The base of enterprise computing is shifting dramatically, driven by soaring cloud adoption and demand for distributed systems. In addition, developers and the application programming interface economy now dictate the pace of digital transformation.
As security teams feel added pressure to deliver in opaque cloud-native environments, security capabilities need to adapt in step, according to Karl Mattson, chief information security officer at Noname Security.
“The story of developers and API is one of becoming the hero — the hero of digital transformation and public cloud adoption,” he said. “And so this is becoming much more of a developer-centric discussion about where we’re moving our applications, where they’re hosted, and how they’re designed. And so there’s a lot of energy around that right now.”
Mattson spoke with theCUBE industry analyst John Furrier at AWS re:Inforce, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how companies are grappling with the new swathe of cybersecurity challenges being posed by today’s cloud-native and open-source demands. (* Disclosure below.)
Securing APIs across their entire life cycle
While APIs have been around for the better part of a decade, there has been a seismic shift in how they are deployed, according to Mattson. Today, enterprises build atop public-facing interfaces, whereas initially APIs were deployed in a more behind-the-scenes fashion.
Noname focuses on API security and, in doing so, sees them basically as software endpoints that must be secured across their entire life cycle, just like any other.
“It needs to be designed well, with secure coding standards for APIs, and tested well,” Mattson explained. “It also has to be deployed into production, configured well and operated well. And when there’s a misuse or an attack in progress, we have to be able to protect and identify the risks to that API in production. So when you add that up, we’re looking at a full life cycle view of it.”
APIs are a major underpinning of the modern cloud itself and a growth driver for cloud benefits like performance and scalability. Thus, it is imperative to employ best practices and to innovate on securing them better, Mattson added.
In evolving the contemporary approaches to executing API security, one of the things teams need to do is look beyond just the source code, according to Mattson.
“Certainly, the quality of the source code of API is step one. But what we see in practice is most of the publicly known API compromises weren’t because of bad source code, but because of network misconfiguration or the misapplication of policy during runtime,” he stated.
Noname’s primary focus is closing gaps of this kind wherever they crop up, starting at the design stage itself.
“What we add to the conversation on API security is helping fill all those little gaps, from design and testing through production, so we can see all of the moving parts in the context of the API to see how it can be exploited,” Mattson said.
Applying machine learning to API security
Noname’s API security platform can be broadly broken down into three functional areas: API code testing, posture management and threat defense.
“[Threat defense] is identifying the inherent risk exposure of an API,” Mattson said. “A great example of that would be an API that is addressable by internal systems and external systems at the same time.”
Rather than completely supplanting them, API management gateways augment existing defenses such as web application firewalls, or WAFs, covering the cases where a WAF is unavailable or incapable of handling certain risk types.
“There are attack types within business logic, in particular, of things like authentication policy that a WAF is not going to be able to see. So the WAF and the API management plan are the key control points, and we can help make those better,” Mattson explained.
No two APIs are exactly the same, and so technologies like machine learning are crucial to understanding how individual APIs behave independently of each other, especially from a request and response standpoint, Mattson pointed out.
“We apply a machine learning model to each and every API independently for itself, because we want to learn how that API is supposed to behave,” he said. “Where is it supposed to be talking? What kind of data is it supposed to be trafficking in all its facets? That way, we can model that activity and then identify the anomaly where there’s a misuse.”
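Mattson's description of learning each API's expected behaviour, together with the earlier point about an API that is reachable by internal and external systems at once, can be illustrated with a small baseline-and-anomaly script run over gateway-style access logs. This is an added example, not Noname's code or a description of its model: the log layout, field names, the /24 grouping of callers, the use of RFC 1918 ranges as the definition of "internal", and the response-size threshold are all assumptions chosen for the illustration, and the log records are constructed.

```python
"""Per-API behavioural baselining over constructed API access logs.

Added illustration, not a vendor implementation. Each API is baselined on
its own: which caller subnets reach it, whether it is reached from inside
(RFC 1918) or outside, which response fields it emits, and how large its
responses are. Records that break the learned profile are tagged.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample records (not real traffic): one request/response pair
# each, in the shape an API gateway might log. Field names are assumptions.
BASELINE_LOGS = [
    # Internal-only reporting API, called from two RFC 1918 subnets.
    {"api": "GET /v1/orders", "src": "10.20.1.5", "resp_bytes": 810, "resp_fields": ["order_id", "total", "status"]},
    {"api": "GET /v1/orders", "src": "10.20.1.9", "resp_bytes": 790, "resp_fields": ["order_id", "total", "status"]},
    {"api": "GET /v1/orders", "src": "10.20.2.14", "resp_bytes": 845, "resp_fields": ["order_id", "total", "status"]},
    {"api": "GET /v1/orders", "src": "10.20.1.5", "resp_bytes": 805, "resp_fields": ["order_id", "total", "status"]},
    # Internet-facing profile API, returning a small public projection.
    {"api": "GET /v1/users/{id}", "src": "203.0.113.10", "resp_bytes": 410, "resp_fields": ["id", "display_name"]},
    {"api": "GET /v1/users/{id}", "src": "198.51.100.7", "resp_bytes": 402, "resp_fields": ["id", "display_name"]},
    {"api": "GET /v1/users/{id}", "src": "203.0.113.44", "resp_bytes": 415, "resp_fields": ["id", "display_name"]},
    {"api": "GET /v1/users/{id}", "src": "198.51.100.9", "resp_bytes": 398, "resp_fields": ["id", "display_name"]},
]

# "Internal" is defined here as RFC 1918 space (an assumption for the example).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in RFC1918)


def subnet_of(src: str) -> str:
    """Collapse a caller to its /24 so a neighbouring host is not 'new'."""
    return ".".join(src.split(".")[:3]) + ".0/24"


@dataclass
class Baseline:
    subnets: set = field(default_factory=set)
    fields: set = field(default_factory=set)
    sizes: list = field(default_factory=list)
    seen_internal: bool = False
    seen_external: bool = False


def learn_baselines(logs):
    """Build one independent profile per API from a clean learning window."""
    baselines = defaultdict(Baseline)
    for rec in logs:
        b = baselines[rec["api"]]
        b.subnets.add(subnet_of(rec["src"]))
        b.fields.update(rec["resp_fields"])
        b.sizes.append(rec["resp_bytes"])
        if is_internal(rec["src"]):
            b.seen_internal = True
        else:
            b.seen_external = True
    return dict(baselines)


def score(rec, baselines, k=3.0):
    """Return the anomaly tags for one record; an empty list means 'as learned'."""
    b = baselines.get(rec["api"])
    if b is None:
        return ["unknown_api"]  # an endpoint never seen in the learning window
    tags = []
    if subnet_of(rec["src"]) not in b.subnets:
        tags.append("new_source_subnet")
    internal = is_internal(rec["src"])
    # The API is now reached from a side (inside/outside) it was never reached from.
    if (internal and not b.seen_internal) or (not internal and not b.seen_external):
        tags.append("exposure_change")
    new_fields = set(rec["resp_fields"]) - b.fields
    if new_fields:
        tags.append("new_response_fields:" + ",".join(sorted(new_fields)))
    mu, sigma = mean(b.sizes), pstdev(b.sizes)
    # Mean + k standard deviations, with a 5% floor so a very steady API
    # does not alert on normal jitter (threshold choice is an assumption).
    if rec["resp_bytes"] > mu + k * max(sigma, 0.05 * mu):
        tags.append("response_size_outlier")
    return tags


def detect(logs, baselines):
    """Return [(index, tags)] for every record that deviates from its API's profile."""
    return [(i, t) for i, rec in enumerate(logs) if (t := score(rec, baselines))]


if __name__ == "__main__":
    base = learn_baselines(BASELINE_LOGS)
    probe = [  # constructed records to score against the learned profiles
        {"api": "GET /v1/orders", "src": "10.20.1.7", "resp_bytes": 820, "resp_fields": ["order_id", "total", "status"]},
        {"api": "GET /v1/orders", "src": "203.0.113.50", "resp_bytes": 830, "resp_fields": ["order_id", "total", "status"]},
        {"api": "GET /v1/users/{id}", "src": "198.51.100.7", "resp_bytes": 9800, "resp_fields": ["id", "display_name", "email", "phone"]},
    ]
    for idx, tags in detect(probe, base):
        print(idx, probe[idx]["api"], tags)
```

The second probe record shows the "addressable internally and externally" case as a runtime change rather than a static finding: the orders API was only ever reached from RFC 1918 space during learning, so a single external caller trips both a new-subnet tag and an exposure-change tag. The third record shows why modelling the response side matters: the caller is a known one, but the API is suddenly returning fields it never emitted and a body an order of magnitude larger than its profile, which is the kind of business-logic misuse a signature-based WAF rule would not describe.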
(* Disclosure: Noname Security sponsored this segment of theCUBE. Neither Noname nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)