API Security for DevSecOps
The Security of APIs Is Critical for DevSecOps
Akamai acquired Noname Security in June 2024. The Noname Security product is now Akamai API Security, but this archived blog post that was originally published on September 29, 2022 reflects the product and feature names on the original date of publication.
DevSecOps is a variant of DevOps (development and operations) that adds security to the software development workflow. The security of application programming interfaces (APIs) must be part of DevSecOps.
This blog post explores how DevSecOps works and the role that API security plays in making the applications that get developed following DevSecOps processes as secure as possible.
What is DevSecOps?
To understand what DevSecOps is about, it’s first necessary to have a firm grasp on DevOps, the original paradigm on which DevSecOps piggybacks. DevOps refers to the combination of two previously separate processes: software development (dev) and IT operations (ops). Traditionally, developers wrote code and handed it off to IT ops for deployment into production. This worked fine in the era of waterfall-style development when it took months, or even years, to complete a new version of an application.
With the advent of agile development methodologies and continuous integration/continuous deployment (CI/CD) of code, the old dev/ops split was no longer viable. New code was being given to ops on a daily, if not hourly, basis to be released.
The only way to get anything done without courting disaster was to unify the dev and ops workflows. The combined processes required a combined team.
In the new DevOps landscape, developers and operations people collaborate to rapidly release code into production. This was not a natural partnership; if anything, relationships between dev and ops teams tended to be strained, with a “throw it over the wall” (and legacy) mindset that got in the way of productivity. DevOps changed this dynamic by introducing a shared responsibility model.
As cyberthreats grew more serious, it made sense that security became part of the DevOps workflow. Thus, DevOps became DevSecOps. This was another smoothing of what had sometimes been a strained relationship, with security often seen as a “traffic cop” that decelerated the development process. DevSecOps represents a new way of working together. Security is now an enabler of faster — but more secure — development cycles.
Key success factors in DevSecOps
Achieving success in DevSecOps is not a simple proposition. It involves the choreography of multiple teams and workflows, each in pursuit of its own goals. Getting the intricate orchestration of people and processes in DevSecOps to work requires a careful blend of tooling and processes. Tooling has to support both sides, and each side has to meet in the middle by making concessions on process; leadership has to do the same.
To succeed with DevSecOps, the security team has to adjust how they test to match the new CI/CD world. In turn, DevOps teams need to treat security issues with at least the same rigor as they treat functional issues. Indeed, less mature programs have security issues that grow old and die in the backlog. Success further requires a shift-left strategy that places the security work at the earliest possible point in the DevOps workflow.
Securing APIs in DevSecOps workflows
Securing APIs in DevSecOps requires API security testing during development and API monitoring once APIs are in production. API security testing is comparable with other forms of security testing in DevSecOps, but with some notable differences. For example, while static testing may be useful for discovering vulnerabilities in code, it is not effective at identifying all API vulnerabilities.
Instead, API security testing for DevSecOps should focus on running black-box tests that exercise the API's business logic. This approach reveals how APIs will actually behave once the application is deployed.
API security testing tools like Noname Active Testing can execute tests of this kind. Noname Active Testing can detect vulnerabilities highlighted in the Open Web Application Security Project (OWASP) API Security Top 10 risks, such as Broken Object Level Authorization, unrestricted resource consumption, security misconfigurations, improper inventory management, and more. If these vulnerabilities are present and unmitigated, a malicious actor who attacks the API can gain unauthorized access to sensitive data.
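To make the black-box, business-logic style of test concrete, here is an added example (not Noname or Akamai code) of a Broken Object Level Authorization check run against a constructed in-memory endpoint, with the vulnerable handler beside its fixed form. The order data, tokens and user names are made up for the example; the check only drives the endpoint as a client would and judges the response.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data: two users, each owning one order.
ORDERS = {101: {"owner": "alice", "total": 42.0},
          202: {"owner": "bob", "total": 99.5}}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed bearer tokens


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _caller(auth: str) -> Optional[str]:
    # Resolve an "Authorization: Bearer <token>" value to a user; None if missing/unknown.
    return TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None


def get_order_vulnerable(auth: str, order_id: int) -> Response:
    """GET /orders/{id}: authenticates the caller but never checks ownership (BOLA)."""
    if _caller(auth) is None:
        return Response(401)
    order = ORDERS.get(order_id)
    return Response(200, order) if order else Response(404)


def get_order_fixed(auth: str, order_id: int) -> Response:
    """Same endpoint with an object-level authorization check on the owner."""
    user = _caller(auth)
    if user is None:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return Response(403)  # deny; a 404 that hides existence is also acceptable
    return Response(200, order)


Endpoint = Callable[[str, int], Response]


def run_bola_suite(endpoint: Endpoint) -> Dict[str, bool]:
    """Black-box checks that use only the API's business semantics (who owns what).
    Static analysis cannot see this: the code is 'correct', the policy is missing."""
    owner_ok = endpoint("Bearer tok-alice", 101).status == 200   # baseline: owner reads own order
    cross_status = endpoint("Bearer tok-bob", 101).status        # bob requests alice's order
    anon_status = endpoint("", 101).status                       # no credentials at all
    return {
        "owner_can_read_own_object": owner_ok,
        "cross_user_access_denied": cross_status in (403, 404),  # False means a BOLA finding
        "unauthenticated_rejected": anon_status == 401,
    }
```

In a pipeline, a `False` in `cross_user_access_denied` would fail the build the same way a failing functional test does.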
Noname Active Testing integrates into the CI/CD pipeline because of the highly configurable test suites it supports. It also enables a shift-left style of testing with built-in integrations for multiple CI/CD systems. Between these two factors, the tool makes it possible to put the “Sec” into DevSecOps with regard to APIs. CI/CD integration is essential, as it enables the continuous, rapid API security testing needed to keep modern applications secure.
API security for DevSecOps does not stop with development. The best practice is to continue the API security process into production. By monitoring APIs in production, the “Sec” part of DevSecOps can detect APIs that have slipped into a state of vulnerability; for example, by being reconfigured or misconfigured by an admin during production. Once detected, the API vulnerability can be remediated as part of the DevSecOps workflow.
Conclusion
DevSecOps can be challenging to implement. It requires a lot of people and processes to be well-aligned so everyone and everything can move along at a brisk pace. API security has the potential to complicate DevSecOps and disrupt its smooth operation. However, API security testing is critical for the development of secure applications. To make API security work well with DevSecOps, it is necessary to use specialized API security testing and monitoring tools.