By Mo Amao
Application Programming Interfaces (APIs) have become the foundation for transmitting data, logs, traces, and metrics within and around an organization. Prioritizing API security from development to production should be paramount for organizations, not an afterthought.
Reports have shown an increase in API security incidents in the last 12 months, with around 95% of organizations experiencing API attacks. Additionally, in recent months, personally identifiable information (PII) of organizations and clients has been exposed through malicious API calls. Some of these attacks can be prevented by effective API inventory management, in which security works with the organization’s DevOps team to regularly conduct perimeter scans and detect available APIs. However, the ownership of APIs spans various roles in an organization.
Choosing which APIs to deploy, deciding how they operate, and implementing access control are all necessary parts of API ownership. API ownership therefore runs from the design stage through to the deployment and accessibility stages of an API.
What Is API Ownership?
APIs are rapidly becoming more than just a technological infrastructure, evolving into the “new application layer.” On the face of it, an organization owns the API; however, the team developing APIs plays different roles and is responsible for various aspects of an API.
From ideation to coding and maintenance, API ownership refers to the people and activities involved in ensuring APIs’ safe and effective operation in an organization. API ownership is one of the best approaches to a secure and structured API strategy. Organizational API ownership models can be developed by understanding the application of an API in the business context.
API Ownership Models
Organizations can adopt an IT-owned API model, a business-owned API model, or a Shared Ownership model in which the business shares ownership with the IT team. Here’s how it works:
IT API Owner: A technical or IT API owner develops the API and ensures it meets set objectives in line with the Operational Level Agreements (OLA). The OLA is well-defined in terms of availability, security, performance, and more. The IT API owner also defines and monitors the APIs to ensure they meet the organization’s Key Performance Indicators (KPIs). This ownership model also enhances API requests and integrates technical issues with the API strategy.
Business API Owner: This ownership model seeks to understand the needs of potential API consumers. Its responsibility is to justify APIs’ continuous operation and existence, implementation, and evolution. The business API owner communicates business-related issues and enhancement requests to the IT API owner to ensure compliance with the API-consumer-facing standards.
Shared Ownership: In practice, API ownership is shared between the technical and business owners. Both ensure systems integration and maintenance of business infrastructure in the management of APIs. Business owners and IT leaders often partner on API ownership. The business owner drives the API strategy from a consumer and business point of view, while the IT leaders concern themselves with the technical aspects of deploying and maintaining APIs.
API Ownership Best Practices
While API ownership can be shared, certain best practices should be followed to maintain a reliable API strategy that prevents the exploitation of API vulnerabilities and promotes API security. The following best practices can guide an organization in creating teams to ensure safe API usage:
- Follow an API Security Checklist: An API Security Checklist helps close the gaps in an organization’s API strategy. It is an excellent place to start when working through the top best-practice items. The checklist covers everything from API design to development and integration and follows the Open Web Application Security Project (OWASP) Verification Standard. The standard provides a list of secure development requirements for API developers to follow.
- Assign Ownership Based On Purpose: API ownership roles should be assigned based on the function of each API. This ensures that the owner assumes responsibility for an API if an incident occurs and that the reaction time to such an incident is quick.
- Prioritize Security: API security should be considered from the development stage of the API lifecycle. A security-first approach should be encouraged from the development of APIs through to the ownership and deployment stages. Outline security requirements when building and integrating APIs, and use a purpose-built API security tool to enhance API security.
- Use External API Visibility Tools: In-house security monitoring tools may easily overlook vulnerabilities an organization’s team misses within an API system. Therefore, external API visibility tools should be employed to stay aware of changes and risks within an API system. A dynamic runtime protection tool helps track changes that are difficult to detect with standard build and abuse testing tools, and it can be enhanced by enabling threat protection features in an organization’s gateway.
- Implement a Layered Security Approach: A layered API security approach is required for optimum security at minimum cost. This approach covers critical vulnerabilities highlighted in the OWASP Top 10 for 2021. Covering the ground on these vulnerabilities gives API owners peace of mind and attackers a hard time.
Although the above best practices focus on the security of APIs and API teams, owners must still be careful and take a security-based approach to developing and integrating APIs within an organization, so that security threats against APIs are adequately mitigated.
Conclusion
Ownership of an API is dynamic and is bound to change over time based on the changing needs of the organization and the API consumer, career growth, and changes of the assigned owner. However, both the business and IT API owners are responsible for keeping the API flexible, operable, and secure.
About the Author:
Her other interests are law, volunteering and women’s rights. In her free time, she enjoys spending time at the beach, watching movies or burying herself in a book.