15 Questions to Ask About Your API Posture

Chuck Herrin
Published November 01, 2024

I have a secret I’m going to share with you today. In the half dozen chief information security officer (CISO) roles I’ve held over the last 20 years, only one recruited me due to a breach. One. 

In the other five, the opening was due either to attrition or to the incumbent being replaced after a loss of confidence by key stakeholders. Fully half were replaced because of a loss of confidence, not a breach.

Why CISOs need to understand their API environment

In the realm of API security, the reasons CISOs need to understand their API exposures can be boiled down into a few declarative statements.

First, you need to know four things to create a threat model for a given environment: your assets, actors, interfaces, and actions. In other words, “Who’s doing what, to what, via what?”

Second, the “I” in API is “interface.” Application programming interfaces are widely used across multiple platforms, languages, and frameworks, and nearly all modern software development is API-first. You have APIs in your environment, guaranteed. 

Third, if you as a CISO do not have an inventory of the interfaces that expose and serve your sensitive data, whether internally or to your web and mobile apps, you have an incomplete threat model and corresponding blind spots where services and data are exposed. 

Finally, an incomplete threat model means incomplete security oversight and no demonstrable due care, two critical areas that auditors and regulators are responsible for verifying. It is their job to make sure the assets, actors, interfaces, and actions in a given environment are understood and managed.

Evaluating your API security exposure

Here at F5, we always want our customers to be the smartest people in the room, so we’ve created a quick list of questions you can use to assess the current state of your API ecosystem. By answering these questions now, you’ll be prepared should you be asked them later during a field exam or external audit.

I have personally shared these questions with regulators and examiners from multiple agencies. Now that the U.S. Federal Communications Commission has started issuing fines and consent decrees specifically for API issues and the current version of the Payment Card Industry Data Security Standard (PCI DSS) 4.0+ requires API compliance specifically in development, the time has never been better for defenders to have these answers ready at hand. 

Even if you can’t answer them all, knowing where you stand and demonstrating a proactive posture is critically important for CISOs. By demonstrating that you’re on top of understanding and evolving your API security posture, you’ll retain the confidence you’ve worked so hard to earn. 

Here is the list, from easiest to hardest. If you have a hard time getting as far down the list as you would like, give your F5 account team a call. We’re here to help.

  1. Who owns API security for our company?
  2. Do our APIs have owners assigned?
  3. How much of our revenue comes through APIs?
  4. How many APIs do we have?
  5. How many of these are actively used, and how many are dormant?
  6. How many are vulnerable to the Top 10 most common API issues?
  7. Do our penetration tests adequately cover API vulnerabilities and attacks on business logic in production?
  8. Which of our APIs transmit or receive data subject to legal or regulatory compliance?
  9. Are we seeing malicious traffic? On which API endpoints?
  10. What is our overall API security risk? Has it improved or worsened from this time last year?
  11. Are there some development teams that produce more API issues than others? How are they trained and given feedback on API security issues?
  12. Is there a vetting process for code and API changes before they go into production?
  13. Who gets alerts on security events detected against our APIs?
  14. What is the average response time in minutes when a broken object level authorization (BOLA) attack is detected against one of our production APIs?
  15. And finally, back to the basics at the top of the list—do the people whom we think own API security know and agree that they own it?

Tightening your security posture

Assessing your API environment and the potential threat APIs pose is the first step toward exposing blind spots and tightening your security posture.   

Please join F5 this week at API World in Santa Clara, Calif. to learn everything about APIs. I’ll be speaking Thursday at 1 pm PST along with two of my colleagues at an open session, “A World of AI is a World of APIs: Securing the Most Modern of Modern Apps,” and this same session will be held virtually on Thursday, Nov. 14 at 1 pm. 

F5 will also be hosting the virtual session, “API CTF: Learn the FUNdamentals of API Security,” on Tuesday, Nov. 12 at 9 am. 

Not going to API World? Check out our API security demo