How to Build a Feedback Loop That Narrows the Gap Between Development and Security
September 23, 2021

Lebin Cheng
Imperva

There's a tug-of-war happening between the development operations team (DevOps) that's responsible for building the company's innovations and the security operations team (SecOps) that's tasked with keeping everything protected.

The growing proliferation of application programming interfaces (APIs) is further exacerbating the tension between these functions. On one side, you have SecOps teams, who have a difficult time gaining visibility into API transactions as API schemas are often lightly documented and subject to frequent changes. While on the other side, there are DevOps teams, who need the freedom to rapidly adjust APIs to meet changing business needs without the burden of manually updating API specifications for security testing and policy definitions.

Although the SecOps team wants to keep a watchful eye on the behaviors of the dozens or hundreds of APIs operating within their network, today's conventional API security methods slow DevOps and make the organization less efficient.

As the connective tissue that binds modern, cloud-native applications together, APIs are essential; but, they're also introducing more cybersecurity risk to the organization. By 2022, it's predicted that APIs will become the most frequently attacked enterprise web application vector.

To fully realize a successful approach to development security operations (DevSecOps) for API security, creating an effective feedback loop between DevOps and SecOps teams is critical to getting a grasp on API security risks.

Establishing a Feedback Loop that Discovers, Monitors and Secures APIs

Historically, applications were deployed under the assumption they would be protected by the network perimeter. As modern software development moves into cloud-native environments, this traditional concept is less effective and leaves the process exposed to additional security vulnerabilities.

By establishing and implementing a feedback loop between DevOps and SecOps, organizations can streamline application release workflows and enable developers to focus on delivering an optimal digital experience while providing the SecOps team with visibility and control over the application runtime.

The ideal feedback loop should encompass three critical domains: discovery, monitoring and security.

Discovery: Maintain an always up-to-date API inventory with contextual data labels. Ideally, this should be done autonomously with an unobtrusive solution that continuously keeps the API inventory up-to-date with data security classifications. For some, discovery simply entails mapping API service endpoints, but that's not enough. Instead, you need to know what data each API is accessing — and shift to a data-centric approach to API security.

Monitoring: Generate developer-sourced specifications and check against security best practices. Functional or regression testing is monitored to validate specifications or to generate specifications if they're not available. Enabling automation ensures protection can keep pace with application changes without manual intervention. That way, new APIs discovered during runtime are checked in the next cycle while API calls in testing help prepare the runtime model.

Security: For API-first apps, API specification is always completed and updated before actual implementation. For other applications, API specification can be used as a reference, but dynamic discovery is needed to ensure the actual implementation and API specifications are in sync. This also means that stringent positive enforcement is not possible. An automated learning system is needed to build a new baseline every time a new API specification is discovered or updated. The new baseline helps to identify anomalies accurately and drive security policy actions without manual intervention.

This feedback loop gives the SecOps team the visibility they need into potential threats without slowing down the development process. It's analogous to adding a security camera to monitor the production floor of a warehouse. The SecOps team gets visibility around-the-clock, monitors for suspicious activity and can react as soon as something nefarious happens. In a software production environment, AI and machine learning are essential for helping automate this activity and to reduce the time it takes to respond.

What's Needed Longer Term

The idea behind a development security operations (DevSecOps) process is sound, but the approach is often flawed because these two functional departments cannot simply be locked in the same room and expected to exist symbiotically.

Both DevOps and SecOps want a frictionless relationship where developers are enabled to move fast and innovate the business, without putting it at risk. However, both sides lack the tools needed to monitor what's happening in development and production — particularly the API calls between internal and external applications and services.

Through the implementation of the API discovery and risk assessment feedback loop, organizations can successfully streamline the resources needed to manually fill the gap while mitigating security risks.

Lebin Cheng is Head of API Security, Office of the CTO, at Imperva
Share this

Industry News

October 21, 2021

Splunk announced the latest enhancements to the Splunk observability portfolio including advanced product innovations for Splunk Application Performance Monitoring (APM), Splunk Real User Monitoring (RUM), Splunk Synthetic Monitoring, Splunk Log Observer, Splunk Infrastructure Monitoring and Splunk IT Service Intelligence.

October 21, 2021

Platform9 announced a number of new enterprise features that greatly eliminate operational complexities in managing multi-cluster and multicloud Kubernetes deployments, available in the new release, Platform9 5.4 Release.

October 21, 2021

Graylog is announcing Graylog Security.

Designed to overcome legacy Security Information & Event Management (SIEM) challenges, Graylog’s scalable, flexible cybersecurity platform makes security analysts’ jobs easier and faster. With SIEM, Anomaly Detection, and User Entity Behavior Analytics (UEBA) capabilities, Graylog’s security solution will provide security teams with even greater confidence, productivity, and expertise to mitigate risks caused by Insider Threats, credential-based attacks, and other cyber threats.

October 21, 2021

Prodly announced a Series A investment of $10 million led by Leta Capital.

October 20, 2021

SonarSource added over 5,000 customers in the last 12 months, reaching the 15,000 commercial customers milestone in record time.

October 20, 2021

Actian announced the general availability of its newly released DataConnect 12 integration platform, demonstrating a continued focus on ease of use for complex data integration and data quality.

October 20, 2021

Salt Security announced new capabilities in its next-generation Salt Security API Protection Platform to secure GraphQL APIs.

October 20, 2021

vFunction announces the availability of the vFunction Application Transformation Engine and the expanded vFunction Modernization Platform, with new, advanced capabilities that enable enterprises to automatically assess, analyze, and manage the full modernization and migration process from start to finish.

October 20, 2021

Mage raised a $6.3 million seed round led by Gradient Ventures.

October 19, 2021

Couchbase announced its Couchbase Capella hosted Database-as-a-Service (DBaaS) offering on Amazon Web Services (AWS).

October 19, 2021

Checkmarx announced the launch of the Checkmarx Application Security Platform to help CISOs, AppSec teams, and developers address the growing and dynamic security challenges they face.

October 19, 2021

Tasktop announced Affinity Modeling for model-based integration in Tasktop Hub, helping Agile and DevOps software delivery teams reduce time to market and develop software faster.

October 19, 2021

Morpheus Data is continuing released version 5.3.3 targeted at enterprises trying to manage a complex mix of VMware, Kubernetes, and Public Cloud services.

October 19, 2021

Okta announced the availability of Okta Workflows as a standalone offering for all customers.

October 18, 2021

Red Hat announced a series of updates in its portfolio of developer tools and programs aimed at delivering greater productivity, security and scale for developers building applications on Red Hat OpenShift.