Introducing API Security in Postman v10
Nearly every organization today uses APIs, and Postman’s 2022 State of the API report shows that 26% more collections and 32% more requests were created last year than in the previous year. These numbers are only expected to grow, with 89% of survey respondents anticipating their investment in APIs to increase or stay the same in the coming year.
The widespread adoption of APIs has created a significant blind spot when it comes to managing and securing APIs, and this trend is reflected in several other industry reports. For instance, a Gartner report indicates that API security has become a top concern for engineering leaders, as a significant portion of security incidents in 2021 were caused by insecure APIs. Additionally, 41% of respondents who were featured in a recent report by 451 Research acknowledged that they had faced security breaches via APIs in the past year. Another industry report highlights that 34% of respondents cite the lack of an API security strategy as a reason they are unprepared for API security attacks.
Using Postman to focus on API Security
As APIs emerge as a major surface area for attacks, it is increasingly important for organizations to invest in tooling to improve the security of their APIs. The Open Web Application Security Project now has a dedicated OWASP top 10 project for APIs (launched in 2019), which provides a framework for evaluating API security. With the launch of Postman v10, the Postman API Platform now includes new features, based on and extending the OWASP API top 10, to help you devise an API security initiative that can be adopted by security teams and developers alike. These new features enable organizations to provide clear security guidelines to developers on the same platform that they use to design, build, test, and deploy their APIs.
Security rules for your team
Postman now provides a list of configurable security rules for Postman Enterprise teams, which can be accessed from the Postman home page. These rules, which are based on the OWASP API top 10 rules, will help you get started with your API security initiative. You can choose the security rules you’d like enforced on API definitions and requests:
Postman enables a set of OWASP top 10 API security rules for your API definitions and requests by default. Admins in your Postman team can enable or disable these rules:
If none of the default security rules correspond to the security control you’d like to implement, you can define additional rules for API definitions according to Spectral guidelines and import them into the Postman API Platform:
Adding API Security to your existing workflows
Workspaces are where developers spend most of their time in Postman. With these new API Security features, developers don’t have to change systems, workflows, or tools to ensure they are following their organization’s prescribed security policies. Instead, the checks are incorporated into their existing development workflow, enabling them to be more productive and confident.
Security for API definitions
Collaborators who are designing APIs and working on API definitions need early feedback on their API’s security posture. With the Postman Enterprise plan, you can use the Rule violations tab to view each security violation, along with its severity.
Each security violation that corresponds to a default security rule also contains a reference to the Postman Learning Center, explaining the impact of the violation and possible ways to remedy it:
There might be cases in which some security rules are not necessary for specific APIs. For instance, APIs that facilitate certain business workflows might not need as strict security controls as APIs that interact with sensitive data. Postman solves this problem by enabling users to hide any security rule violation—and choose a reason for hiding it:
Once a violation is hidden, Postman will no longer highlight that violation for any future updates to the API. However, collaborators will still be able to see hidden violations by using the Review hidden violations link. If the API evolves to a point where a previously hidden violation needs to be enforced, you can unhide it from this list:
Security for API requests
The Postman API Platform also highlights security warnings for collection requests that deviate from the security rules configured for your team. You can access a list of these security warnings by switching to the Security tab in the API response section on Postman.
As with security rule violations for API definitions, each security warning is accompanied by a Postman Learning Center reference to help you get a head start in resolving the issue:
Some security rules that are broadly relevant are not necessary for a particular request, so security warnings for requests can also be hidden (just like security warnings for API definitions):
As with warnings for API definitions, any collaborators on the request can review and unhide the hidden warnings if the security needs of your collection change:
Integrating security validations with CI/CD
The workflows mentioned above help improve your security posture, but they’re only one part of the story. Even if your tooling is integrated into development, Postman warnings and violations might still be missed. We’ve solved this problem by making it easy for Enterprise teams to automate security rule checks for API definitions at the CI/CD build stage. To do so, configure Postman CLI for the respective API, and be sure to tick the Security and Governance rules box on the Configure Postman CLI page:
You can then add the snippet shown above to your CI/CD build configuration. Once you’ve completed this setup process, Postman CLI will check the API definition that corresponds to every CI/CD build against the security rules configured for your team.
After a build run occurs, you will also be able to see any security rule violations in Postman:
Postman integrates with your current API development workflows to help you increase security, but you need to measure success to verify improvements. For instance, top-down reporting is necessary to identify key insights, such as:
- Are the configured security rules being enforced effectively?
- What are the different problem areas in an API’s security posture?
- Which APIs or security concerns need to be tackled first?
This information is important for engineering and business leaders to improve their API landscape. Reports provided to Postman Enterprise teams are well-positioned to serve this need, and we have planned upcoming feature releases for additional support.
The Postman API Platform provides a way for organizations to implement a comprehensive API security policy. You can choose to start with the set of rules that Postman provides, or add your own proprietary rules. Check out the Postman Security public workspace for more resources around securing your API lifecycle and building better and more secure APIs. As always, feel free to share your thoughts on this topic in the comments below.
Sign up here for early access to API Security, or schedule a time with us to learn more. If your organization is interested in learning more about how to adopt Postman enterprise-wide, talk to our sales team.
What do you think about this topic? Tell us in a comment below.