A View from The C-Suite: The New CIS API Security Guide

The CIS Guide for API security is designed to give teams a series of actionable best practices and prescriptive guidance for their API security posture at every stage in the API lifecycle.


Introduction

APIs have become critical to everyday activities, from ordering food and booking travel to home functions such as water heating and connected cars. Because they are used so widely across so many industries, APIs are now one of the biggest targets in the digital world.

In fact, API breaches are rising year over year too rapidly for developers and security teams to keep up. In the past year, we saw API breaches up over 80%. For more on this, download FireTail’s State of API Security 2024 report here.

Many individuals and organizations don’t even realize how many APIs they use, and even big companies are falling behind when it comes to API security. But with things changing so frequently, who can really blame them?

Part of the problem is a general lack of understanding around APIs and API security. Public knowledge of APIs is still limited and can result in lots of misinformation and missteps in security postures. 

For example, treating the OWASP Top Ten as the whole of an API security programme can be a fatal error.

The OWASP API Security Top Ten highlights many of the most prevalent vulnerability classes, but it is a prioritized list of risks, not an operating model: it can only address so much, even with its 2023 update. Regulatory compliance requirements are beginning to apply in various industries, yet organizations often lack a good roadmap toward an API security initiative.

That’s where the CIS Guide for API Security comes in.

The CIS Guide for API Security

The team at FireTail talked with dozens of organizations around the world about their API security efforts, frustrations and limitations. 

One result of these conversations was recognizing a gap in the space, where organizations were looking for more prescriptive, easy-to-follow guidelines towards starting an API security initiative.

For that reason, FireTail partnered with the Center for Internet Security (CIS) to create an API security community, which you can join yourself, here.

The end result of this is the first draft of The CIS API Security Guide, reviewed by cybersecurity experts from around the world before its release. The guide was announced at Black Hat USA 2024. Please click here to watch a 20-minute presentation of the FireTail team announcing the initiative.

The CIS Guide for API security is designed to give teams a series of actionable best practices and prescriptive guidance for their API security posture at every stage in the API lifecycle. As an API security platform, FireTail can also help organizations kickstart the process and provide out-of-the-box CIS reporting to assist in implementing the necessary security measures.

The API Lifecycle

The CIS API Security Guide breaks the API lifecycle down into five distinct stages, and suggests actionable steps for security at each stage. In this section, we’ll go over each lifecycle stage, the CIS Guide’s tips for it, and how FireTail can help.

Design: In the design stage, analysis is key. 

The CIS Guide directs developers to analyze their designs to catch common flaws, such as unauthenticated endpoints and sequential integer identifiers (which let an attacker enumerate other users’ objects simply by counting). It also advises that teams plan for appropriate access controls around authentication, authorization, and more, before any code is written.

FireTail helps developers generate API specifications from code and from observed traffic logs, so the design can be reviewed against what is actually exposed.

Development: In the development stage, ensure that every API has a specification.

The CIS Guide gives developers insight to protect APIs against vulnerabilities such as unscoped request parameters, inputs with no constraints on length or value, and more. A specification is what makes those constraints checkable, both by reviewers and by automated tooling.

FireTail continuously evaluates and improves your security posture during development with specification-based findings, CI/CD integration, remediation guidance, and more.
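
The design- and development-stage checks above (unauthenticated endpoints, enumerable integer identifiers, unscoped parameters and unbounded inputs) are the kind of thing a specification lints for. The following is an added example of such a lint over an OpenAPI 3 document; it is illustrative code, not the CIS Guide’s or FireTail’s own tooling, and the sample document, rule names and the choice of `maxLength`/`enum` as the bound test are all assumptions made here.

```python
"""Added example: static lint of an OpenAPI 3 document for the design- and
development-stage flaws discussed above. Illustrative code, not the CIS Guide's
or FireTail's own tooling; the sample spec and rule names are constructed."""
from typing import Any

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed sample document with one instance of each flaw.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],          # document-wide default
    "paths": {
        "/users/{id}": {                        # integer id: enumerable (BOLA/IDOR risk)
            "get": {"parameters": [{"name": "id", "in": "path", "required": True,
                                    "schema": {"type": "integer"}}]},
        },
        "/health": {"get": {"security": []}},   # explicit opt-out: unauthenticated
        "/search": {                            # string with no maxLength or enum
            "get": {"parameters": [{"name": "q", "in": "query",
                                    "schema": {"type": "string"}}]},
        },
        "/orders": {                            # object body accepts unknown fields
            "post": {"requestBody": {"content": {"application/json": {"schema": {
                "type": "object",
                "properties": {"sku": {"type": "string", "maxLength": 32}}}}}}},
        },
    },
}


def _bounded(schema: dict) -> bool:
    """A string input is bounded only if its length is capped or its values are enumerated."""
    return schema.get("type") != "string" or "maxLength" in schema or "enum" in schema


def lint_spec(spec: dict) -> list:
    """Return one finding per flaw; each finding names the rule and the operation."""
    findings = []
    default_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:      # skips 'parameters', 'summary', etc.
                continue
            where = f"{method.upper()} {path}"
            # Operation-level security overrides the global default; [] means "none".
            if not op.get("security", default_security):
                findings.append({"rule": "unauthenticated-endpoint", "at": where})
            for p in shared_params + op.get("parameters", []):
                schema = p.get("schema", {})
                if p.get("in") == "path" and schema.get("type") == "integer":
                    findings.append({"rule": "sequential-id", "at": where, "param": p["name"]})
                if not _bounded(schema):
                    findings.append({"rule": "unbounded-input", "at": where, "param": p["name"]})
            for ctype, media in op.get("requestBody", {}).get("content", {}).items():
                schema = media.get("schema", {})
                # additionalProperties defaults to true: any unlisted field is accepted.
                if schema.get("type") == "object" and schema.get("additionalProperties", True) is True:
                    findings.append({"rule": "unscoped-body", "at": where, "content_type": ctype})
    return findings


if __name__ == "__main__":
    for finding in lint_spec(SAMPLE_SPEC):
        print(finding)
```

Run as a CI step, a non-empty result from `lint_spec` fails the build; the `sequential-id` rule in particular is a design finding (switch to random identifiers or enforce object-level authorization), which is why it belongs before code exists.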

Deployment: In the deployment stage, test APIs from an external perspective.

The CIS Guide advises developers to check APIs for known CVEs in their components, accidental data exposure in responses, input-handling faults found by fuzzing, and more.

FireTail provides active testing and validation, TLS (SSL) testing, CVE identification and more.

Operation: In the operation stage, it is critical to know about all your APIs in production.

The CIS Guide advises developers to log all their API traffic to a central location. Teams should monitor those logs for threats, indicators of compromise (IoCs) and abuse patterns, such as one client walking through object identifiers or generating bursts of authentication failures.

FireTail normalizes your logs to provide centralized, unified logging and inline protection.
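
Centralized logs are only useful if something reads them. The following is an added example of detection logic over API access logs for the abuse patterns named above; it is illustrative code, not the CIS Guide’s or FireTail’s own detections, and the log format, thresholds, sliding-window sizes and the IoC list are all constructed for the example.

```python
"""Added example: detection logic over centralised API access logs for the abuse
patterns named above: identifier enumeration, authentication-failure bursts and
known-bad source addresses. Illustrative code, not the CIS Guide's or FireTail's
own detections; the log lines, thresholds and IoC list are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-per-line access log; timestamps are UTC.
LOG_LINES = [
    '{"ts":"2024-08-07T10:00:00Z","ip":"10.0.0.5","method":"GET","path":"/users/100","status":200}',
    '{"ts":"2024-08-07T10:00:02Z","ip":"10.0.0.5","method":"GET","path":"/users/101","status":200}',
    '{"ts":"2024-08-07T10:00:04Z","ip":"10.0.0.5","method":"GET","path":"/users/102","status":404}',
    '{"ts":"2024-08-07T10:00:06Z","ip":"10.0.0.5","method":"GET","path":"/users/103","status":200}',
    '{"ts":"2024-08-07T10:00:08Z","ip":"10.0.0.5","method":"GET","path":"/users/104","status":200}',
    '{"ts":"2024-08-07T10:00:10Z","ip":"10.0.0.5","method":"GET","path":"/users/105","status":200}',
    '{"ts":"2024-08-07T10:00:30Z","ip":"192.0.2.10","method":"GET","path":"/users/42","status":200}',
    '{"ts":"2024-08-07T10:01:00Z","ip":"198.51.100.9","method":"POST","path":"/login","status":401}',
    '{"ts":"2024-08-07T10:01:05Z","ip":"198.51.100.9","method":"POST","path":"/login","status":401}',
    '{"ts":"2024-08-07T10:01:10Z","ip":"198.51.100.9","method":"POST","path":"/login","status":401}',
    '{"ts":"2024-08-07T10:01:15Z","ip":"198.51.100.9","method":"POST","path":"/login","status":401}',
    '{"ts":"2024-08-07T10:01:20Z","ip":"198.51.100.9","method":"POST","path":"/login","status":401}',
    '{"ts":"2024-08-07T10:02:00Z","ip":"203.0.113.7","method":"GET","path":"/health","status":200}',
]
KNOWN_BAD_IPS = {"203.0.113.7"}  # constructed entry standing in for a threat-intel feed

ID_SEGMENT = re.compile(r"/(\d+)(?=/|$)")


def parse(lines):
    """Normalise raw lines into dicts with real datetimes, oldest first."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def template(path):
    """'/users/101' -> ('/users/{id}', [101]) so requests group by endpoint."""
    ids = [int(m) for m in ID_SEGMENT.findall(path)]
    return ID_SEGMENT.sub("/{id}", path), ids


def detect_enumeration(events, min_ids=5, window=timedelta(seconds=60)):
    """One client walking a dense range of object ids on one endpoint inside the window."""
    hits = defaultdict(list)
    for e in events:
        tmpl, ids = template(e["path"])
        if ids:
            hits[(e["ip"], tmpl)].append((e["ts"], ids[0]))
    findings = []
    for (ip, tmpl), seq in hits.items():
        for i in range(len(seq)):
            seen = {oid for ts, oid in seq[i:] if ts - seq[i][0] <= window}
            # dense: the span of ids is at most twice the number of distinct ids seen
            if len(seen) >= min_ids and max(seen) - min(seen) + 1 <= 2 * len(seen):
                findings.append({"rule": "id-enumeration", "ip": ip, "path": tmpl, "ids": len(seen)})
                break
    return findings


def detect_auth_failures(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding window of 401/403 responses per client (credential stuffing, token guessing)."""
    per_ip = defaultdict(list)
    for e in events:
        if e["status"] in (401, 403):
            per_ip[e["ip"]].append(e["ts"])
    findings = []
    for ip, times in per_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"rule": "auth-failure-burst", "ip": ip, "count": end - start + 1})
                break
    return findings


def match_iocs(events, bad_ips):
    """Any request at all from an address on the IoC list is worth an alert."""
    return [{"rule": "ioc-match", "ip": e["ip"], "path": e["path"]} for e in events if e["ip"] in bad_ips]


def analyze(lines, bad_ips=KNOWN_BAD_IPS):
    events = parse(lines)
    return detect_enumeration(events) + detect_auth_failures(events) + match_iocs(events, bad_ips)


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(finding)
```

The enumeration rule keys on the path template rather than the raw path, which is why logs need to be normalized before detection: without that step, `/users/100` and `/users/101` look like unrelated endpoints and the pattern is invisible.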

Decommission: In the decommission stage, ensure that decommissioned APIs stay that way. 

The CIS Guide warns that older versions of APIs might have unresolved vulnerabilities or business logic flaws that leave them open to data breaches. Take charge of your API security by staying on top of all your APIs, including those that are supposedly no longer in use.

FireTail can help you maintain visibility into your inventory, catch shadow IT and accidental re-deploys, and match code repositories to production resources.
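
The decommissioning check comes down to reconciling what the current specifications declare against what production traffic shows is still answering. The following is an added example of that reconciliation; it is illustrative code, not the CIS Guide’s or FireTail’s own inventory logic, and the declared inventory, the retired version list and the observed traffic are all constructed for the example.

```python
"""Added example: reconcile the API inventory declared in current specifications
against endpoints actually observed in production traffic, surfacing retired
versions that still answer ("zombie") and endpoints no spec declares ("shadow").
Illustrative code, not the CIS Guide's or FireTail's own logic; inputs are constructed."""
import re
from collections import Counter

ID_SEGMENT = re.compile(r"/\d+(?=/|$)")

# Constructed: what the current specs in the repository declare, keyed by version.
DECLARED = {
    "v2": {("GET", "/v2/users/{id}"), ("POST", "/v2/orders"), ("GET", "/v2/health")},
}
DECOMMISSIONED_VERSIONS = {"v1"}   # constructed: v1 was formally retired

# Constructed observed traffic: (method, concrete path) pairs from production logs.
OBSERVED = [
    ("GET", "/v2/users/17"),
    ("POST", "/v2/orders"),
    ("GET", "/v1/users/17"),       # retired version still answering
    ("GET", "/v1/users/18"),
    ("GET", "/admin/debug"),       # no specification declares this endpoint
    ("GET", "/v2/health"),
]


def to_template(path):
    """Collapse numeric path segments so concrete requests match spec paths."""
    return ID_SEGMENT.sub("/{id}", path)


def version_of(path):
    """'/v1/users/{id}' -> 'v1'; None when the path carries no version prefix."""
    m = re.match(r"^/(v\d+)/", path)
    return m.group(1) if m else None


def reconcile(declared, decommissioned, observed):
    """Return endpoints seen in traffic that no current spec declares, split by cause."""
    known = set().union(*declared.values()) if declared else set()
    hits = Counter((method, to_template(path)) for method, path in observed)
    zombie, shadow = [], []
    for (method, tmpl), n in sorted(hits.items()):
        if (method, tmpl) in known:
            continue
        entry = {"method": method, "path": tmpl, "requests": n}
        if version_of(tmpl) in decommissioned:
            zombie.append(entry)    # decommissioned on paper, live in production
        else:
            shadow.append(entry)    # live in production, never specified
    return {"zombie": zombie, "shadow": shadow}


if __name__ == "__main__":
    print(reconcile(DECLARED, DECOMMISSIONED_VERSIONS, OBSERVED))
```

Both lists are actionable in different ways: a zombie endpoint should be removed from the gateway or routing configuration, while a shadow endpoint first needs an owner and a specification before anyone can say whether it is safe.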

Other API security best practices

The CIS API Security Guide also gives more general guidance for developers’ API security that applies at any stage of the lifecycle.

Continuous monitoring: The CIS guide advocates for monitoring systems, networks, and applications regularly for all activity, normal as well as malicious, since a baseline of normal behaviour is what makes the malicious stand out.

Access control: The guide advises that teams implement strong authentication mechanisms, and closely manage privileged accounts.

Regular updates & patch management: When it comes to API security, keeping systems and patch processes up to date is essential.

Security configuration management: The CIS and FireTail advise that all teams ensure systems are configured and coded to best practices.

Incident response planning: Teams should regularly test an incident response plan in order to minimize the impact of security incidents.

User education and awareness: CISOs should teach teams about the importance of following CIS guidelines and other best security practices.

Conclusion

FireTail teamed up with the CIS to bring together a community of cybersecurity professionals, united around the need to create a comprehensive API security guide to help teams bolster their API security postures using the best practices from leading minds in the industry. 

FireTail and the CIS will continue to assess feedback and contributions from the API security community and other experts in the industry to add updates to the guide in future years. The Guide will likely expand as new API technologies are launched, as new API security threats are identified, and as community members and contributors identify new opportunities to implement additional security best practices that benefit any organization looking to improve its API security.

No matter what part of the team you are on, developer or CISO, or what stage of development you are at, from design to production, API security is essential. The CIS API Security Guide can help you by providing actionable steps toward taking charge of your API security today, such as continuous monitoring, regular updates, patch management, and more.

FireTail can help give you the tools you need to follow the New CIS API Security guide and improve your API security posture today. Try it out for free here!