Advance API Protection with Shift Left Security Strategies

David RemingtonDirector Product Management

Software developers are deploying APIs at soaring volumes in today's cloud-first ecosystem. According to the F5 2024 State of Application Strategy (SOAS) Report, more than a third of organizations now manage as many APIs as they do applications, with some large enterprises overseeing up to 10,000 APIs.¹ As organizations continue to modernize their app portfolios, the number of APIs in use is projected to exceed one billion by 2031.²

Why are APIs proliferating so quickly?

APIs have become indispensable for modern applications because they enhance efficiency and interoperability. APIs also enable different software systems to communicate seamlessly, so they empower teams to integrate diverse services and streamline processes.

The rise of AI amplifies API growth because it relies heavily on them for functionalities such as data processing, machine learning, and automation. As AI adoption continues to climb, so too will the need for APIs.

Yet, with rapid expansion comes significant security obstacles. The F5 SOAS report reveals that 95% of organizations use API gateways¹; however, this practice alone is insufficient. API security today faces two key issues: discovery and shifting left to add security earlier in the development process.

The state of API security and what's missing

API safeguards are currently lagging the burgeoning usage of APIs. While API gateways provide a level of control, they do not address the fundamental need for API discovery and comprehensive security strategies. Gartner predicts that by 2025, half of all APIs will be unmanaged, posing serious risks.³ Such shadow APIs can expose organizations to unauthorized access, data breaches, and other threats because they operate outside the visibility and control of security teams. They harbor vulnerabilities that attackers exploit to gain unauthorized access to sensitive data. The first step in addressing this threat is discovering shadow APIs within an organization's environment.

To discover shadow APIs and manage related multicloud complexities, teams can begin by examining their exposed domain space using tools designed for API discovery. Identifying all endpoints within a company's domain helps map the API landscape. However, the challenge intensifies in multicloud environments, where APIs span various platforms with different security protocols and governance requirements. This complexity necessitates a strategic approach to API management and security.

With developers adding new APIs routinely, they can implement solutions such as Apigee API management from Google Cloud and F5 Distributed Cloud API Security, which offer ongoing discovery and monitoring—equipping them to incorporate security measures early in the development cycle and enhancing API governance.

Shifting left on API security

According to Gartner, by 2026, 40% of organizations will select a WAAP provider based on its advanced API protection and web application security features. That's up from less than 15% in 2022.⁴

While this is welcome news, more organizations can integrate security practices into their CI/CD pipelines by shifting left, ensuring that APIs are secure from the outset. This involves comprehensive API documentation, automated security checks, and ongoing education for developers and security teams.

Easing stress between developers and security teams

Historically, tension has existed between developers focused on rapid deployment and security teams prioritizing safety. To ease this strain, fostering a culture of shared responsibility for security is essential. Encouraging collaboration and mutual understanding can help align goals and streamline processes.

Securing the entire API lifecycle

A comprehensive approach involves continuous monitoring, regular updates, proactive threat detection, implementing strong authentication and authorization mechanisms, and adopting advanced security tools that leverage AI to detect and mitigate threats.

F5 and Google Cloud help you shift left

The first step to improving API security is conducting a thorough inventory of all APIs, identifying unmanaged or outdated endpoints, and documenting their functionalities and security measures. Organizations should prioritize securing APIs based on their risk levels and potential impact. Complementary solutions such as F5 Distributed Cloud API Security and Apigee help create a comprehensive security framework to safeguard APIs across all environments, providing developers peace of mind in an increasingly interconnected world.

So, while API growth presents opportunities for organizations, teams must be aware of the security pitfalls. Organizations can manage their APIs more effectively by shifting left, embracing continuous discovery, and fostering collaboration between development and security teams.

To hear more about what our F5 and Google Cloud specialists are saying about API security, watch the Shift Left: Transform Your API Security with F5 and Google Cloud webinar on demand. You can also visit Google Cloud Platform (GCP) to explore our partnership in depth.

Sources

_{1. F5, 2024 State of Application Strategy Report, 2024}

_{2. F5, Continuous API Sprawl, Nov. 2021}

_{3. Gartner, Predicts 2022: APIs Demand Improved Security and Management, Dec. 2021}

_{4. Gartner, Market Guide for Cloud Web Application and API Protection, Nov. 2023}

About the Author

David RemingtonDirector Product Management

More blogs by David Remington