ASPM and API Security: Complementarity at its Finest
In this blog
Complementarity is a word not often heard outside quantum physics circles these days, but its more traditional use is more apropos here than the meaning used by Quantum Physics. If you look it up there are a bunch of variations, but the Cambridge Dictionary says it best:
This, I think, is a great definition to use for the relationship between application security posture management (ASPM) and API security. This is especially true between Akamai and Apiiro and the complementarity of their runtime API security offering and ASPM. These two come at API security in different but very complementary ways. Akamai's API security is staunchly on the defense side of security, while Apiiro takes a secure side approach, protecting the software supply chain.
Complete code-to-runtime API discovery
One of the very core tenants of API security is discovery, for you cannot secure that which you don't know about. This has long been an Achilles' heel of API security. There have been multiple differing attempts at discovery, varying from crawlers to forcing traffic to be rerouted through SaaS-only solutions. These work to varying degrees, but all have flaws. Crawlers, to date, miss too much and still have to know where to crawl for your APIs. Forcing traffic through a SaaS solution is a bit better in that all external internet-facing traffic would pass through, which typically makes detection more accurate. But this also has its issues, including high effort and disruption if you aren't using a SaaS CDN. You still will not catch or detect potential B2B APIs that run over private links or APIs placed in the cloud where the SecOps team is unaware of. Adding Apiiro's ASPM solution to the mix closes the loop by connecting to the code repositories themselves.
Using deep code analysis, Apiiro continuously inventories all APIs and data models. It audits all activity in repositories to detect new and significant changes to APIs and identifies vulnerabilities before they are committed or deployed. Apiiro is powered by its Risk Graph, which can also highlight APIs connected to sensitive data (such as PII, PCI, PHI) or other security weaknesses.
This level of visibility into the code allows for the discovery of API components that may be vulnerable to misconfigurations, code logic flaws, design flaws and common coding errors. It is a valuable addition to runtime API security.
Having visibility from code to runtime helps in discovering shadow APIs and enables developers to prevent API weaknesses from being deployed. This saves time that would otherwise be spent on reactive risk mitigation. Apiiro's proactive approach also helps modernize risk assessment processes and triggers security reviews based on risky material API changes in the code.
Prioritization of API risks in code with runtime context from Akamai
The level of risk that weakness in code in an API poses to your organization depends on the likelihood and impact of that risk. For instance, a risk in a publicly exposed API is more likely to become a real risk, and an API that handles sensitive data has a greater potential impact on your business.
By combining Apiiro's deep contextual knowledge of code with Akamai API Security's insight into API behavior and threats at runtime, customers can accurately assess the likelihood and impact of risk and prioritize API risks most critical to the business.
Fusing code and runtime context enables teams to prioritize business-critical API security issues, reduce false positives, and save time triaging backlogs and addressing real business risks, not just vulnerabilities.
Visibility into API security coverage and gaps
It can often be a daunting task for application security (AppSec) teams, particularly those operating within large organizations, to have complete visibility into the extent and effectiveness of security testing efforts. This lack of clarity can hinder their ability to assess the overall security posture of their applications. Apiiro's ASPM solution includes comprehensive deep code analysis and integrates with many of the application security tools on the market today. Making it a compelling solution that helps build relationships between developers, security and risk teams across the organization. ASPM empowers AppSec teams to holistically view security testing coverage, including from external sources such as Akamai API Security and not just from within their code repositories. By consolidating and analyzing security testing data from various sources, ASPM empowers organizations to make informed decisions and effectively address any potential vulnerabilities or weaknesses in their applications.
That coverage mapping, tied to Apiiro's code-based insights (i.e., handling of sensitive data, amount of risky changes), can help dictate where security testing should be done and where gaps exist. For example, you may want to ensure that all high business impact (HBI) applications or repositories containing APIs and sensitive data — which you can surface using Apiiro's Risk Graph Explorer, as seen below — are covered by Akamai.
Ultimately, this insight can minimize API security testing gaps and ensure more complete coverage.
Unifying API risk management from code to runtime
The integration between Akamai API Security and Apiiro ASPM enables teams to finally have comprehensive API discovery, testing, prioritization and remediation with continuous and complete visibility of APIs and API risks from code to runtime. This integration is the first step in providing an integrated view of API risks that unifies code and runtime insights, thus allowing SecOps to proactively secure their APIs and efficiently prioritize and remediate API risks.
In the end, this is exciting news for DevSecOps all around and closes some major loopholes in API Security. Tying ASPM to the Defend side and providing security visibility, from code to runtime.