Cloud security is a complex issue, particularly when considering APIs that are now the glue connecting mobile and web applications. APIs are highly visible and well-defined doorways into the data and business processes of organisations and are the top attack surface exploited by cyber criminals. Even the most compliant and secure APIs can be exploited by attackers in the form of business logic abuse and automated threats resulting in data loss, fraud, and business disruption.
CNAPP (Cloud-native Application Protection Platform), a new category of cloud security by Gartner, will provide some coverage for application security such as scanning application code for OWASP vulnerabilities and enabling DevOps teams to remediate security issues. However, API security can deliver a different set of capabilities, providing a complementary approach.
Blindspots
When looking at cloud application security, it’s important to consider that an application will require different components such as virtual workload, data-store, network, and identity services to support it. These components and the effort to secure applications deployed in the cloud have created a patchwork of security solutions resulting in a disjointed and complex deployment that lacks a centralised view. Consequently, customers are presented with isolated silos of information leading to blind spots between different security products that could potentially enable attackers to exploit applications or infrastructure.
The goal of CNAPP is to combine the functionality of existing products such as Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), Cloud Infrastructure Entitlement Management (CIEM), and Cloud Service Network Security (CSNS) into one solution. CNAPP not only simplifies the management of disparate security products and minimises security blind spots for security and DevOps teams but it also helps with cloud misconfiguration. Constant changes often lead to human error that can result in misconfigurations of security groups, ACLs, network and security policies, and these mistakes that can lead to exploitation. As CNAP identifies deviations from the desired security posture and vulnerable components, unused workloads, and areas of application misuse and attack, it can help prevent misconfig and can increase developer and DevOps team productivity. Potential threats in the CI/CD pipeline phases can also be detected, reducing the number of bug fixes and merge/pull requests. Plus it can be used to conduct vulnerability testing, performing periodic security scans across cloud components such as containers, serverless environments, and VMs to pre-empt any security issues.
Yet, while CNAPP can provide a unified view between different security products that could potentially prevent attackers from exploiting applications or infrastructure, protecting APIs requires a different approach. APIs can be exploited in numerous ways, making attacks difficult prevent or detect, so applying API protection that complements CNAPP can help to better secure API-based and cloud-native applications.
CNAPP shortcomings
A common problem is that business critical applications can become blocked due to inaccurate threat detection, for example. Using real-time threat detection and mitigation can prevent this and ensure those applications that might be accessible to malicious entities are protected. API-dedicated security can also be used to discover those that have been deployed by internal groups without notifying the security team of their existence. These ‘Shadow APIs’ may have vulnerabilities that have not been corrected and can become an easy target for cybercriminals. This discovery capability complements CNAPP, helping protect unknown APIs and cloud components while CNAPP focuses on known applications and cloud infrastructure.
API applications deployed in the cloud often adhere to agile development methodologies and these see changes constantly introduced to API specifications that if not monitored can lead to compliance or data exposure issues. This requires constant inventory and compliance checks to identify and mitigate vulnerabilities, such as those covered in the OWASP API Security Top 10, before they can lead to exploitation. However, CNAPP solutions are not designed to capture deviations from the API specification.
Finally, API endpoints tend to have direct access to sensitive data stored in the backend of applications. Detecting any data leakage can be difficult, particularly if the request is made legitimately, but API security can surface sensitive data access, helping to prevent data loss.
Complementary technologies
CNAPP solutions serve a critical purpose in simplifying and managing critical cloud native security and cloud security posture issues. They help security and DevOps teams continuously monitor their cloud infrastructure ensuring that critical security issues are remedied before attackers exploit them. But cloud native API security solutions can provide a valuable contribution that should not be overlooked as CNAPPs do not fully extend up the stack to securing mission-critical API applications.
For API application protection, organisations need to focus on implementing security solutions that understand how APIs are built, deployed, and exploited and how this can unnecessarily expose applications. This often requires a focused approach that understands the end-to-end API lifecycle and how to properly secure each stage, from discovery to detection and defence, helping to ensure continuous API protection for the organisation’s mission-critical applications.
Andy Mills is VP of EMEA for Cequence Security and assists organisations with their API protection strategies, from discovery to detection and mitigation. He’s a passionate advocate of the need to secure the entire API lifecycle using a unified approach. Prior to joining Cequence, he held roles as CRO for a major tax technology provider and was part of the original worldwide team of pioneers that brought Palo Alto Networks, the industry’s leading Next-Generation Firewall, to market. Andy holds a Bachelor of Science Degree in Electrical and Electronic Engineering from Leeds Beckett University.