According to Akamai, approximately 83% of website traffic is API traffic. With such a high volume, exploits and data leakage are inevitable. Without shifting left, establishing effective practices and implementing repeatable frameworks for API security, organizations will continue to see large-scale breaches. One major telecom company in the U.S. was no exception.
After experiencing regular attempted attacks, the telecom was at risk of both PR and legal damage due to lax API security. Several issues were holding them back from a more rigorous approach:
- Ineffective implementation of well-understood practices.
- Limited API categorization and risk oversight.
- Lack of KPIs to support sustainable outcomes.
Concentrix Catalyst performed an assessment of the telecom’s current API practice to identify areas of improvement and provide a roadmap to more robust security practices.
While the client evidenced a high maturity in design standards and was able to achieve an accelerated release velocity, the telecom struggled with both breadth and granularity when it came to security. Their evaluation techniques were limited in scope, resulting in risks when it came to API security.
Catalyst instituted our proprietary 88-point evaluation protocol and conducted stress tests on thousands of APIs. The APIs were banded into risk levels and cataloged according to remediation priority, enabling us to immediately reduce the attack footprint by blocking a number of APIs that evidenced serious exposure. Catalyst also participated in security incidents related to anomalous traffic patterns and the client’s D2C mobile app, and engaged in penetration testing and remediation.
Currently, Catalyst is working to extend the delivery pipeline through a CI/CD development model. Goals for the engagement include an entire automation workstream with automated checks, code inspection and API contract review. To best support the security of thousands of APIs, automation will be critical for the telecom moving forward.
As Apigee’s 2019 America’s Partner of the Year, we have a proven approach to enabling their API tools to create security at the edge. By implementing Apigee, we were able to better unlock the business value of the telecom’s portfolio of APIs. Apigee’s unique value add of easy API productization has directly improved the client’s agility and their cost savings.
Find out which of your APIs are at risk and what steps you can take to protect your company’s data.