
Helping You Address The Security Gap In Your API Infrastructure With Sapience

Welcome to our latest APIWare project--Sapience! It is our team's response to the need for a more API-focused security scanning solution. At the end of 2015, the team was looking for our next project, and they asked me for my thoughts on what the biggest need was in the API sector, based upon my monitoring as the API Evangelist. I quickly responded with security.

Sapience is currently in beta, but I wanted to take a moment to share some of the thinking that has gone into Sapience, and the current state of security when it comes to APIs. We feel pretty strongly that, like security in general, API security is a very large and daunting challenge, and we need to work hard to peel back the layers a bit and get to work on better securing digital infrastructure that is increasingly being made available via web APIs.

Being API-First Helps With Security
The first stop when it comes to API security is just doing APIs, and making them a priority across all website, mobile, and device-based development, as well as system-to-system integration. Using a consistent interface to access all of your digital assets helps ensure consistency, allowing for potentially more accountability as part of overall security efforts. API-first is the first step of any successful API security strategy.

SSL All The APIs By Default 
Encryption is one of the most important tools in our security toolboxes, but unfortunately it is still not the default mode for API providers. Whether it's the costs associated with certificates and implementation, or legacy beliefs around the performance tax encryption can bring, APIs are not always SSL by default. SSL by default is the second step of any successful API security strategy.

API Management Provides Authentication
As I studied the API security landscape, the leading API management providers often dominated the conversation, with their ability to secure APIs using keys, OAuth, and other increasingly common solutions. API management is definitely a significant portion of the front line when it comes to API security. The problem is when the conversation stops here, and API providers are not actively testing and pushing on their infrastructure at this front line.

Securing The Known Universe With API Definitions And Discovery
Another layer of API security discussions that emerged as I studied the landscape was the important role API definitions are playing when it comes to securing API infrastructure. In short, you can't secure what you don't know about, and having your API-first infrastructure well defined using common API definition formats is significantly helping API providers get their security house in order.

Automated Scanning For Most Common API Vulnerabilities
After API-first practices, SSL by default, modern API management solutions, and robust API definition and discovery work, we get to where Sapience excels--scanning this API infrastructure for common vulnerabilities. I know, many of you will want a magic pill that will address all of our security needs, but in our rush to deploy APIs for the rapidly expanding mobile landscape, many companies are not actively securing existing infrastructure for the most common threats.

In my monitoring of the space I regularly come across technology solutions that will provide comprehensive online security solutions, and even more agencies who will help you secure your company's online presence, but as of January 2016 there were no API-specific SaaS solutions that help address even the most simple vulnerabilities when it came to security. This is why I identified security as the number one problem out there, and why the APIWare team jumped at the opportunity to develop an API-specific solution.

APIs have provided a much healthier approach to defining the digital infrastructure of companies, organizations, institutions, and government agencies for the last 10 years. The next stage of this evolution is continuing to bring security out of the IT shadows, and acknowledging that much of this infrastructure is running on the open Internet, even if it is hidden behind web, mobile, or Internet of Things applications. At APIWare, we want to help lead this conversation, and this is why we started Sapience.

Contact us to get started scanning your critical API infrastructure today.