Daria Chadwick

Addressing API Vulnerabilities in 2022: Part III

ICYMI: Get caught up on Part I and Part II

PART 3: Implementing a more reliable, strategic approach to API Remediation


Given the priorities of the software development team and the constant pressure they face to generate new code, placing the burden of API remediation completely on their shoulders may not move the needle in a significant way. The remediation work will always be competing with development.


On the other hand, with the right amount of support, oversight, and planning, the remediation workload can be prioritized and spread out over a period of time that balances risk against cost, and that approach can then be replicated across multiple development teams.


To achieve the necessary level of collaboration, it has proven beneficial to establish a central, organized program effort rather than an ad-hoc one.


The Program Office


A program ties together all related work, making a program office a collective set of resources designed to facilitate this work. The program office contains individuals with a diverse set of skills and backgrounds that can be called upon at various stages of the program lifecycle.


With representation from major stakeholders, the program office would be in a position to define standards, set goals and assign tasks around API Remediation.


The office would also become the focal point for communication and collaboration efforts.


It is worth noting that resources from each department will not need to be assigned a full-time responsibility towards this effort.


In a RACI matrix (Responsible, Accountable, Consulted, Informed), most stakeholders will not hold the Responsible or Accountable role; they will instead be informed about or consulted on the tasks at hand.


Stakeholders

CISO

Defines strategy and ensures the strategy aligns with the organization's goals; works with stakeholders to implement this strategy


CIO

Collaborates with executive leadership to set standards and goals; communicates objectives across the organization

Software Engineering

Implements key security controls; implements standards; maintains performance; maintains backlogs and sets priorities


Cybersecurity and Risk Teams

Works with the CISO to implement cybersecurity monitoring capabilities; develops a reporting structure to identify risk; develops standards


Infrastructure & Operations

Supports site reliability engineering efforts; maintains configuration standards; develops a hybrid-cloud support capability


Enterprise Architecture

Defines and manages the enterprise architecture; ensures the use of information technology fits the organization's goals





The Need For: Command and Control

A Program Office enables the organization to do two things: first, reduce the threat caused by unsecured APIs, and second, implement controls and oversight mechanisms to prevent similar situations from reoccurring in the future.


The command and control capability should have three core components: definition, transparency, and operational support.


Definition


The success of the program office is based on the attainment of realistic goals coupled with the appropriate amount of executive sponsorship. The command and control structure must operate within this mandate and therefore rely on the definition of these goals, the identification of key metrics, and clearly defined roles and responsibilities.


In addition, the program office will be responsible for defining standards that will be required to classify APIs according to risk, quality, usage and type. From a planning perspective, the program office will be responsible for defining and communicating key deadlines and milestones.


Transparency


Another important function of the program office is to provide the organization with the necessary transparency and insight into the current state of the overall remediation effort. To create real transparency, the program office should be able to provide the following:


  • A single inventory of all of the APIs that fall within scope of this effort

  • Executive, summary-level dashboards that provide insight into the current state, and display progress towards the organization's goals, broken down by owner and department

  • Department level dashboards

  • Survey, classification and assessment progress dashboards

  • Troubleshooting and administrative dashboards

  • Daily tracking and aging reports that show the classification efforts for all new APIs

  • Detailed API Report Cards

  • Current program office backlog

  • The capture and identification of shadow APIs

  • Integration with the broader ecosystem (platforms such as gateways, log analytics, project tracking systems, etc.)


Operational Support


Given the scale and potential impact of the effort, it is critical that the program office provide a high degree of operational support. Implementing process change requires careful planning, guidance and transparency.


Effective communication is also vital. The program office will need to conduct ongoing outreach campaigns and will often need to communicate directly with individual stakeholders.


Those impacted or involved with this effort will need a central place to go for information. It will be the responsibility of the program office to educate the organization on where to go to find information and to keep this information up-to-date.


Lastly, from a helpdesk perspective, the program office will need to offer support channels such as office hours and periodic training events.


The Need For: Central Data Platform


The data required to support the remediation effort will likely come from multiple, disconnected systems. Data will need to be collected from these systems and stored in a central repository on an ongoing basis.


There will be data assets that are manipulated manually, often in a side database or a spreadsheet. These critical data assets will need to be brought in and managed alongside the operational data as the use of these ad-hoc approaches can have a detrimental effect on transparency and data confidence.


Platform Requirements


  • Leverages a flexible data model as reporting needs may change over time. Rigid, table-based approaches are not recommended

  • Can extract data from core systems in an automated fashion and map the inbound data to a central data model

  • Must account for poor quality data and therefore must support efforts to remediate quality issues

  • Must have a frontend that supports data collection. Surveys, feedback, status updates, attestation efforts will require a user to fill out a form

  • Must be able to blend data from multiple systems that may not have a common key

  • Must support interactive dashboards and visualizations that a) do not require per-user licenses and b) support forms
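The blending requirement above is the one that trips up most inventory efforts in practice: a gateway export, a team spreadsheet and access logs each describe the same API in a different shape, so there is no shared key to join on. The example below is an added illustration, not code from the original post or from ReactFirst. It assumes hypothetical, constructed inputs (a gateway route export, a hand-maintained risk spreadsheet and a simple access-log format) and shows one way to derive a join key by normalizing each route into a template, then uses the merged record to surface shadow APIs (observed in traffic but never declared) and an aging report for declared routes that have not yet been risk-classified.

```python
"""Blend API inventory data from three disconnected sources into one record
per route. Every input here is constructed sample data with hypothetical
names; it is not taken from any real gateway, spreadsheet or log system."""
import re
from datetime import date

# --- constructed sample inputs -------------------------------------------
GATEWAY_EXPORT = [  # what the gateway says is declared (hypothetical format)
    {"route": "/v1/users/{id}", "owner": "identity-team", "registered": "2022-01-15"},
    {"route": "/v1/orders/{orderId}/items", "owner": "commerce-team", "registered": "2022-03-28"},
    {"route": "/v1/health/", "owner": "platform-team", "registered": "2021-11-02"},
]
RISK_SHEET = [  # a side spreadsheet with its own path conventions
    {"API": "Users", "Path": "v1/users/:id", "Risk": "high"},
    {"API": "Health", "Path": "/V1/Health", "Risk": "low"},
]
ACCESS_LOG = """\
2022-04-10T08:12:33Z GET /v1/users/42 200
2022-04-10T08:12:35Z GET /v1/orders/77/items?page=2 200
2022-04-10T08:13:01Z POST /v1/admin/export 200
2022-04-10T08:13:09Z GET /v1/users/7f9c2a4e-1b3d-4c5e-9f8a-0b1c2d3e4f5a 200
2022-04-10T08:14:00Z GET /v1/admin/export 403
"""

_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
_TEMPLATE = re.compile(r"^(\{.*\}|:.+)$")  # {id}, {orderId}, :id style placeholders
_LOG = re.compile(r"^(\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")


def normalize_route(path: str) -> str:
    """Turn any spelling of a route into a canonical template used as the join key:
    strip query string and trailing slash, lowercase, and collapse path parameters
    (placeholders, integers, UUIDs) into '{param}'."""
    path = path.split("?", 1)[0].strip().lower()
    segments = []
    for seg in path.strip("/").split("/"):
        if not seg:
            continue
        if seg.isdigit() or _UUID.match(seg) or _TEMPLATE.match(seg):
            segments.append("{param}")
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def parse_log_line(line: str):
    """Parse one access-log line of the constructed format; None if it does not match."""
    m = _LOG.match(line.strip())
    if not m:
        return None
    ts, method, path, status = m.groups()
    return {"ts": ts, "method": method, "route": normalize_route(path), "status": int(status)}


def build_inventory(gateway_rows, sheet_rows, log_text, today_iso: str) -> dict:
    """Merge all sources on the normalized route and derive the program-office fields."""
    today = date.fromisoformat(today_iso)
    inv: dict = {}

    def rec(route):
        return inv.setdefault(route, {"declared": False, "owner": None, "risk": None,
                                      "registered": None, "calls": 0, "methods": set()})

    for row in gateway_rows:  # declared surface
        r = rec(normalize_route(row["route"]))
        r.update(declared=True, owner=row["owner"], registered=date.fromisoformat(row["registered"]))
    for row in sheet_rows:  # manual classification, brought under the same key
        rec(normalize_route(row["Path"]))["risk"] = row["Risk"].lower()
    for line in log_text.splitlines():  # observed surface
        hit = parse_log_line(line)
        if hit is None:
            continue  # tolerate poor-quality rows instead of aborting the load
        r = rec(hit["route"])
        r["calls"] += 1
        r["methods"].add(hit["method"])
    for r in inv.values():
        # shadow API: traffic exists for a route nobody declared
        r["shadow"] = (not r["declared"]) and r["calls"] > 0
        # aging: declared routes still missing a risk classification
        r["unclassified_days"] = ((today - r["registered"]).days
                                  if r["declared"] and r["risk"] is None else None)
    return inv


def shadow_apis(inv: dict) -> list:
    return sorted(route for route, r in inv.items() if r["shadow"])


def aging_report(inv: dict) -> list:
    """(route, days since registration) for declared routes with no risk rating, oldest first."""
    rows = [(route, r["unclassified_days"]) for route, r in inv.items()
            if r["unclassified_days"] is not None]
    return sorted(rows, key=lambda x: -x[1])


if __name__ == "__main__":
    inventory = build_inventory(GATEWAY_EXPORT, RISK_SHEET, ACCESS_LOG, "2022-04-11")
    print("shadow APIs:", shadow_apis(inventory))
    print("unclassified (route, days):", aging_report(inventory))
```

The design choice worth copying is that the normalized template is the only key the platform ever joins on, so a new source (a second gateway, a WAF log, a ticket export) only needs a path-to-template mapping to participate; the raw spellings are never compared directly. In real traffic the parameter heuristics will need extending (slugs, base64 identifiers, versioned prefixes), and a route that normalizes wrongly shows up as a spurious shadow API, which is itself a useful data-quality signal to surface on the troubleshooting dashboard.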



Platform Architecture



Recommendations


Depending on the scope and scale of an organization's API environment, implementing a more strategic approach to API Remediation by way of a Program Office may be a logical, sensible next step given the current circumstances around API Security vulnerabilities.


How do you determine whether a program is right for your organization?



  1. When your organization supports a large number of APIs and a large amount of legacy code. Under these conditions it is likely that a significant number of API vulnerabilities already exist and will continue to grow in number.

  2. When your organization has a limited amount of resources it can fully dedicate to the remediation effort. Working with a third party can help fill these potential skill gaps, providing the necessary resources to staff the remediation effort. A team of experts works alongside the organization to help accelerate the remediation process, and can be scaled up or down as needed.

  3. When your organization already has a program in place - especially one generated internally. In this instance, it would be beneficial to have a second set of resources on hand to accelerate and improve the effort further.

  4. When time is of the essence. Failing to act quickly and efficiently carries a significant cost of inaction, including immediate and long-tail financial losses, loss of productivity, reputation damage, legal liability, and business continuity problems.


Security is an ongoing process. As the API-Economy grows, API remediation will remain a critical effort in lowering overall cybersecurity risk. Contact us for an introductory call to learn whether ReactFirst is the right move for your organization.



Introducing ReactFirst: Security for the new API Economy and the pace of modern business. ReactFirst is an award-winning, comprehensive API threat remediation solution that goes beyond technology to help minimize the threat caused by API security vulnerabilities. Learn more at reactfirst.io