Top 5 tips to improve API security
First, collaborate during the ideation and design stage
“Often, software is difficult to secure because it wasn’t originally designed with security or ‘defensive thinking’ in mind. It’s almost impossible to secure a system properly after the design as you are, at best, limited to a moat-and-castle type of model – which is extremely limited and barely adaptable. During the ideation and design stage of development, inject your design team with a few security experts and you will see a huge difference,” said Sam Rehman, SVP, Chief Information Security Officer, EPAM Systems, Inc.
Second, focus on identity
“Having a clean identity model with consumers, employees, services and partners will allow you to simplify and strengthen your controls and be more adaptive. Once you have a clean model, adding behavior and advanced techniques will be more pervasive and transparent,” said Rehman. “This will in turn be less disruptive to the user experience.”
Third, be transparent with your users and align your claims with your actions
Rehman advises, “Building trust with your customers is key. In my opinion, the only way to do that is to ‘do what you say and say what you do.’ Then, empower your users once they are on your side. Weeding out malicious acts will be far more effective.”
Fourth, layer and segment
“There is no ‘one-size-fits-all’ in security. In fact, that’s a good thing – having all your controls in one aspect only makes it easier for attackers to circumvent and makes it harder for users,” said Rehman. “I recommend layering your controls and segmenting the workload, data or network to reduce the yield for the attackers. This allows you to reduce the blast radius when, not if, something bad happens. It will reduce the effort needed to contain and recover. Zero-trust architecture will help you access and apply this in a systemic way.”
Fifth, monitor and watch your data motion
“Monitoring and tracking your data motion will tell you a lot without adding burden to the users. You must think like the attacker and watch your data as they would. This will help you understand your attack surfaces and risks with more agility and productivity,” said Rehman.
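Tips two, four and five describe an identity model with a few principal kinds, layered and segmented controls, and monitoring of data motion. The following is an added example, not code from the article, from EPAM or from Sam Rehman: a small API request pipeline in Python in which each tip becomes one control layer, with a monitor that counts rows leaving the API per caller. The token table, scope names, segment names, row budget and data rows are all constructed placeholders standing in for a real identity provider and data store.

```python
from collections import defaultdict
from dataclasses import dataclass

# Identity model (tip 2): every caller is exactly one of these principal kinds.
PRINCIPAL_KINDS = {"consumer", "employee", "service", "partner"}


@dataclass(frozen=True)
class Principal:
    id: str
    kind: str
    scopes: frozenset


@dataclass(frozen=True)
class Request:
    token: str
    segment: str   # data segment the call targets
    resource: str  # e.g. "orders"
    action: str    # "read" or "write"


# Constructed token table standing in for an identity provider (hypothetical values).
TOKENS = {
    "tok-alice": Principal("alice", "consumer", frozenset({"orders:read"})),
    "tok-billing": Principal("billing-svc", "service", frozenset({"orders:read", "orders:write"})),
    "tok-acme": Principal("acme", "partner", frozenset({"orders:read"})),
}

# Segmentation (tip 4): which principal kinds may reach which segment at all.
SEGMENT_ACCESS = {
    "eu-customers": {"consumer", "employee", "service"},
    "partner-export": {"partner", "service"},
}

# Constructed data store: segment -> resource -> rows.
DATA = {
    "eu-customers": {"orders": [{"id": 1, "owner": "alice"}, {"id": 2, "owner": "bob"}]},
    "partner-export": {"orders": [{"id": 3, "owner": "acme"}]},
}


class Denied(Exception):
    """Raised by any control layer that rejects the request."""


class DataMotionMonitor:
    """Tip 5: count rows leaving the API per principal and flag a caller whose
    cumulative egress exceeds a budget (the budget is a constructed threshold)."""

    def __init__(self, row_budget):
        self.row_budget = row_budget
        self.rows_out = defaultdict(int)
        self.alerts = []

    def record(self, principal, resource, n_rows):
        self.rows_out[principal.id] += n_rows
        if self.rows_out[principal.id] > self.row_budget:
            self.alerts.append(f"{principal.kind}/{principal.id} pulled "
                               f"{self.rows_out[principal.id]} rows of {resource}, "
                               f"over budget {self.row_budget}")


def authenticate(req):
    """Layer 1: map the bearer token to a principal in the identity model."""
    principal = TOKENS.get(req.token)
    if principal is None or principal.kind not in PRINCIPAL_KINDS:
        raise Denied("unauthenticated")
    return principal


def authorize(principal, req):
    """Layer 2: the principal must hold an explicit scope for resource:action."""
    if f"{req.resource}:{req.action}" not in principal.scopes:
        raise Denied(f"missing scope {req.resource}:{req.action}")


def check_segment(principal, req):
    """Layer 3: segmentation limits which identity kinds can reach a segment,
    so a leaked partner token never reaches customer data (smaller blast radius)."""
    if principal.kind not in SEGMENT_ACCESS.get(req.segment, set()):
        raise Denied(f"{principal.kind} may not reach segment {req.segment}")


def handle(req, monitor):
    """Run every layer in order; a failure in any one of them stops the request."""
    principal = authenticate(req)
    authorize(principal, req)
    check_segment(principal, req)
    rows = DATA[req.segment].get(req.resource, [])
    # Within a segment, consumers see only rows they own (least privilege).
    if principal.kind == "consumer":
        rows = [r for r in rows if r["owner"] == principal.id]
    monitor.record(principal, req.resource, len(rows))
    return rows


def outcome(req, monitor):
    """Wrapper returning ("ok", rows) or ("denied", reason) for callers and tests."""
    try:
        return ("ok", handle(req, monitor))
    except Denied as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    mon = DataMotionMonitor(row_budget=3)
    print(outcome(Request("tok-alice", "eu-customers", "orders", "read"), mon))
    print(outcome(Request("tok-acme", "eu-customers", "orders", "read"), mon))
    for _ in range(2):
        outcome(Request("tok-billing", "eu-customers", "orders", "read"), mon)
    print(mon.alerts)
```

Each layer is independent of the others, so circumventing one (a stolen token, an over-broad scope) still leaves the segment check and the egress monitor in place; the monitor adds nothing to the user's flow, which is the point of watching data motion rather than adding friction.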