Securing Open-Source Apps with API Scans and Observability
Businesses building applications have always made great use of open-source software. The move to cloud-native applications, use of low code development, and embracement of composable architectures have made open-source use even more pervasive. As such, businesses need a way to ensure the composite apps are reliable, perform well, and meet robust security requirements.
Testing and ensuring that open-source applications have these enterprise-class characteristics requires a shift in thinking. Traditional tools often only evaluate characteristics of specific programs, or produce so much telemetric, log, and traces that it is hard to spot problems. Compounding the difficulties with traditional approaches is the fact that modern apps, which are frequently built by connecting loosely-coupled elements, mask interdependencies that might lead to performance or security problems.
Start with API scanning and discovery
Modern businesses are operating in an API-centric world. Whether using microservices, composable elements, or low-code platforms, open-source applications are built by exposing data and processes to other elements via APIs.
One problem is that in the past, APIs were designed so that applications and application components could communicate with each other over a secure private (company-owned and managed) network. Now, the trend is to make company-built applications and services available via APIs to third parties (e.g., customers, partners, and suppliers) over public networks.
Subsequently, the APIs offer outsiders a direct entry point to a company’s applications and data if they are not properly secured. While it may seem a straightforward matter to simply secure all APIs, problems can easily arise. First, companies are likely dealing with hundreds or thousands of different APIs, all developed over many years. Each was built with a specific purpose in mind, and each was secured for the environment in which it was intended to run. Using the same APIs in open environments on public networks opens up different security issues.
The best way to keep on top of matters is for a company to first know what it is dealing with. That can be accomplished by using tools or a solution that discovers all APIs in a complex distributed application. Next, developers need insights into how those APIs are working. They must routinely conduct API scans at every stage of an open-source application’s development lifecycle. So, a suitable solution will both help discover APIs, know when they change and provide insights into which services talk to each other.
Gaining insights into API interactions
Developers and IT staff have relied on monitoring for years as a common way to deal with application performance and security problems. However, monitoring can sometimes be a bit passive for modern business environments.
When employing monitoring, DevOps collects and analyzes data to keep applications running smoothly. Monitoring basically finds problems after they have happened. In a typical setup, a monitoring solution would send alerts when a problem has occurred. For example, when an application passes a low-performance threshold or there is suspicious activity such as a large volume of data being shared.
In contrast, observability uses logs, metrics, and distributed traces collected by monitoring an application to help understand what is happening. Observability focuses more on understanding why problems occur versus monitoring, which identifies the existence of the problems.
Observability solutions most often use sophisticated analytics and, in some cases, artificial intelligence to make inferences about the data they collect. Ideally, an observability solution for open-source applications would help explain what’s happening within the system and offer actionable insights to maintain or improve the application’s performance or security.
Another prong in the arsenal to help bulletproof open-source applications is traceability, a critical part of observability. And specifically, what’s needed is distributed tracing, which is a way to monitor applications. Distributed tracing lets DevOps follow the results of transactions or requests as they work their way through an application’s elements.
An ideal solution would enable distributed tracing that collects all application communications across API gateways, load balancers, proxies, Kubernetes clusters, service meshes, VM’s, and containers, and within application components too. Such capabilities can significantly reduce the time IT or DevOps spends troubleshooting issues within applications and systems.
An API-centric approach to open-source app security
In today’s API-centric open-source application world, developers need to understand how the various elements of their applications work together. From a security aspect, that means focusing on the APIs themselves. What’s needed is a solution that helps a developer discover all APIs, including shadow APIs. Such information can help developers be aware of changes and risks. And ideally, developers will use this knowledge of the treats in their applications to improve code and API security.