How to Build an Application Security Program

In the past two years, 60% of enterprises have experienced a data breach caused by weak API security. Gartner survey data shows that 41% of organizations deprioritize security tasks for delivery speed, which is not uncommon when teams try to satisfy only business requirements without considering security [1]. One recent survey found that 61% of respondents anticipate that API-related threats will increase in the next two years, with over 50% agreeing that APIs substantially expand their attack surface.

The fact is that most organizations do not know the extent of the risk they face from their APIs. And as organizations rely increasingly on third-party APIs to extend their software applications and services, that risk compounds: every integration adds endpoints, data flows and trust relationships that the organization does not directly control. APIs provide essential functionality and access to services, with businesses integrating payment gateways, customer relationship management tools, business intelligence, data enrichment, analytics, and more. On average, organizations have 127 third-party API connections.

API Security Challenges

The widespread adoption of APIs introduces significant challenges related to security, efficacy, and risk management. These challenges may include:

API Sprawl and Inventory Management

Organizations often find themselves grappling with “API sprawl”, where the number of APIs grows rapidly to meet business requirements while security is forgone. This proliferation leads to a lack of visibility and control over these integrations, and therefore to increased exposure to potential threats.

Inventory Management

Unfortunately, nearly 40% of organizations struggle to maintain an accurate inventory of their APIs. Application security begins with ensuring that the enterprise understands the extent of its application environment. This means cataloging application assets, initially focusing on a select few applications. These assets may include web and application servers, containers, legacy software, and the APIs that provide underlying services, among others. The inventory should also record all data stored and transmitted by each application, along with its metadata. With this inventory in hand, the enterprise can develop a risk profile for each application.

Legacy or Traditional Security Solutions

It is no secret that APIs substantially expand the attack surface, and cybercriminals increasingly target them, exploiting vulnerabilities to gain unauthorized access or manipulate data. Traditional application security controls such as web application firewalls (WAFs) are often inadequate on their own for protecting APIs: they inspect individual requests for known attack patterns and cannot reliably distinguish genuine from fraudulent API activity, particularly abuse of business logic and authorization flaws carried out with well-formed requests.

Urgency and Prioritization

Despite the rising number of API-related breaches, organizations do not always take the threat seriously enough; most lack the urgency to identify their most vulnerable APIs based on security risk profiles. This is why an application inventory is so important to application security: it lets teams prioritize the assets at highest risk and identify sensitive data within API endpoints.

Automated Continuous Testing

Continual testing for API vulnerabilities is essential. However, on average only 40% of APIs undergo regular vulnerability assessments. As a result, organizations are not confident that they can prevent attacks, nor do they have the tools to identify and contain an attack effectively. The most commonly reported attack vector is distributed denial of service (DDoS), which can disrupt services and overload APIs.

Emergence of API Security as a Separate Discipline

APIs are increasingly developed by dedicated teams, separate from the application development team. This division has prompted the recognition of API security as a distinct discipline. Organizations need tools that can detect rogue and unauthorized APIs (endpoints exposed outside the documented inventory) and recognize unusual behavior and activity, to deter cybercriminals from extracting data through manipulated business logic.
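The following is an added example, not BreachLock's or Gartner's code, that ties together the inventory, prioritization and rogue-API detection points made in the sections above. It walks a constructed, minimal OpenAPI 3 document, classifies the data each operation handles, scores each operation for prioritization, and then diffs constructed access-log lines against that inventory to surface undocumented (shadow) endpoints. The service paths, the sensitivity patterns and the scoring weights are assumptions; a real program would take the spec and logs from its own gateway.

```python
"""API inventory, risk scoring and shadow-endpoint detection (added example).

Not BreachLock's or Gartner's code. The OpenAPI document and the access-log
lines are constructed for a hypothetical service; the sensitivity patterns and
scoring weights are assumptions to be tuned to the local classification policy.
"""
import re

METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
SENSITIVE_PATTERNS = {  # assumed field-name patterns for data classification
    "pii": re.compile(r"email|phone|ssn|dob|address", re.I),
    "payment": re.compile(r"card|cvv|iban", re.I),
    "credential": re.compile(r"password|secret|token|api_key", re.I),
}


def _body(*names):
    """JSON content object with one string property per name (spec helper)."""
    props = {n: {"type": "string"} for n in names}
    return {"content": {"application/json": {"schema": {"type": "object", "properties": props}}}}


# Constructed, minimal OpenAPI 3 document for a hypothetical service.
OPENAPI_SPEC = {"openapi": "3.0.3", "paths": {
    "/v1/users/{id}": {"get": {"security": [{"bearerAuth": []}],
                               "responses": {"200": _body("id", "email", "ssn")}}},
    "/v1/orders": {"post": {"security": [{"bearerAuth": []}],
                            "requestBody": _body("card_number", "amount"),
                            "responses": {"201": _body("order_id")}}},
    "/v1/health": {"get": {"responses": {"200": _body("status")}}},
    "/v1/export": {"get": {"security": [],  # explicitly unauthenticated
                           "responses": {"200": _body("email", "phone")}}},
}}


def collect_field_names(node, out=None):
    """Recursively gather every schema property name declared under node."""
    out = set() if out is None else out
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "properties" and isinstance(value, dict):
                out.update(value.keys())
            collect_field_names(value, out)
    elif isinstance(node, list):
        for item in node:
            collect_field_names(item, out)
    return out


def build_inventory(spec):
    """List every operation with its data classification and a priority score.

    Assumed weights: 3 points per sensitive category, doubled when the
    operation is reachable without authentication, plus 1 for write methods.
    """
    default_security = spec.get("security", [])
    inventory = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue  # skip "parameters", "summary" and similar keys
            fields = collect_field_names(op)
            categories = sorted(name for name, pat in SENSITIVE_PATTERNS.items()
                                if any(pat.search(f) for f in fields))
            # A missing "security" key inherits the document default; [] means none.
            authenticated = bool(op.get("security", default_security))
            score = 3 * len(categories) * (1 if authenticated else 2)
            score += 1 if method.upper() in WRITE_METHODS else 0
            inventory.append({"method": method.upper(), "path": path, "score": score,
                              "authenticated": authenticated, "sensitive": categories})
    return sorted(inventory, key=lambda e: (-e["score"], e["path"], e["method"]))


# Constructed access-log lines (common log format) from the same service.
ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /v1/users/42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "POST /v1/orders HTTP/1.1" 201 88',
    '10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /v1/admin/debug?verbose=1 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Mar/2024:10:00:04 +0000] "DELETE /v1/users/42 HTTP/1.1" 204 0',
    '10.0.0.7 - - [12/Mar/2024:10:00:05 +0000] "GET /v1/health HTTP/1.1" 200 15',
]
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^ "]* HTTP/')


def _template_to_regex(template):
    """Turn an OpenAPI path template such as /v1/users/{id} into a matcher."""
    return re.compile("^" + re.sub(r"\{[^}]+\}", "[^/]+", template) + "$")


def find_shadow_endpoints(inventory, log_lines):
    """Return {(method, path): hits} for observed requests the inventory lacks."""
    documented = [(e["method"], _template_to_regex(e["path"])) for e in inventory]
    shadow = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        method, path = m.group("method"), m.group("path")
        if not any(method == dm and rx.match(path) for dm, rx in documented):
            shadow[(method, path)] = shadow.get((method, path), 0) + 1
    return shadow
```

Calling build_inventory(OPENAPI_SPEC) ranks the unauthenticated /v1/export endpoint first because it returns PII with no authentication, ahead of the authenticated payment write on /v1/orders; the health check scores zero. find_shadow_endpoints then flags GET /v1/admin/debug and DELETE /v1/users/42: the first is a path the spec never mentions, the second an undocumented method on a documented path, which a review of the spec alone would never surface. The same diff run continuously against gateway logs is the simplest form of rogue-API detection the section above describes.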

Driving Support for Application Security Programs

To help security and risk management (SRM) leaders drive support for an application security program, analysts such as Gartner recommend giving stakeholders key data and examples of API-related breaches, coupled with internal risk assessments such as [2]:

  • Data and application classification based on criticality
  • Results from application security testing (AST), including SAST, DAST, and software composition analysis (SCA) scans
  • Data intelligence and output from threat models
  • Application complexity, measured through code and test coverage, since complex code is less predictable and more likely to harbor vulnerabilities

Currently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlights a “secure by design” approach as the most effective way to secure applications and reduce the number of vulnerabilities that reach production. This holistic methodology integrates application security measures throughout the SDLC.

Most enterprises have adopted software development life cycle (SDLC) processes, but most lack automation and standardization. This is often the result of a mix of challenges such as a complex supply chain, a recent merger or acquisition, or increased compliance and regulatory scrutiny. Organizations often ask how much of their application security testing should be automated. The answer differs and depends on multiple factors, including security and business requirements, SLAs, the applications and APIs themselves, and the security stack. Is the technology mostly legacy systems, or is it mixed with a more modern software development environment?

According to Gartner, application security testing is the most commonly automated security activity: 45% of organizations report having automation fully or mostly in place for application security [1].

At BreachLock, we find that automated security solutions not only establish a baseline, but their built-in standardization also offers consistent metrics that can be analyzed and used to help stakeholders understand how application security affects business outcomes and overall cyber resiliency.

Recommendations

The widespread use of application delivery platforms (cloud, mobile and IoT devices, and APIs) and the fast pace of development are exacerbating the many security issues that organizations and their DevSecOps teams face daily. However, web applications, mobile apps, and APIs are all critical components of the digital enterprise. Here are some recommendations for DevSecOps teams that focus on application security:

Comprehensive Application Security Practices
Develop a robust application security program that spans the entire software development lifecycle, from design to deployment. Engage stakeholders in governance to ensure alignment with security goals.

Automate Security Testing & Validation
Implement automated application security testing and validation. Tools such as automated penetration testing help assess the overall effectiveness of the API program by identifying not only vulnerabilities but also the application security requirements and controls needed to safeguard the attack surface and meet compliance obligations.

API Security Principles
Apply security principles to API development to support secure deployment, and consider posture management and workload protection solutions for these deployments. Gartner’s guidance framework for building an application security program breaks the program down into four areas of practice [2]:

  • Governance: the oversight needed to ensure the program delivers the right controls at an acceptable level.
  • Architecture and Design: the discipline of identifying security requirements and applying a secure-by-design approach to achieve and maintain a state of managed security-related risk.
  • Implementation and Verification: the process of focusing security efforts on the building, testing, and deploying of applications.
  • Operations: the controls necessary for the security of the runtime environment.

Security Initiatives and Culture
Create security initiatives that reinforce best practices. These efforts not only enhance security but also contribute to a stronger security culture, mitigating risks associated with the shortage of security professionals.

In Conclusion

In the end, application and API security automation must start with an inventory of assets and the prioritization of all critical and high vulnerabilities, together with evidence of remediation integrated into a security dashboard. The BreachLock AI-driven platform provides user-friendly dashboards with evidence in the form of proofs of concept (POCs) available directly within the platform. A POC accompanies every vulnerability to give context around the potential threat: the severity and the exposure of the affected asset and of related assets, the ease of exploitation of that application or API, and its likely attractiveness to an attacker.

Following a secure-by-design approach to application security is a process that should be maintained long-term across the SDLC, starting with ideation and design and continuing through development, deployment, and maintenance. This upfront investment not only yields cost savings and efficiencies by fixing vulnerabilities early in the development lifecycle but can also put enterprises on the road to long-term resilience against emerging threats.

References:

[1] 2023 Gartner Security in Software Engineering Survey, conducted online from 7 June through 14 July 2023.

[2] William Dupre (2024). A Guidance Framework for Building an Application Security Program, p. 3, Figure 1.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing and Red Teaming.
Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.
