Essential Steps to Building a Robust API Security ProgramGartner's Dionisio Zumerle on API Security Challenges, Risk Assessments and Trends
In the past year, several high-profile breaches resulting from API attacks are "just the tip of the iceberg," said analyst Dionisio Zumerle, vice president at Gartner. Many companies - including banks, which now have about 1 billion API calls a month for money transfer apps - are highly dependent on APIs, he said.
See Also: LIVE Webinar | Hackers Don't Back Down, So You Need to Back Up: Data Security's Hardest Truths
"What we have is a new way of exchanging information which is increasingly popular, and almost no organization has the recipe to secure that new way of communicating," he said. "The very first thing to do when you set up an API security project is to set, define and communicate the scope of the program and set expectations properly," he said.
Zumerle emphasized the importance of "good design from the start," for which he recommends threat modeling. "That allows you to identify possible exposures and decide the mitigations that you can put in place," he said. Deploying tools that "find, assess and monitor" APIs is essential.
On current API security innovation trends, Zumerle said, "There is a lot of overlap between newer API protection startups, what incumbent web application and API protection tools offer and also a newer category, another buzzword: cloud-native application protection platforms." He believes there are merits in all of those approaches but expects consolidation in the market.
In this video interview with Information Security Media Group, Zumerle discusses:
- Organizational and technical API security challenges businesses face;
- Practical steps security and risk management leaders can take to protect their APIs;
- API security technology innovation to watch in the year ahead.
Zumerle, who is currently focused on application and mobile security topics, covers API security, mobile application security, DevSecOps and mobile threat defense for Gartner. His research interests also include emerging technology areas, such as application security posture management, and broader trends, such as the consolidation of cybersecurity platforms.