Cue the creepy music and remember one of your favorite horror movies. Your software application in production, hosted by your incredibly expensive cloud partner for the entire world to see, is playing out your nightmare from that movie. You wake up and realize that it is not a dream. Someone, or more likely some autonomous software trying to get more “likes” and more “subscribes,” has leveraged an API that you thought was secure. You thought it was secure because you sourced it from one of the best-branded companies in the world. The software, doing its job of promoting content that nobody should see in the first place, in pursuit of the next dollar, took over your application and is proudly displaying content that you are now paying for through variable compute cost models. Your nightmare is alive and telling the world that you need a new and vastly different career from the one you had when you went to sleep. In desperation, you shut down your cloud instance and update your social media status to “Open to Work” while heading to the freezer for sweet, frozen, emotional support.
Feel free to dismiss the previous story and start your day by focusing on API security to integrate with the application security that I know you used when you followed your DevSecOps best practice guide like a responsible professional.
Much of our thinking about technological security comes from analogy with physical security, such as in times of war. For instance, the castle-and-moat analogy comes from building a castle, then a wall around it for protection, and then a moat beyond the wall. Today’s idea of “Defense in Depth” originates from castle-and-moat security. Unfortunately, the trouble with these ideas is that they only last until we see a dragon fly over the wall. Companies with unlimited security budgets have not been effective at blocking security threats through spending alone. The first step is understanding that a two-dimensional approach does not solve a problem with three or more dimensions.
The other unfortunate truth is that the 80/20 rule applies to security: close to 80% of security issues are caused by internal resources, whereas approximately 20% have external causes. One cause of internal breaches is poor discipline in the execution of DevSecOps.
Effective security can be a nightmare to comprehend, learn, implement, and maintain but serves as its own reward. There are no “participation trophies” for preventing security incidents but there are severe consequences for not implementing effective security measures.
One category of application security, overlooked on a massive scale, is securing the API integrations of your application. In the industry we commonly integrate solutions for cross-functionality, since integrating effective solutions is faster than re-inventing the wheel or re-writing boring code that already works.
Major firewall manufacturers have introduced API security solutions that will not save you if they are not fully deployed. API security is initially three-dimensional and then takes a multiverse approach. One of the benefits of most API security products is the discovery tool, which serves as a checklist to inventory and evaluate all API instances in use. Assuming all instances are found and secured, it is important to understand what is flowing through each API and ensure that it does not provide a fully encrypted conduit for malicious activity. The next step is to validate that no function exposed through an API may conduct an action without identification and authentication, in very much the same way we would verify an end user. Beyond these functions, security must still be built into each component of the application. At this point, this may feel overwhelming and hard to quantify, but effective security is its own reward.
Take time to study Zero Trust, and no, it is not a branded product you can buy. Zero Trust is an approach in which nothing we build is inherently accessible by any human, system, or process until it has passed as many security mechanisms as are necessary to ensure we know who, what, where, why, and how much is accessing or being accessed. Initially this model is a heavy lift and a major departure from our professional understanding of how to get the job done. With education, Zero Trust ideas allow us to develop solutions faster and with less consternation.
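The two steps above, inventorying every API entry point and refusing any action that arrives without identification and authentication, reduce to a deny-by-default gate that is the Zero Trust idea in miniature. The following is an added illustration, not code from the original post or from any API security product: the gateway, route table, HMAC-signed demo tokens and signing key are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed demo secret; a real deployment loads this from a secret store.
SIGNING_KEY = b"demo-key-not-for-production"

@dataclass
class Route:
    handler: Callable[[str], str]
    requires_auth: bool = True  # deny by default: anonymous access is an explicit opt-out

def issue_token(subject: str) -> str:
    """Mint a demo bearer token of the form <subject>.<HMAC-SHA256(subject)>."""
    mac = hmac.new(SIGNING_KEY, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{mac}"

def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the authenticated subject, or None for a missing or forged token."""
    if not token or "." not in token:
        return None
    subject, mac = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, subject.encode(), hashlib.sha256).hexdigest()
    return subject if hmac.compare_digest(mac, expected) else None

class ApiGateway:
    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def register(self, path, handler, requires_auth=True) -> None:
        self.routes[path] = Route(handler, requires_auth)

    def inventory(self) -> List[str]:
        """Discovery step: list every route reachable without identification."""
        return sorted(p for p, r in self.routes.items() if not r.requires_auth)

    def dispatch(self, path: str, token: Optional[str]) -> Tuple[int, str]:
        """Authentication gate in front of every handler; only opted-out routes skip it."""
        route = self.routes.get(path)
        if route is None:
            return 404, "unknown route"
        caller = verify_token(token) if route.requires_auth else "anonymous"
        if caller is None:
            return 401, "authentication required"
        return 200, route.handler(caller)

def build_demo_gateway() -> ApiGateway:
    # Constructed route table: one business endpoint and one unauthenticated health probe.
    gw = ApiGateway()
    gw.register("/orders", lambda who: f"orders for {who}")
    gw.register("/health", lambda _: "ok", requires_auth=False)
    return gw
```

The `inventory()` report is the checklist to review: every path it lists is a deliberate exception to the gate, and anything that appears there unexpectedly is the dragon flying over the wall.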
In addition to being a disciplined professional of the DevSecOps persuasion, you should read the story of a great basketball coach that drives home the value of “The Fundamentals” in any endeavor. Do not make the common mistake of believing that great, current, well-branded, expensive technology reduces the value of going back to the basics. Take the easy approach that your peers recommend, and we will read about your nightmares in the news. Sleep well!