
'Shift left' doesn't complete DevSecOps story for fintech

An online banking SaaS company trained its developers to code securely, but API security also required "shifting right" to bolster production-level monitoring tools and training.

First, there was DevOps. Then there was DevSecOps and "shifting left." But as API security becomes a growing concern, some companies are shifting back to the right again.

This talk of "left" and "right" refers to the typical software delivery lifecycle diagram. It's usually portrayed as a left-to-right, linear process that begins with software product design requirements, and traverses the process of coding and building software, and then deploying it to production infrastructure.

Ideally, this process also includes a feedback loop from production back to developers and designers to direct future updates and join the left and right sides of the workflow together. But in practice, whether it was during Agile and continuous delivery adoption or the more recent trend of injecting security principles into the early stages of software delivery, the initial focus has often been on the left side of that diagram, where developers design applications and write code, also known as "shifting left."

In the meantime, however, the production infrastructure at the right side of the archetypal software delivery diagram, where applications ultimately live, has undergone changes in the last 10 years just as seismic as Agile and DevOps. Here, monolithic apps running on bare metal or virtual servers have given way to microservices and ever-higher levels of software-based abstraction between application developers and infrastructure hardware.

One type of abstraction, the application program interface (API), has become the focus of inter- and intraorganization collaboration between teams of developers as DevOps and microservices mature. APIs act as a kind of door to individual digital services, through which other services and application developers can access data. Many cloud-based DevOps shops have shifted to "API-first" architectures to embrace this trend, orienting application design around communication through APIs.


"By building on APIs, we're also allowing partners and the financial institutions to create their own experiences, so they can create their own applications as well," said David Biesack, chief API officer at Apiture, an online banking SaaS provider based in Wilmington, N.C.

APIs form the backbone of Apiture's internal developer portal, and about 25 APIs are used in its customer-facing environments. In some cases, APIs make data in both systems easier to access to answer customer questions.

"We had a request from one of our customers: They wanted to know who are all the developers, or all the people at their organization who have registered on the developer portal, and which ones of those have requested API keys," Biesack said. "I was able to just write a quick script that would just hit the APIs and generate that data ... directly ... I don't have to go to the back-end database to do those types of queries."

API security presents unique challenges

API-first design is relatively new, which means it presents novel complexities for security architects that attackers can take advantage of. Its use is also exploding, which attracts bad actors -- Gartner analysts reported a 30% surge in customer inquiries relating to API security this year. An anonymized analysis of customer data for the first six months of 2021 by vendor Salt Security found that overall API traffic increased 141%, and in the same time period, API attack traffic grew 348%.

This adjustment to API-driven development has shifted the security spotlight at Apiture away from software code and back to the "right," toward production infrastructure again, Biesack said.


"We're well versed in the OWASP Top Ten and the OWASP API Security Top Ten -- we know how to code for things like that, code against code injection attacks, and various other types of attacks that are pretty well known," Biesack said. "What we were looking for ... was, what are the unknown unknowns in API security? ... We were looking for someone who can go beyond the things that we could prepare for."

Apiture engaged Salt Security for a proof-of-concept evaluation in late 2020, and chose to purchase the vendor's API Protection Platform in early 2021. The product gathers API data from outside the path of API calls, through mechanisms such as AWS CloudWatch logs and network traffic analysis. On the back end, the platform reconstructs a copy of a customer's API traffic and analyzes it for unusual API user behavior with machine learning algorithms. Anomalies that indicate an API security vulnerability or ongoing attack will trigger alerts and attack-blocking responses from the Salt tool.

Biesack said he chose to go with Salt Security over competitors, which included API WAF vendor Spherical Defense, because the vendor's support staff engaged well with his IT team, but also because Salt Security uncovered a security vulnerability in a test environment early on.

"A big selling point was its ability to learn quickly on sample data," Biesack said. "We turned on Salt in a couple environments and [it] basically collected traffic for a week, started performing analysis on it, and actually found a vulnerability [in] something that was more of an edge case, it wasn't something that would fit well into the OWASP security [model]."

Salt competes with several emerging vendors in the growing API security space, including Traceable Inc., 42Crunch, CloudVector (acquired by Imperva in May), and Imvision. Established IT vendors such as Cisco are developing new API security products as well.

Many of these products also use machine learning and artificial intelligence to identify abnormal, potentially malicious API user behavior the first time it appears, rather than relying on the known attack signatures used by conventional security monitoring tools.
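To make the out-of-band, behavior-based approach described above concrete (log collection outside the request path, a learned per-consumer baseline, and alerts on deviation rather than on signatures), here is an added illustrative example; it is not Salt Security's algorithm or any product's code. The log format, the API keys and the paths are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical API-gateway JSON log format; the
# shape is assumed, not taken from CloudWatch or any vendor product.
SAMPLE_LOG = """
{"ts": 1, "api_key": "k-partner-a", "method": "GET", "path": "/accounts/1001/balance"}
{"ts": 2, "api_key": "k-partner-a", "method": "GET", "path": "/accounts/1001/transactions"}
{"ts": 3, "api_key": "k-partner-a", "method": "GET", "path": "/accounts/1002/balance"}
{"ts": 4, "api_key": "k-partner-b", "method": "GET", "path": "/accounts/2001/balance"}
{"ts": 11, "api_key": "k-partner-a", "method": "GET", "path": "/accounts/1001/balance"}
{"ts": 13, "api_key": "k-partner-b", "method": "GET", "path": "/accounts/2002/balance"}
{"ts": 14, "api_key": "k-partner-b", "method": "GET", "path": "/accounts/2003/balance"}
{"ts": 15, "api_key": "k-partner-b", "method": "GET", "path": "/accounts/2004/balance"}
{"ts": 16, "api_key": "k-partner-b", "method": "GET", "path": "/accounts/2005/balance"}
{"ts": 17, "api_key": "k-partner-b", "method": "GET", "path": "/admin/users"}
{"ts": 18, "api_key": "k-unknown", "method": "GET", "path": "/accounts/3001/balance"}
"""

ID_RE = re.compile(r"/(\d+)(?=/|$)")  # numeric path segments are object identifiers

def profile(records):
    """Per API key: endpoint templates used and distinct object IDs touched."""
    prof = defaultdict(lambda: {"templates": set(), "ids": set()})
    for r in records:
        p = prof[r["api_key"]]
        template = ID_RE.sub("/{id}", r["path"])  # /accounts/1001/balance -> /accounts/{id}/balance
        p["templates"].add(f"{r['method']} {template}")
        p["ids"].update(ID_RE.findall(r["path"]))
    return prof

def detect(log_text, baseline_end_ts, id_ratio=3):
    """Compare each key's recent behaviour with its own baseline window.

    Findings are leads for an analyst, not proof of an attack: a key with no
    history, a key calling an endpoint it never used, or a key touching far
    more distinct object IDs than usual (an object-level access abuse pattern).
    """
    records = [json.loads(line) for line in log_text.strip().splitlines()]
    base = profile(r for r in records if r["ts"] <= baseline_end_ts)
    recent = profile(r for r in records if r["ts"] > baseline_end_ts)
    findings = []
    for key, now in recent.items():
        then = base.get(key)
        if then is None:
            findings.append((key, "unknown-key", "no baseline for this API key"))
            continue
        for t in sorted(now["templates"] - then["templates"]):
            findings.append((key, "new-endpoint", t))
        if len(now["ids"]) > id_ratio * max(1, len(then["ids"])):
            findings.append((key, "id-enumeration", f"{len(now['ids'])} ids vs {len(then['ids'])} in baseline"))
    return findings
```

Calling `detect(SAMPLE_LOG, baseline_end_ts=10)` treats the first ten timestamps as the learning window and reports only partner B's enumeration of account IDs, its call to an endpoint it had never used, and a key with no history at all; partner A's normal traffic produces nothing.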

Apiture balances 'right,' 'left,' automation with dev training

A renewed focus on API security monitoring in production doesn't mean Apiture has forgotten about its "shift left" DevSecOps practices, Biesack said. Analysis from the Salt Security tool also informs the earlier stages of the DevOps workflow.

"I work with our product team ... to make sure that when they define a product feature, [they] include software security elements," Biesack said. "Knowing that Salt can highlight possible exposures helps us with understanding where [sensitive] data needs to be managed, encrypted and secured."

Developer training is another growing part of Biesack's API security program, and he also uses Salt Security data to provide feedback to developers during internal security hackathons.

"At the beginning of 2021, we instituted an internal hackathon where ... we just tell our engineering staff, 'Okay, we're not developing new features at this time, we're not debugging -- we're going to take 24 hours and just hack the system,'" Biesack said. "'Put yourself in the mindset of a hacker and try to see if you can find any additional vulnerabilities in the software.'"

Biesack wants to add further training resources for developers around cybersecurity in 2022, he said.

"We're evaluating external training partners to do more regular training with our engineering staff on API security and security vulnerabilities in general," he said. "I've done training internally ... but we're looking for a little bit more structured way of doing that."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
