Best Practices for Driving Greater API Security Through CNAPP

Threat actors are increasingly targeting APIs to exfiltrate sensitive data. Learn how a cloud-native application protection platform (CNAPP) can contextualize, prioritize, and remediate API threats.

Preetham Anand Naik, Senior Product Manager at Microsoft Defender for APIs

June 17, 2024


In the ever-evolving world of cloud security, application programming interfaces (APIs) have emerged as a critical blind spot.

APIs act as the fundamental building blocks of modern application development, facilitating seamless integrations, information sharing and data exchange between different software applications, users, and systems. As such, they are integral to companies’ ability to deliver goods and services online. And their usage is only likely to grow. According to Gartner, more than 80% of enterprises will have used generative artificial intelligence (GenAI) APIs by 2026.

However, as rising cloud and mobile adoption, digital modernization, and AI increase the demand for APIs, threat actors are beginning to target APIs as a common threat vector to access and exfiltrate sensitive data.

A cloud-native application protection platform (CNAPP) is one solution companies can leverage to better secure vulnerable APIs -- offering more contextualized insights into API risks and alerts, shifting security further left into the development lifecycle, and accelerating security teams’ time to detection and remediation.

Why use CNAPP for API security?

At its core, CNAPP is designed to integrate multiple cloud security solutions under one umbrella and protect cloud-native applications and infrastructure from development to runtime. This offers several advantages for API security.

CNAPP unifies cloud security posture management (CSPM), multipipeline DevOps security, cloud workload protection, cloud infrastructure entitlement management (CIEM), and cloud service network security (CSNS), among other capabilities, into a single platform. In doing so, it can correlate multiple layers of information to provide more contextualized insights for security teams. So rather than just identifying an API that is misconfigured or wrongfully exposed to the internet, a CNAPP can go a layer deeper by contextualizing what that vulnerability means for the organization’s risk posture. After all, an API that exposes harmless image files is far less risky than an API that exposes sensitive data or company secrets.

Similarly, CNAPPs can prioritize which API vulnerabilities need to be remediated first according to risk factors that are specific to your own infrastructure. As security practitioners struggle to surface relevant insights from the hundreds of security alerts they receive every day, this prioritization can be the difference between responding to a threat in real time or missing a critical alert, resulting in a breach. For CNAPPs that are equipped with generative AI supported by large and small language model interfaces, security practitioners can also accelerate their time to remediation with guided next steps.

CNAPPs also serve as an essential conduit between development and security teams, promoting the remediation of security findings early in the development process. This is critical for API security, especially when you consider how quickly cloud-native applications are developed and pushed into runtime. Security teams often find themselves challenged to keep pace with accelerated development cycles. Thus, CNAPP provides a streamlined solution for reinforcing secure development practices -- providing better visibility into API security evaluations and driving better governance and proactive risk management throughout the application lifecycle.

Finally, CNAPPs drive greater visibility into development environments and can correlate DevOps security recommendations with contextual cloud security insights to prioritize remediation in code. Similarly, CNAPPs can be used to embed security into Infrastructure as Code (IaC) templates and container images to help minimize the risk of cloud misconfigurations reaching production environments. Once APIs are deployed in the runtime environment, CNAPPs assist in mitigating risks by providing central security teams with comprehensive visibility, posture insights, and hardening recommendations. This helps drive a more proactive API security posture.

4 best practices for securing APIs through CNAPP

When it comes to securing APIs through a CNAPP solution, there are a few best practices organizations should follow.

  1. Establish visibility into all APIs within your enterprise: When securing APIs through a CNAPP, the first step is to establish visibility into all APIs within your enterprise. This includes managed APIs as well as any unmanaged APIs that the security team might not know about. Unmanaged APIs are especially concerning given that they are likely not being updated with the latest identity and access controls or vulnerability patching.

  2. Assess your API security posture: Next, security teams should work to gain strong security insights on the APIs that are currently in runtime. Teams can use a CNAPP to assess their API security posture by scanning for possible misconfigurations, poor or missing authentication policies, unwanted internet exposure and, most importantly, sensitive data exposure—which may require proactive mitigation and proper governance. Once APIs are in production, they are notorious for exposing data, so it’s also important to deploy robust data security controls through strong data classification and a defense-in-depth approach.

  3. Proactively test APIs before deployment: In addition to focusing on APIs in runtime, it’s also important to proactively assess API risks using static scans against API schemas and conformance testing of APIs before they are deployed to production. This allows security and developer teams to work together to address any potential vulnerabilities before the API is moved to runtime.

  4. Actively monitor APIs for new and unknown threats: Cybersecurity is always evolving, and new common vulnerabilities and exposures (CVEs) can be discovered at any time. That’s why organizations must continuously monitor APIs for new risks or active attacks. One of the most common API threats is broken object-level authorization (BOLA). BOLA vulnerabilities in APIs enable attackers to gain access to objects with sensitive information that do not belong to them—for example, by manipulating object IDs or other API parameters.
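The BOLA weakness from practice 4 and its monitoring counterpart, as an added example that is not from the article or from Microsoft Defender for APIs: a handler that returns any record by id beside its hardened form, which verifies ownership, plus a simple check over a constructed access log that flags a caller walking through object ids. The record store, user names, function names and the enumeration threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: str
    body: str

# Constructed sample data: two authenticated users, each owning one record.
RECORDS = {
    101: Record(101, "alice", "alice's account statement"),
    102: Record(102, "bob", "bob's account statement"),
}

class NotFound(Exception):
    """Maps to HTTP 404; raised for missing and foreign records alike."""

def get_record_vulnerable(caller: str, record_id: int) -> Record:
    # BOLA: the caller is authenticated, but the record owner is never compared
    # with the caller, so any valid id in the request path returns that record.
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound
    return rec

def get_record_hardened(caller: str, record_id: int) -> Record:
    # Object-level authorization: fetch, then verify ownership. Foreign and missing
    # ids both yield 404 so the response does not reveal which ids exist.
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner_id != caller:
        raise NotFound
    return rec

def can_read(handler, caller: str, record_id: int) -> bool:
    # True if `handler` hands the record to `caller`; used by the posture check.
    try:
        handler(caller, record_id)
        return True
    except NotFound:
        return False

def flag_id_enumeration(access_log, threshold: int = 3) -> set:
    # Monitoring side of practice 4: a caller that touched more than `threshold`
    # distinct object ids in the (caller, record_id) log is flagged as probing.
    seen = {}
    for caller, record_id in access_log:
        seen.setdefault(caller, set()).add(record_id)
    return {c for c, ids in seen.items() if len(ids) > threshold}
```

The same `can_read` check is what a pre-deployment conformance test (practice 3) would run against each object endpoint with a second user's credentials.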

As organizations continue to push the boundaries of digital innovation, API usage is only going to grow more prevalent. CNAPP will play a critical role in this cloud-enabled future, embedding security best practices earlier in the development lifecycle and driving more proactive, contextualized API security in runtime to ensure your data is protected both at rest and in transit.

Additional resources

To learn more about CNAPP and API security, explore the following additional resources:

About the Author(s)

Preetham Anand Naik

Senior Product Manager at Microsoft Defender for APIs

Preetham Anand Naik is a Senior Product Manager at Microsoft Defender for APIs. Preetham is a dedicated cybersecurity professional with a profound passion for cloud and API security. With a career devoted to bolstering digital ecosystems against evolving threats, Preetham brings extensive expertise to the forefront of the Microsoft Defender for Cloud suite. Preetham also plays a pivotal role in enhancing the API and web application security posture of organizations in an ever-changing threat landscape.
