UPDATED 14:39 EDT / JULY 28 2022

SECURITY

Developers and APIs are the heroes of digital transformation, says Noname Security

The foundation of enterprise computing is shifting, driven by rapid cloud adoption and demand for distributed systems. Developers, and the application programming interface economy they build on, now set the pace of digital transformation.

As security teams come under added pressure to deliver in unfamiliar cloud-native environments, security capabilities must adapt accordingly, according to Karl Mattson (pictured), chief information security officer at Noname Security.

“The story of developers and API is one of becoming the hero — the hero of digital transformation and public cloud adoption,” he said. “And so this is becoming much more of a developer-centric discussion about where we’re moving our applications, where they’re hosted, and how they’re designed. And so there’s a lot of energy around that right now.”

Mattson spoke with theCUBE industry analyst John Furrier at AWS re:Inforce, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how companies are grappling with the new swathe of cybersecurity challenges being posed by today’s cloud-native and open-source demands. (* Disclosure below.)

Securing APIs across their entire life cycle

While APIs are nothing new, there has been a seismic shift in how they are deployed, according to Mattson. Where APIs once served mostly behind-the-scenes integration, enterprises now build directly on public-facing interfaces.

Noname focuses on API security and treats APIs as software endpoints that must be secured across their entire life cycle, like any other software.

“It needs to be designed well, with secure coding standards for APIs, and tested well,” Mattson explained. “It also has to be deployed into production, configured well and operated well. And when there’s a misuse or an attack in progress, we have to be able to protect and identify the risks to that API in production. So when you add that up, we’re looking at a full life cycle view of it.”

APIs are a major underpinning of the modern cloud and a driver of cloud benefits such as performance and scalability, so it is imperative to apply best practices and keep innovating on how they are secured, Mattson added.

As API security practices mature, one thing teams need to do is look beyond the source code alone, according to Mattson.

“Certainly, the quality of the source code of API is step one. But what we see in practice is most of the publicly known API compromises weren’t because of bad source code, but because of network misconfiguration or the misapplication of policy during runtime,” he stated.

Closing gaps of this kind, starting at the design stage, is Noname's primary focus.

“What we add to the conversation on API security is helping fill all those little gaps, from design and testing through production, so we can see all of the moving parts in the context of the API to see how it can be exploited,” Mattson said.

Applying machine learning to API security

Noname’s API security platform can be broadly broken down into three functional areas: API code testing, posture management and threat defense.

“[Threat defense] is identifying the inherent risk exposure of an API,” Mattson said. “A great example of that would be an API that is addressable by internal systems and external systems at the same time.”

Noname's threat defense is not meant to replace existing controls such as web application firewalls, or WAFs, and API management gateways. It augments them, covering attack types those controls cannot detect on their own.

“There are attack types within business logic, in particular, of things like authentication policy that a WAF is not going to be able to see. So the WAF and the API management plan are the key control points, and we can help make those better,” Mattson explained.

No two APIs behave exactly alike, so machine learning is crucial for modeling how each API behaves on its own, particularly in its requests and responses, Mattson pointed out.

“We apply a machine learning model to each and every API independently for itself, because we want to learn how that API is supposed to behave,” he said. “Where is it supposed to be talking? What kind of data is it supposed to be trafficking in all its facets? That way, we can model that activity and then identify the anomaly where there’s a misuse.”
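The per-API behavioral model Mattson describes above, and the dual-exposure posture finding he cited earlier (an API addressable from internal and external systems at once), can be illustrated with a simple statistical baseline. The following is an added example written for this page; it is not Noname's code and does not reproduce its machine learning models. It assumes a constructed record format (route template, source address, status, response size, top-level response keys), a /24 generalization of caller addresses, and a z-score band with a 10% floor as the size threshold; all of these are illustrative choices.

```python
"""Added example: one behavioural profile per API plus a dual-exposure posture check.

Each route template gets its own profile learned from observed traffic (who calls it,
which status codes and response fields it returns, how large responses are). Live
observations that deviate are scored, and routes seen from both RFC 1918 and public
caller networks are reported as dual-exposed. Record format and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress
import statistics

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def obs(api, src, status, resp_bytes, *fields):
    """Build one constructed observation; "api" is the route template, "fields" the reply's keys."""
    return {"api": api, "src": src, "status": status, "resp_bytes": resp_bytes, "fields": list(fields)}


# Constructed baseline observations (not real traffic).
BASELINE = [
    obs("GET /v1/invoices/{id}", "10.0.3.12", 200, 480, "id", "total", "customer_id"),
    obs("GET /v1/invoices/{id}", "10.0.3.15", 200, 500, "id", "total", "customer_id"),
    obs("GET /v1/invoices/{id}", "10.0.3.12", 200, 470, "id", "total", "customer_id"),
    obs("GET /v1/invoices/{id}", "10.0.3.20", 404, 510, "error"),
    obs("GET /v1/invoices/{id}", "10.0.3.15", 200, 490, "id", "total", "customer_id"),
    obs("POST /v1/login", "203.0.113.9", 200, 120, "token"),
    obs("POST /v1/login", "203.0.113.40", 200, 118, "token"),
    obs("POST /v1/login", "203.0.113.9", 401, 60, "error"),
    obs("POST /v1/login", "203.0.113.77", 200, 122, "token"),
    obs("GET /v1/health", "10.0.9.2", 200, 20, "ok"),
    obs("GET /v1/health", "203.0.113.40", 200, 20, "ok"),
]


@dataclass
class ApiProfile:
    networks: set = field(default_factory=set)   # caller networks (/24) seen
    statuses: set = field(default_factory=set)   # status codes seen
    fields: set = field(default_factory=set)     # response keys seen
    sizes: list = field(default_factory=list)    # response sizes in bytes


def caller_network(ip, prefix=24):
    """Generalise a source address to its /24 so a few observed hosts cover their subnet."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def learn(records):
    """Train one profile per API from baseline observations."""
    profiles = defaultdict(ApiProfile)
    for r in records:
        p = profiles[r["api"]]
        p.networks.add(caller_network(r["src"]))
        p.statuses.add(r["status"])
        p.fields.update(r["fields"])
        p.sizes.append(r["resp_bytes"])
    return dict(profiles)


def score(profile, r, z=3.0):
    """Return the list of ways one observation deviates from its API's profile."""
    findings = []
    net = caller_network(r["src"])
    if net not in profile.networks:
        findings.append(f"caller network {net} never seen before")
    unexpected = sorted(set(r["fields"]) - profile.fields)
    if unexpected:
        findings.append(f"response carries unexpected fields {unexpected}")
    if r["status"] not in profile.statuses:
        findings.append(f"status {r['status']} never seen before")
    mean, sd = statistics.mean(profile.sizes), statistics.pstdev(profile.sizes)
    # z-score band; the 10% floor keeps a constant-size baseline (sd == 0) from alerting on noise
    if abs(r["resp_bytes"] - mean) > max(z * sd, 0.1 * mean):
        findings.append(f"response size {r['resp_bytes']} outside band around {mean:.0f}")
    return findings


def detect(profiles, records):
    """Score live observations; routes absent from the learned inventory are reported as unknown."""
    alerts = []
    for r in records:
        profile = profiles.get(r["api"])
        if profile is None:
            alerts.append((r["api"], ["unknown API: not in the learned inventory"]))
            continue
        findings = score(profile, r)
        if findings:
            alerts.append((r["api"], findings))
    return alerts


def dual_exposed(profiles):
    """Posture check: APIs observed from both RFC 1918 and non-RFC 1918 caller networks."""
    def internal(net):
        return any(ipaddress.ip_network(net).subnet_of(block) for block in RFC1918)
    return sorted(api for api, p in profiles.items()
                  if {internal(n) for n in p.networks} == {True, False})


# Constructed live observations to score against the baseline.
LIVE = [
    obs("GET /v1/invoices/{id}", "10.0.3.40", 200, 505, "id", "total", "customer_id"),
    obs("GET /v1/invoices/{id}", "198.51.100.7", 200, 9800, "id", "total", "customer_id", "ssn"),
    obs("DELETE /v1/users/{id}", "198.51.100.7", 200, 2),
    obs("POST /v1/login", "203.0.113.55", 200, 121, "token"),
]


def run():
    profiles = learn(BASELINE)
    return detect(profiles, LIVE), dual_exposed(profiles)


if __name__ == "__main__":
    alerts, exposed = run()
    for api, findings in alerts:
        print(api, "->", "; ".join(findings))
    print("dual-exposed:", exposed)
```

Running it flags the invoice read from an unfamiliar public network on three counts (new caller network, an `ssn` field the API never returned before, and a response twenty times the usual size), reports the `DELETE /v1/users/{id}` call as an API missing from the learned inventory, and lists `GET /v1/health` as reachable from both internal and external networks, while the in-profile invoice and login requests produce no findings. A real platform would learn far richer features than these four; the point is that each route gets its own model rather than one global rule set.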

Mattson will provide more security analysis during the upcoming AWS Startup Showcase event, airing on Sept. 7.

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the AWS re:Inforce event:

(* Disclosure: Noname Security sponsored this segment of theCUBE. Neither Noname nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
