation and the API specification stay in sync. This also means that strict positive enforcement based on the specification alone is not possible. An automated learning system is needed to build a new baseline every time a new API specification is discovered or updated. The new baseline helps to identify anomalies accurately and drive security policy actions without manual intervention.
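The three domains above are easier to reason about as code. The following is an added example, not code from the original post or from Imperva: it builds an API inventory with data labels from gateway access logs (discovery), diffs that inventory against a developer-supplied specification (monitoring), and derives a positive-model baseline that admits only known endpoints and known body fields (security). The log lines, the simplified specification in place of an OpenAPI document, and the field-name classification rules are all constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample of API gateway access-log lines (not real traffic):
# "<METHOD> <PATH> <JSON body>".
SAMPLE_LOG = [
    'POST /api/v1/users {"email": "ann@example.com", "name": "Ann"}',
    'GET /api/v1/users/42 {}',
    'POST /api/v1/users {"email": "bob@example.com", "name": "Bob", "ssn": "000-00-0000"}',
    'GET /api/v1/orders/7 {}',
    'DELETE /internal/debug/dump {}',
]

# Constructed, deliberately simplified developer specification (the role an
# OpenAPI document would play): (method, path template) -> allowed body fields.
SPEC = {
    ("POST", "/api/v1/users"): {"email", "name"},
    ("GET", "/api/v1/users/{id}"): set(),
}

# Hypothetical data-classification rules: body field name -> contextual label.
SENSITIVE_FIELDS = {"ssn": "PII:SSN", "email": "PII:email", "card_number": "PCI"}


def normalize_path(path):
    """Collapse numeric path segments into an {id} template so that
    /users/42 and /users/43 count as one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def parse_log_line(line):
    """Split one constructed log line into (method, path template, body field names)."""
    method, path, body = line.split(" ", 2)
    return method, normalize_path(path), set(json.loads(body))


def build_inventory(lines):
    """Discovery: one entry per (method, path template) holding the union of
    body fields observed and the data labels those fields imply."""
    inventory = defaultdict(lambda: {"fields": set(), "labels": set()})
    for line in lines:
        method, path, fields = parse_log_line(line)
        entry = inventory[(method, path)]
        entry["fields"] |= fields
        entry["labels"] |= {SENSITIVE_FIELDS[f] for f in fields if f in SENSITIVE_FIELDS}
    return dict(inventory)


def diff_against_spec(inventory, spec):
    """Monitoring: compare the runtime inventory with the declared spec.
    Returns sorted (finding, method, path, detail) tuples: endpoints the spec
    never mentions, and documented endpoints receiving undeclared fields."""
    findings = []
    for (method, path), entry in inventory.items():
        if (method, path) not in spec:
            findings.append(("undocumented_endpoint", method, path, None))
            continue
        extra = entry["fields"] - spec[(method, path)]
        if extra:
            findings.append(("unexpected_fields", method, path, tuple(sorted(extra))))
    return sorted(findings)


def learn_baseline(inventory):
    """Build a positive-model baseline from observed traffic; callers merge the
    spec over it so the declared specification wins where one exists."""
    return {key: set(entry["fields"]) for key, entry in inventory.items()}


def allow_request(method, path, body_fields, baseline):
    """Security: positive enforcement. Only a known (method, path template)
    carrying a subset of its known fields is allowed; anything else is an
    anomaly to be blocked or escalated to SecOps."""
    key = (method, normalize_path(path))
    return key in baseline and set(body_fields) <= baseline[key]


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for key, entry in sorted(inv.items()):
        print(key, sorted(entry["fields"]), sorted(entry["labels"]))
    for finding in diff_against_spec(inv, SPEC):
        print("finding:", finding)
    baseline = {**learn_baseline(inv), **SPEC}
    print(allow_request("POST", "/api/v1/users", ["email", "name"], baseline))
    print(allow_request("POST", "/api/v1/users", ["email", "name", "role"], baseline))
```

Run against the constructed log, the inventory labels the user-creation endpoint as handling PII, the diff reports two endpoints the specification never documented (including an internal debug route) and an undeclared `ssn` field, and the merged baseline rejects a request carrying a field it has never seen. The caveat the text hints at applies here too: a baseline learned from traffic inherits whatever anomalies were already in that traffic, which is why the declared specification is merged on top and why each re-learned baseline should be reviewed when the diff reports new findings.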
This feedback loop gives the SecOps team the visibility they need into potential threats without slowing down the development process. It’s analogous to adding a security camera to monitor the production floor of a warehouse. The SecOps team gets visibility around the clock, monitors for suspicious activity and can react as soon as something nefarious happens. In a software production environment, AI and machine learning are essential for helping automate this activity and to reduce the time it takes to respond.
What’s needed longer term
The idea behind a development security operations (DevSecOps) process is sound, but the approach is often flawed because of the problematic relationship between DevOps and SecOps that we discussed earlier.
In the end, DevOps and SecOps benefit from a frictionless relationship where developers have the freedom to innovate quickly without sacrificing security. An API discovery and risk assessment feedback loop gives organizations the tooling they otherwise lack to monitor development and production, reduces the manual effort needed to fill that gap, and mitigates security risks along the way.
Imperva solutions for API Security
Imperva has helped more than 6,500 enterprises overcome application and data security challenges. To meet emerging challenges created by the proliferation of APIs being used to connect cloud-native applications, Imperva delivers an automated positive security model that detects vulnerabilities in your applications, and shields them from exploitation. As APIs are being churned out faster than SecOps teams can review, influence, and sign off on before they’re pushed into production, Imperva’s automated positive security model allows only the traffic you want to access your API, and ensures all of your API endpoints are protected as soon as they’re published. Imperva’s API Security enables SecOps to stay ahead of DevOps without interfering in the innovation process. Try it for free today.