Telecom solves data breach with API security
According to Akamai, approximately 83% of website traffic is API traffic. With such a high volume, exploits and data leakage are inevitable. Without shifting left, establishing effective practices and implementing repeatable frameworks for API security, organizations will continue to see large-scale breaches. One major telecom company in the U.S. was no exception.
After experiencing regular incidents of attempted attacks, the telecom was at risk of both PR and legal damage due to lax API security. Several issues were holding them back from a more rigorous approach:
- Ineffective implementation of well-understood practices.
- Limited API categorization and risk oversight.
- Lack of KPIs to support sustainable outcomes.
PK performed an assessment of the telecom’s current API practice to identify areas of improvement and provide a roadmap to more robust security practices.
While the client evidenced a high maturity in design standards and was able to achieve an accelerated release velocity, the telecom struggled with both breadth and granularity when it came to security. Their evaluation techniques were limited in scope, resulting in risks when it came to API security.
PK instituted our proprietary 88-point evaluation protocol and conducted stress tests on over 18,000 APIs. The APIs were banded into risk levels and cataloged according to remediation priority, enabling us to immediately reduce the attack footprint by blocking 30 APIs that evidenced serious exposure. PK also participated in security incidents related to anomalous traffic patterns and the client’s D2C mobile app, and engaged in penetration testing and remediation.
Currently, PK is working to extend the delivery pipeline through a CI/CD development model. Goals for the engagement include an entire automation workstream with automated checks, code inspection and API contract review. To best support the security of 18,000 APIs, automation will be critical for the telecom moving forward.
As Apigee’s 2019 America’s Partner of the Year, we have a proven approach to enabling their API tools to create security at the edge. By implementing Apigee, we were able to better unlock the business value of the telecom’s portfolio of APIs. Apigee’s unique value add of easy API productization has directly improved the client’s agility and their cost savings.