Forrester: Why APIs need zero-trust security

APIs today prove their value by driving new digital business revenue growth and transforming decades-old business models. Such APIs have also become a fast-growing threat vector and a nexus of what research group Forrester calls “API insecurity.” What the enterprise needs is to approach APIs from a zero-trust security paradigm.

Evidence of the rise of APIs in DevOps is plentiful, and IT managers have taken note. According to the second annual RapidAPI Developer survey, 58% of enterprise executives say participating in the API economy is a top priority. In some industries, this change is particularly dramatic. The RapidAPI survey indicates 89% of telecommunications executives, 75% of health care executives, and 62% of financial service executives prioritize competing in an API economy today.

Still, as real-time APIs displace traditional approaches to integration and development, it is important to work toward a zero-trust approach that does not rely on perimeter-based security methods.

Forrester’s recent API Insecurity: The Lurking Threat In Your Software report points out that protecting APIs with perimeter-based security fails to stop attacks’ increasing severity and sophistication. Moreover, APIs are an elusive moving target because they are vulnerable to a broader, more complex series of threats than web apps typically face.

API breaches, including those at Capital One, JustDial, T-Mobile, and elsewhere, continue to underscore how perimeter-based approaches to securing web applications aren’t scaling well for today’s APIs.

The Forrester report emphasizes that REST APIs provide direct access to transaction updates without requiring a web app and often stand without sufficient security. In one example cited, a single-page web app that combines APIs and AJAX using an endpoint security model was easily exposed to attackers.

Forrester recommends technical leaders and DevOps teams identify and catalog APIs and endpoints and verify public API security models and API user identities. APIs, including AJAX endpoints, need to adopt a zero-trust security framework now to reduce the risk of large-scale breaches in the future.

APIs start with zero-trust security

Given how pervasive APIs are today, organizations need an overarching API security strategy that scales to address compliance and security challenges while keeping business outcomes in balance. Zero-trust security can address those challenges and is needed to secure APIs throughout the software development lifecycle and into production.

The immediate payoff is that DevOps and security teams will know which APIs exist and which endpoints are secured. They’ll also discover rogue endpoints that put transaction updates and mass data updates at risk. Forrester points out that a glaring lack of endpoint visibility often turns into internal test endpoints deployed into production. Assigning least privileged access and microsegmentation across endpoints, even in internal tests, helps alleviate the risk of an API breach in the future.

The following recommendations illustrate how transitioning to a zero-trust security approach for securing APIs can reduce the threat of a breach:

• API governance needs zero trust to scale. Getting governance right sets the foundation for balancing business leaders’ needs for a continual stream of new innovative API and endpoint features with the need for compliance. Forrester’s report says “API design too easily centers on innovation and business benefits, overrunning critical considerations for security, privacy, and compliance such as default settings that make all transactions accessible.” The Forrester report says policies must ensure the right API-level trust is enabled for attack protection. That isn’t easy to do with a perimeter-based security framework. Primary goals need to be setting a security context for each API type and ensuring security channel zero-trust methods can scale.


• APIs need to be managed by least privileged access and microsegmentation in every phase of the SDLC and continuous integration/continuous delivery (CI/CD) Process. The well-documented SolarWinds attack is a stark reminder of how source code can be hacked and legitimate program executable files can be modified undetected and then invoked months after being installed on customer sites. If least privileged access and microsegmentation were in force by API and endpoint categories, DevOps could complete API security testing before, during, and after executable code deployments. The potential to catch a breach could be designed into the source code. The SDLC in many DevOps organizations would run more smoothly if a zero-trust framework were put in place before coding began, defining governance simply, clearly, and at scale. App security testing can’t continue to be treated as the bolt-on final task of the SDLC.


• Zero-trust security needs to be an integral part of API lifecycle management. The report states that API security management needs to extend beyond the API coding process itself. The authors explain: “whether your application is API-first, a classic client/server model, or a combination of both, follow the tried-and-true rules: Default deny, and don’t trust client-supplied data.” That advice defines the essence of a zero-trust security framework. Forrester also advises DevOps leaders to “authenticate everywhere; design explicit chains of trust as an integral part of API development and deployment pipelines.” This is basic to zero-trust security’s pledge to never trust, always verify, and continually enforce a least privileged access strategy.

Getting API governance right

As API-first integration strategies dominate enterprise software, replacing native adapters and direct database access, the need for zero-trust security is becoming more urgent. Relying on zero-trust security frameworks as the foundation for API governance helps remove roadblocks while alleviating the inherent conflicts between innovative design and compliance.

Getting API governance right brings greater scale, security, and speed to DevOps. With APIs an increasingly imposing threat vector, DevOps organizations need to move beyond treating security testing as an afterthought and instead make it integral to every phase of the SDLC. That will help alleviate the risk of an API breach.

The business benefits of APIs are real, as programmers employ them for speedy development and integration. But unsecured APIs present a keen application security challenge that cannot be ignored.