By Holger Schulze, Cybersecurity Insiders

As the proliferation of APIs continues unabated, the importance of robust API security measures cannot be overstated. In a recent interview, Richard Bird, Chief Security Officer at Traceable AI, offered valuable insights into the increasing risks associated with APIs and how companies can defend against these threats.

The Escalating API Security Challenge

In Bird’s view, the rise of APIs, and with them, the security risk exposure, is linked to a number of factors. Firstly, the digital transformation efforts of organizations have led to the widespread adoption of APIs to enable seamless interactions between different software applications. This, coupled with the increasing use of cloud services and microservices architectures, has led to an explosion in the number of APIs in recent years, thereby significantly expanding the attack surface for potential cyber threats. At the same time, APIs have in the past not received the same attention from security teams and product vendors as other aspects of IT environments, leaving APIs vulnerable to innovative attacks.

Types of API Attacks

APIs, by nature, expose application functionality and data, which makes them an enticing target for cyber attackers. Several types of attacks target APIs, including:

  1. Injection Attacks: These occur when an attacker sends malicious data as part of a command or query, tricking the interpreter into executing unintended commands or accessing unauthorized data. SQL Injection is a notable example of this type.
  2. Broken Authentication: APIs that don’t properly enforce authentication can allow attackers to impersonate other users or even gain administrative privileges.
  3. Sensitive Data Exposure: APIs may inadvertently expose sensitive information like personal identifiers, financial information, or security credentials, which can be exploited by attackers.
  4. Security Misconfiguration: Poorly configured security settings for APIs can leave them vulnerable to attackers who can exploit the defaults left in place.
  5. Mass Assignment: APIs that bind client-provided data (like JSON request payloads) directly to data models may inadvertently expose any properties not explicitly listed in a binding exclusion list.
  6. Broken Access Control: APIs must properly validate users’ permissions before granting them access to data. Failure to do so can allow unauthorized access to sensitive data.
  7. Server-Side Request Forgery (SSRF): These attacks trick the server into making requests it didn’t intend to, possibly bypassing access controls and gaining access to internal resources.
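Two of the weaknesses in the list above, mass assignment (5) and broken access control (6), are easiest to recognise in code. The following is an added example, not code from the article, from Traceable AI or from any other vendor: a framework-free update handler over an in-memory user store (the store, user fields and field names are all constructed for illustration), first in the vulnerable form and then hardened with an explicit allow-list of client-writable fields and an ownership check.

```python
"""Mass assignment and broken access control, shown vulnerable and hardened.

Added example over a constructed in-memory user store; not code from the
article or from any vendor platform.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False      # server-controlled: clients must never set this
    balance_cents: int = 0      # server-controlled


class Forbidden(Exception):
    """The caller is not allowed to act on the target object."""


def make_store() -> dict[int, User]:
    """Constructed sample data; a fresh copy per call keeps runs independent."""
    return {
        1: User(1, "alice@example.com", "Alice"),
        2: User(2, "bob@example.com", "Bob"),
    }


# VULNERABLE on purpose: every key in the JSON body is bound straight onto the
# model (mass assignment), and the target id taken from the URL is trusted
# without checking that the caller owns it (broken object-level access control).
def update_user_vulnerable(store: dict[int, User], caller_id: int,
                           target_id: int, payload: dict) -> User:
    user = store[target_id]
    for key, value in payload.items():
        setattr(user, key, value)
    return user


# Hardened: only fields on this allow-list may come from the client. Anything
# else is rejected outright rather than silently dropped, so tampering shows up
# as a 4xx in the access log instead of disappearing.
CLIENT_WRITABLE = frozenset({"email", "display_name"})


def update_user_hardened(store: dict[int, User], caller_id: int,
                         target_id: int, payload: dict) -> User:
    caller = store[caller_id]
    # Object-level authorisation: a user may edit only their own record unless
    # the server-side role says otherwise.
    if caller_id != target_id and not caller.is_admin:
        raise Forbidden(f"user {caller_id} may not modify user {target_id}")
    unexpected = set(payload) - CLIENT_WRITABLE
    if unexpected:
        raise ValueError(f"fields not writable by clients: {sorted(unexpected)}")
    # Basic type validation on the fields we do accept.
    for key, value in payload.items():
        if not isinstance(value, str) or not value:
            raise ValueError(f"field {key!r} must be a non-empty string")
    user = store[target_id]
    for key, value in payload.items():
        setattr(user, key, value)
    return user


if __name__ == "__main__":
    tampered = {"display_name": "Mallory", "is_admin": True, "balance_cents": 10**9}
    victim = update_user_vulnerable(make_store(), caller_id=2, target_id=1, payload=tampered)
    print("vulnerable handler produced:", victim)
    for args in ((2, 1, {"display_name": "Mallory"}), (1, 1, tampered)):
        try:
            update_user_hardened(make_store(), *args)
        except (Forbidden, ValueError) as exc:
            print("hardened handler rejected:", exc)
```

The two checks are independent: the allow-list stops privilege fields from being written even by the record's legitimate owner, and the ownership check stops a legitimate field from being written on someone else's record. Both need to hold on every mutating endpoint, not only on the obvious ones.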

Each of these attacks presents a significant threat to APIs and the applications and data behind them, and it’s essential for organizations to use a robust API security solution, like Traceable AI, to protect against these common API vulnerabilities and threat vectors.

The Impact of API Attacks

The consequences of API attacks can be severe. From data breaches to service disruptions, the impact on an organization’s reputation, operations, and bottom line can be significant. As Richard Bird pointedly noted, “When APIs are attacked, it’s not just about data being lost. It’s about trust being eroded, it’s about operations being hindered.”

The Limitations of Traditional Security Tools

Traditional security tools and techniques often fall short in protecting against API attacks, primarily because they were not designed to deal with the unique challenges that APIs present. In many instances, these tools lack the necessary visibility into API-related traffic and cannot adequately track or analyze API behavior. This leaves organizations vulnerable to attacks.

Stopping API Attacks with Traceable AI

In the complex and continuously evolving landscape of API security, solutions like Traceable AI stand out. This platform combines end-to-end distributed tracing, cloud-native integrations, and advanced machine learning-driven behavioral analytics to deliver API and application security from user to code. Furthermore, it offers robust protection capabilities, with automatic detection and blocking of both known and unknown API attacks.

One notable feature of Traceable AI is its dynamic API catalog. This provides automatic and continuous API discovery, giving security teams comprehensive visibility of all APIs, sensitive data, and risk posture, even in rapidly changing environments. Coupled with real-time topology maps showing API flows and interconnectivity between services, businesses are offered accurate insights into actual application usage and infrastructure vulnerabilities.

API Security Testing for Proactive Threat Mitigation

Beyond protection, Traceable AI is designed for proactive threat mitigation. Its API Security Testing (AST) enables businesses to test their APIs against various vulnerabilities and security gaps before deployment in a production environment. This not only helps in prioritizing threats but also aids in building resilient systems.

Navigating the Complexities of API Security

With API attacks becoming increasingly sophisticated, it is paramount for organizations to have a deep understanding of their API environment and the potential vulnerabilities that exist. Traceable AI provides this understanding through a range of features designed to provide in-depth visibility, protection, and testing. As Bird summarized, “Traceable AI is focused on providing customers with the visibility and control they need to manage their APIs effectively and protect their digital assets.”

Best Practices for Robust API Protection

To help organizations strengthen their defenses, here are best practices for enhancing API security, incorporating the effective use of API security platforms such as Traceable.

  • API Security by Design: It is essential to integrate security from the initial stages of API design and development. This includes defining proper authorization and authentication protocols, ensuring data validation, and incorporating the least privilege principle.
  • Inventory APIs: To mitigate the risk of unsecured APIs, it’s essential to have a complete inventory of all the APIs deployed in your organization. This includes knowing what they do, who has access to them, and how they interact with other elements in your system. Automated platforms can assist in this task, offering tools for automatic and continuous API discovery, providing comprehensive visibility into your API landscape.
  • API Monitoring and Anomaly Detection: Use AI-powered tools to monitor API usage continually. These tools can identify unusual patterns and potential threats based on machine learning algorithms. This proactive monitoring is key to preventing attacks before they cause damage.
  • Encryption and Data Protection: Encrypt all data in transit using HTTPS to maintain data confidentiality and integrity. Additionally, validate all data passing through your APIs to prevent injections and data leaks.
  • Regular Security Testing: Conduct regular security testing, including vulnerability assessments and penetration testing. Platforms like Traceable offer API Security Testing (AST) features that can test your APIs against various vulnerabilities and security gaps before deployment.
  • Rate Limiting and DoS Protection: Implement rate limiting to prevent Denial of Service (DoS) attacks or brute force attempts on your APIs. Tools like Traceable also offer DDoS protection by rate-limiting the number of requests to your APIs.
  • Continuous Training and Education: Regularly update your teams on the best practices in API security. It’s essential to stay informed about the latest security risks and how to avoid them. Empower your development and security teams with the knowledge they need to build secure APIs from the ground up.
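The rate-limiting practice above is usually implemented as a token bucket keyed per client. The following is an added example, not code from the article, from Traceable or from any vendor product: a small per-key token-bucket limiter with an injectable clock so its behaviour can be checked deterministically. The capacity, refill rate, client keys and the `cost` parameter are assumptions chosen for illustration.

```python
"""Per-client token-bucket rate limiter.

Added example for the 'Rate Limiting and DoS Protection' practice; not code
from the article or from any vendor. Capacity, refill rate and keys are
constructed values.
"""
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # tokens currently available
    last: float     # clock reading at the last refill


class RateLimiter:
    """Token bucket per key. A key is an API key, user id or, failing those, a
    source address; limiting per authenticated principal is preferable, since
    per-IP limits alone miss clients that rotate addresses."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self.buckets: dict[str, Bucket] = {}

    def _refill(self, key: str) -> Bucket:
        now = self.clock()
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(tokens=float(self.capacity), last=now)
        # Add tokens in proportion to elapsed time, never beyond capacity.
        b.tokens = min(float(self.capacity), b.tokens + (now - b.last) * self.refill)
        b.last = now
        return b

    def allow(self, key: str, cost: float = 1.0) -> bool:
        """Return True and consume `cost` tokens if the call may proceed.
        Expensive or sensitive endpoints (e.g. login) can pass a higher cost."""
        b = self._refill(key)
        if b.tokens >= cost:
            b.tokens -= cost
            return True
        return False

    def retry_after(self, key: str, cost: float = 1.0) -> float:
        """Seconds until `cost` tokens will be available; 0 if they already are.
        Suitable for a Retry-After header on the 429 response."""
        b = self._refill(key)
        if b.tokens >= cost:
            return 0.0
        return (cost - b.tokens) / self.refill


class FakeClock:
    """Deterministic clock for the demonstration below."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def burst_outcomes(n: int, capacity: int = 5, refill_per_sec: float = 1.0) -> list[bool]:
    """Outcomes of `n` back-to-back calls from one client with no time passing:
    the first `capacity` are allowed, the rest are rejected."""
    limiter = RateLimiter(capacity, refill_per_sec, clock=FakeClock(1000.0))
    return [limiter.allow("client-203.0.113.7") for _ in range(n)]


if __name__ == "__main__":
    clk = FakeClock(1000.0)
    rl = RateLimiter(capacity=5, refill_per_sec=1.0, clock=clk)
    print("burst:", [rl.allow("client-A") for _ in range(8)])
    print("retry after:", rl.retry_after("client-A"), "s")
    clk.advance(2.0)
    print("after 2 s:", [rl.allow("client-A") for _ in range(3)])
```

In production the bucket state lives in a shared store (such as a cache shared by all API gateway instances) rather than in process memory, and the limit is returned to the client as a 429 with `Retry-After` so well-behaved clients back off instead of retrying immediately.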

Conclusion

API security is a complex and evolving challenge that requires a sophisticated and adaptable approach. The insights shared by Richard Bird underline the importance of adopting advanced solutions like Traceable AI that can provide comprehensive visibility, robust protection, and proactive testing capabilities. As the number of APIs continues to grow, so too does the need for effective API security measures. Organizations that take the time and resources to understand and address this risk will be better positioned to protect their operations and maintain the trust of their customers in the digital age.

The post Advancing API Security: An Interview with Richard Bird of Traceable AI appeared first on Cybersecurity Insiders.

Cequence Security is pioneering innovation in the API security space, and Subbu Iyer, the company’s VP of Product Management, provided a comprehensive understanding of the company’s approach during a recent conversation. His insights offer a fresh perspective on how organizations can safeguard their API footprint against increasingly sophisticated cyber threats.

Understanding the API Security Lifecycle

API security is not a singular problem, but rather a spectrum of concerns that span the entire API security lifecycle. In most cases, organizations begin by addressing immediate pain points such as threat protection, often following an experienced attack, and then gradually move towards a more comprehensive API security posture.

In Cequence’s model, this is a common use case, especially if an organization realizes that it is under attack and wants to put in immediate defense mechanisms to protect their assets. When an organization is under attack, immediate action is necessary to protect APIs. This is achieved by first detecting and then mitigating the threat by using Cequence’s API Spartan. Next, customers typically focus on ensuring API compliance with security best practices, for example by using Cequence’s compliance solution, API Sentinel. The final phase is then the discovery of all APIs using API Spyder, a solution provided by Cequence – putting together all critical puzzle pieces of robust API security in one unified platform.

Organizations may move their focus either from left to right along the API security lifecycle (from API discovery to threat protection) or the other way around based on their immediate needs. For instance, an organization may first plug an immediate gap in threat protection and then focus on compliance and discovery for robust API security hygiene.

What makes Cequence’s approach unique is its holistic attention to every aspect of the API protection lifecycle we just outlined. In the threat protection phase, Cequence provides native protection against malicious traffic. Unlike competitors who merely identify bad activity on an API and then push out IP addresses to a customer’s Web Application Firewall (WAF), Cequence’s solution offers more efficient and robust protection.

When it comes to compliance, Subbu described how Cequence utilizes innovative technologies like generative AI to make the security leaders’ lives easier and to reduce manual tasks.

The discovery phase is where Cequence truly distinguishes itself. Subbu pointed out that Cequence is the only vendor that specializes in ‘outside-in’ discovery. The company uses DNS techniques and proprietary ML-based methods to probe domains and discover APIs without needing to install anything on the customer’s environment.

No Code Automation – Operationalizing API Protection

Subbu highlighted a particularly helpful feature of Cequence’s platform: no-code automation. This allows organizations to generate automated workflows in response to detected malicious API activity.

Consider a scenario where an enterprise discovers that a hidden API, which has access to sensitive customer information, is under attack. The security team might want to page their operations team, put a hold on the API, block access from certain IP addresses, and carry out other tasks in response. With Cequence’s no-code automation feature, they can set up this entire workflow within the platform, saving valuable time and streamlining their response.

In conclusion, the conversation with Subbu of Cequence Security underscored the importance of a lifecycle approach to API security. Cequence’s innovative solutions, leveraging advanced technologies and unique features like AI and no-code automation, offer a comprehensive and effective approach to securing APIs. It’s clear that the company has carved a distinct place for itself in the API security space, and it will be interesting to see what new innovations they bring to the market in the future.

The post Automating the API Security Lifecycle – An Interview with Subbu Iyer of Cequence Security appeared first on Cybersecurity Insiders.

By Sudeep Padiyar, Senior Director, Product Management at Traceable AI

Preventing data loss has become incredibly challenging in an application programming interface (API)-driven world. Companies lock down sensitive data internally with access controls, encryption, data classification, and data loss prevention (DLP) platforms. They typically safeguard web applications with application security tooling or Web Application Firewalls (WAF). Cloud security is often implemented with dedicated secure access service edge (SASE) architectures, including cloud access security brokers (CASBs).

However, sensitive data is transmitted freely across internal and external APIs, increasing the risk of accidental or malicious exposure of different sensitive data types. And hackers that exploit APIs don’t just steal sensitive data, they also gain access to systems, infrastructures, and other key surfaces, potentially causing massive operational downtime. Data loss at the API layer needs to be high on the list of priorities for security and privacy teams in addition to protecting sensitive data with SASE, CASB solutions and NextGen firewalls.

Leading analysts and research firms have sounded the alarm about growing data security risks via API. Gartner has predicted that APIs will be the top attack vector this year, and that by 2025, more than half of all data thefts from enterprise web applications will be due to unsecure APIs. The OWASP API Security Project ranks excessive data exposure as the third most important API security risk. And recent data breaches also serve to warn peers of these issues. A single API hack on T-Mobile resulted in the data exposure of 37 million customers. Meanwhile, a Twitter API hack resulted in the release of personal data for 235 million users. The cost to remediate these attacks will far outpace the investment it would have taken to secure these APIs from the start.

Protect the Business by Securing APIs

Most enterprises use thousands of APIs to share data with applications and partners and to provide a seamless user experience for their customers. A phenomenon known as API sprawl makes it difficult to gain visibility and control over these connections; in addition, frequent updates create versioning and documentation issues that further complicate API security.

APIs are now the universal attack vector, and they’re also a uniform protection layer if secured properly. Enterprises that deploy API security platforms gain fit-for-purpose tools that bring holistic visibility, monitoring, management, and remediation tools to bear on securing APIs and reducing risks.

Only context-aware API security platforms can accurately inventory APIs and detect behavioral anomalies that outwit traditional security tools such as WAFs and traditional DLP platforms. As an example, a grad student’s efforts to scrape millions of Venmo users’ financial transactions appeared as normal API traffic. Similarly, Coinbase’s improper API validation process enabled users to make unlimited cryptocurrency trades between accounts without being detected.

API security solutions should provide discovery and security posture management, threat protection, and threat management, enabling organizations to minimize risks and maximize the value that APIs provide. Tracking sensitive data usage across authenticated and unauthenticated APIs, and ensuring compliance requirements are met, has become an important aspect for Infosec teams.

Specifically, these capabilities prevent sensitive data exfiltration by:

  • Discovering all APIs: Leading API security platforms automatically and continuously discover all APIs, building a living inventory of all internal, private, public, externally exposed, rogue, shadow, partner, and third-party APIs. They catalog every API and its associated data and sensitive data flows, even as an enterprise’s environment changes constantly.
  • Improving API security posture management: Building on visibility gains, a next-generation API security platform creates a security risk profile for every API. Teams can use these insights to determine which APIs are most vulnerable to attacks and abuse, so that they can remediate them first. These platforms further reduce risks by identifying API endpoints that handle sensitive data but lack appropriate authentication or zero-trust API access policies. Teams can use this information to prioritize which APIs need greater security controls to protect the enterprise systems and data from threats and abuse.
  • Real-time threat protection: With detailed and contextual knowledge, leading API security platforms are well-equipped to automatically detect and remediate API and business logic abuse attacks, as well as API abuse, fraud, and sensitive data exfiltration from production environments. These innovative platforms establish a baseline of normal and abnormal behavior, quickly detecting any anomalies that could pose a security risk, such as a flood of incoming API calls from a foreign internet protocol (IP) address. They also correlate suspected incidents across multiple dimensions, such as endpoint, network, and application and API behavior, providing security teams with a holistic view of how attacks are distributed, organized, and progress over time. By doing so, leading API security platforms can create a unique fingerprint for each user that can be used to improve anomaly detection and fraud ring clustering.
  • Data Loss Prevention: Data loss prevention software and tools monitor and control endpoint activities, filter data streams at the API layer, and monitor data in the cloud to protect data at rest, in motion, and in use. API DLP needs to provide reporting to meet compliance and auditing requirements and to identify areas of weakness and anomalies for forensics and incident response. This means that all sensitive data transfers at the API layer need to be monitored continuously to detect excessive data exposure based on multiple attributes, such as the volume of sensitive data, the source of the traffic (bot, residential proxy), geolocation, connection type, IP reputation, and so on.

  • Enhancing threat management: Modern API security platforms provide a rich set of security and application flow analytics that enable teams to reveal potentially unknown API threats and visualize user behavior analytics to uncover fraud and abuse. These tools and data empower teams, from security operations professionals, to incident responders, threat hunters, and red and blue teams, to improve processes. These individuals gain insights they can use to optimize APIs and security behaviors to prevent data breaches, ransomware attacks, API abuse, and data exfiltration.
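The "Real-time threat protection" and "Data Loss Prevention" points above both come down to the same detection logic: establish a per-principal baseline of how much sensitive data a client normally pulls, then score each call in the current window against that baseline and against source attributes (geolocation, IP reputation, proxy or bot indicators, call volume per address). The following is an added example, not the article's or any vendor's detection code, that runs that logic over a few constructed JSON-lines access-log records. The log schema, the field names (`sub`, `sensitive`, `rep`, `proxy`), the thresholds and every address and principal name are assumptions made for the example.

```python
"""API-layer DLP and behavioural-baseline detection over constructed log lines.

Added example; not code from the article or from any vendor. The log schema,
thresholds, principals and addresses are all constructed for illustration.
"""
from __future__ import annotations

import json
from collections import Counter, defaultdict
from statistics import mean, median

# Constructed historical traffic used to learn what "normal" looks like per
# principal ('sub'). 'sensitive' is the number of PII-bearing records returned.
HISTORY_LINES = """\
{"ts":1699990000,"ip":"198.51.100.4","sub":"svc-crm","path":"/v1/customers","sensitive":20,"geo":"US","rep":"clean","proxy":false}
{"ts":1699990060,"ip":"198.51.100.4","sub":"svc-crm","path":"/v1/customers","sensitive":21,"geo":"US","rep":"clean","proxy":false}
{"ts":1699990120,"ip":"198.51.100.4","sub":"svc-crm","path":"/v1/customers","sensitive":22,"geo":"US","rep":"clean","proxy":false}
{"ts":1699990180,"ip":"198.51.100.4","sub":"svc-crm","path":"/v1/customers","sensitive":20,"geo":"US","rep":"clean","proxy":false}
{"ts":1699990240,"ip":"203.0.113.50","sub":"partner-app","path":"/v1/orders","sensitive":5,"geo":"DE","rep":"clean","proxy":false}
{"ts":1699990300,"ip":"203.0.113.50","sub":"partner-app","path":"/v1/orders","sensitive":5,"geo":"DE","rep":"clean","proxy":false}
"""

# Constructed current window: one normal call, one bulk export of the same
# principal's credentials from a new location through a flagged proxy address,
# and six rapid unauthenticated lookups from a single address.
WINDOW_LINES = """\
{"ts":1700000000,"ip":"198.51.100.4","sub":"svc-crm","path":"/v1/customers","sensitive":21,"geo":"US","rep":"clean","proxy":false}
{"ts":1700000030,"ip":"203.0.113.77","sub":"svc-crm","path":"/v1/customers/export","sensitive":4800,"geo":"BR","rep":"listed","proxy":true}
""" + "".join(
    '{"ts":%d,"ip":"192.0.2.9","sub":"anon","path":"/v1/customers/lookup",'
    '"sensitive":1,"geo":"US","rep":"clean","proxy":false}\n' % (1700000060 + i)
    for i in range(6)
)


def parse(lines: str) -> list[dict]:
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def build_baselines(history: list[dict]) -> dict[str, dict]:
    """Per principal: mean sensitive records per call and the set of geos seen."""
    volumes: dict[str, list[int]] = defaultdict(list)
    geos: dict[str, set[str]] = defaultdict(set)
    for e in history:
        volumes[e["sub"]].append(e["sensitive"])
        geos[e["sub"]].add(e["geo"])
    return {sub: {"mean_sensitive": mean(v), "geos": geos[sub]} for sub, v in volumes.items()}


def analyze(history: list[dict], window: list[dict],
            volume_factor: float = 5.0, flood_threshold: int = 5) -> dict[tuple[str, str], set[str]]:
    """Return {(principal, ip): {reasons}} for every (principal, ip) pair in the
    window that trips at least one rule. Pairs with no findings are omitted."""
    base = build_baselines(history)
    # A principal with no history is compared against the median of known
    # baselines rather than against zero, which would flag every call.
    fallback = median(b["mean_sensitive"] for b in base.values()) if base else 1.0
    calls_per_ip = Counter(e["ip"] for e in window)
    findings: dict[tuple[str, str], set[str]] = defaultdict(set)
    for e in window:
        key = (e["sub"], e["ip"])
        b = base.get(e["sub"])
        expected = b["mean_sensitive"] if b else fallback
        if e["sensitive"] > volume_factor * max(expected, 1.0):
            findings[key].add("volume_spike")
        if b and e["geo"] not in b["geos"]:
            findings[key].add("new_geo")
        if e["rep"] != "clean":
            findings[key].add("bad_ip_reputation")
        if e["proxy"]:
            findings[key].add("proxy_or_bot")
        if calls_per_ip[e["ip"]] > flood_threshold:
            findings[key].add("call_flood")
    return dict(findings)


def run_analysis() -> dict[tuple[str, str], set[str]]:
    return analyze(parse(HISTORY_LINES), parse(WINDOW_LINES))


if __name__ == "__main__":
    for (sub, ip), reasons in sorted(run_analysis().items()):
        print(f"{sub:12} {ip:15} {', '.join(sorted(reasons))}")
```

Each reason on its own is weak evidence (a partner can legitimately move regions, a bulk export can be scheduled); the value is in the combination per principal and address, which is what gives an analyst a ranked queue instead of a stream of single alerts. The `sensitive` count itself has to come from response classification at the API layer, which is the part a network-level DLP or WAF cannot see.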

Start Securing APIs Today with a Best-in-Class Platform

The best time to begin securing APIs is today, before malicious individuals or groups gain control over these vital connections and use them to harm your business. Only modern API security platforms can provide holistic visibility and tools to monitor and mitigate these risks in real-time. These solutions enable you to discover all APIs, improve security posture management, protect against threats, protect your critical data, enhance threat management, and build a culture of continuous improvement.

It is vital for any business to continue fueling business growth by securely deploying and managing APIs with a fit-for-purpose API security platform, while protecting your business and customers from debilitating attacks and data theft.

The post Data Loss Prevention in an API-Driven World appeared first on Cybersecurity Insiders.

The RSA Conference 2023 witnessed a surge of interest in API security, with experts and industry leaders focusing on the increasing need to secure APIs and address vulnerabilities. As APIs continue to play a crucial role in connecting applications and data sources, especially in cloud environments, protecting them has become a top priority.

The Cloud Security Alliance (CSA) reported that “Insecure Interfaces and APIs” ranked second among the top threats to cloud computing, as cited in a recent survey of 700 security professionals. This marks a significant rise from its seventh-place position in a similar 2019 survey. The findings echo a report by Aimpoint Group, W2 Research, and CISO Connect, which revealed that 42% of 400 chief information security officers (CISOs) identified API security as their primary concern.

Several vendors showcased their API security solutions at the conference. Cequence Security, a leading company in the field, launched API Spyder, a cutting-edge tool that assesses the vulnerability of a customer’s APIs from an attacker’s viewpoint. The firm has experienced considerable growth in recent years, with many businesses investing heavily in API security following high-profile breaches at organizations like Peloton, Clubhouse, and John Deere.

Another participant, Noname Security, introduced version 3.0 of its API Security Platform, which offers a suite of features aimed at helping security teams manage APIs with the highest security standards. Meanwhile, Salt Security, a competitor in the space, highlighted its API Protection Platform’s new advanced threat detection capabilities and enhanced API discovery features. The company’s platform has gained recognition in the industry, earning it the coveted tech unicorn status after securing $140 million in Series D funding in February 2022.

Emerging startups like Traceable AI are also making waves in the sector, with the two-year-old company recently securing $60 million in Series B funding for its API security tracking solution. As the demand for robust API protection grows, investors are expected to show continued interest in API security startups.

The RSA Conference 2023 highlighted the industry’s mounting focus on API security as organizations strive to protect their applications and data from increasingly sophisticated cyber threats.

Notable API Security Vendors

In today’s digital landscape, APIs have become crucial components of modern applications, facilitating seamless integration and communication between various services. As a result, securing APIs has emerged as a critical aspect of ensuring data privacy and system stability. To help you navigate the API security space, we’ve compiled a list of notable API security vendors, each offering unique solutions to protect your organization’s APIs.

  1. Cequence Security
    Cequence Security offers an AI-powered Unified API Protection (UAP) solution, which helps organizations discover all APIs and ensure compliance with industry and government regulations while detecting and preventing automated attacks in real-time. Cequence Security’s approach to API security has garnered significant attention, including strategic investments from Hewlett Packard Enterprise and Prosperity7 Ventures. Website: https://www.cequence.ai/
  2. Noname Security
    Noname Security’s API Security Platform provides organizations with a comprehensive solution to protect their APIs. Its platform includes a range of features that help security teams manage APIs while ensuring top security. Version 3.0 of the platform brings added functionality to secure APIs effectively. Website: https://www.nonamesecurity.com/
  3. Salt Security
    Salt Security’s API Protection Platform leverages patented AI algorithms to provide advanced threat detection capabilities and improved API discovery. The platform focuses on delivering insights that distinguish API changes from API attacks, reducing false positives and accurately identifying true positives. Website: https://salt.security/
  4. Traceable AI
    Traceable AI is an emerging startup that offers an API security tracking solution. The company’s platform helps businesses monitor their API usage and detect potential security vulnerabilities, attracting significant investor interest, including $60 million in Series B funding. Website: https://traceable.ai/
  5. Akamai
    Akamai is a global content delivery network, cybersecurity, and cloud service company that provides API Gateway services. Their API Gateway secures, manages, and scales APIs with features like caching, logging, request/response transformation, and authentication. Website: https://www.akamai.com/
  6. Okta
    Okta is an identity and access management company that offers API Access Management, enabling organizations to securely manage access to APIs. Okta’s platform helps developers build secure, scalable, and user-friendly applications by providing centralized access control and management for APIs. Website: https://www.okta.com/
  7. 42Crunch
    42Crunch offers an API security platform focused on securing APIs throughout the entire API lifecycle. The platform provides features like auditing, compliance monitoring, and threat protection. It allows organizations to implement security measures during the development process and maintain security across their API ecosystem. Website: https://www.42crunch.com/
  8. Imperva
    Imperva is a cybersecurity company that provides API security solutions through its API Security product. Imperva’s solution secures APIs with features such as API discovery, threat protection, and compliance monitoring. The platform integrates with existing DevOps workflows and protects against various API attacks. Website: https://www.imperva.com/
  9. Data Theorem
    Data Theorem offers API security solutions that focus on protecting mobile, web, and API-based applications. The company’s API Discover and API Inspect products help organizations discover, analyze, and secure their APIs in real-time. Data Theorem’s platform is designed to identify and remediate potential security risks. Website: https://www.datatheorem.com/
  10. APIsec
    APIsec offers an innovative API security testing platform designed to identify vulnerabilities and ensure compliance with industry and government regulations. Their solution focuses on automating security testing, integrating seamlessly into the development process, and continuously monitoring APIs in production. With a robust range of features and advanced analytics, APIsec enables organizations to detect and prevent potential security breaches effectively. Learn more about APIsec’s unique approach to API security at https://www.apisec.ai/.
  11. Neosec
    Neosec is an API security provider specializing in discovering, securing, and monitoring APIs throughout their lifecycle. Their platform uses machine learning and artificial intelligence to analyze API traffic, identify vulnerabilities, and detect potential threats in real-time. Neosec’s solution emphasizes the importance of visibility and control, allowing security teams to manage and protect APIs with ease. To find out how Neosec is redefining API security, visit their website at https://www.neosec.ai/
  12. Wallarm
    Wallarm is a leading API security vendor that offers a comprehensive platform for protecting APIs from a wide range of threats. Their solution leverages machine learning and advanced algorithms to automatically detect vulnerabilities and secure API endpoints. With a focus on real-time monitoring, automated threat detection, and seamless integration into existing infrastructure, Wallarm enables organizations to strengthen their API security posture effectively. Discover more about Wallarm’s innovative approach to API protection at https://www.wallarm.com/.
  13. Apigee
    Apigee, a part of Google Cloud, is a well-established API management and security platform that helps organizations design, secure, and scale APIs. Apigee provides a range of tools and features to ensure secure API development, deployment, and monitoring. With robust security measures, including API authentication, access control, and threat protection, Apigee empowers businesses to build and maintain secure APIs in an ever-evolving digital landscape. Learn more about Apigee’s comprehensive API security offerings at https://cloud.google.com/apigee/.

In conclusion, the growing prominence of API security in the industry, as demonstrated by the recent announcements and developments at RSA 2023, highlights the urgent need for businesses to prioritize protecting their APIs. As cyber threats evolve and become more sophisticated, investing in robust API security solutions will be essential for organizations to safeguard their applications and sensitive data. By staying informed about the latest API security trends and leveraging the expertise of leading vendors in the space, businesses can proactively fortify their defenses and navigate the digital landscape with confidence.

The post API Security Takes Center Stage: Key Insights from RSA 2023 appeared first on Cybersecurity Insiders.

Richard Bird, Chief Security Officer, Traceable AI

This year will be the year that many business and security leaders will wake up to truly understand the scope of their API security issues.

For the past three years, organizations have prioritized flexibility and growth over security and navigating extremely challenging business conditions. They’ve aggregated large data sets and deployed more cloud services to digitize business models, products, and services. The key to making all of this work is truly APIs. When creating and deploying apps, DevOps teams use internal APIs to connect data sources and business processes, and external APIs to communicate with partners and customers. As a result, sensitive data, such as critical business information and consumers’ contact, financial, and health information, increasingly passes over APIs.

Unfortunately, organizations typically lack the ability to automatically discover, inventory, validate, manage, and secure their API inventory, which is increasing every week. In addition, teams may be using operational frameworks that don’t enforce standardization and governance, as their API holdings skyrocket. As a result, most organizations are unaware of the extent of the APIs they possess, and cyber-attackers and malicious actors are taking note. Hackers have identified APIs as the Achilles heel in organizations’ cybersecurity posture and are using them to steal data, commit fraud, and create havoc in the marketplace, among other aims. More than half of all data thefts were traced to unsecured APIs as of 2020, according to Gartner – and the problem is only getting worse.

Here are some API security predictions for 2023:

Prediction #1: There will be a major API security breach that forces faster regulatory action

Gartner predicts that by 2025, less than 50 percent of enterprise APIs will be managed, as explosive growth outpaces API management capabilities.

Already, API security incidents are soaring, and regulators are taking notice. An adversary used LinkedIn’s official API to scrape data on 90 percent of its users. A researcher used Venmo’s public API to access data on millions of payments. The Log4Shell zero-day vulnerability, reported in December 2021, is still being exploited. Other API security incidents have ensnared Coinbase, John Deere, Experian, Peloton, SolarWinds, and more.

While regulatory action typically lags behind advanced technology development, API security is increasing the scope and severity of security breaches. I predict that a major API security incident that disrupts mission-critical services, such as in the financial or public infrastructure verticals, will occur in 2023, forcing faster regulatory action across all verticals.

Prediction #2: Leaders will see APIs as representing both security and business risks

The need to protect business operations, customers, and data will be a key driver for organizations to implement API security platforms. This year, leaders will want to take a broader look at the problem of managing APIs.

That’s because the lack of control, security, and governance around APIs doesn’t just increase risks, it is also operationally inefficient.

DevOps teams are constantly developing and deploying APIs to connect applications and processes. That means there is a huge number of zombie APIs, which are APIs that are abandoned but not yet removed from corporate systems. The lack of synchronized, standardized processes also increases process redundancy across API groups. As a result, organizations are spending more on development processes and application maintenance than they need to.

Prediction #3: Financial services will lead other verticals in addressing API security issues

Global regulators need to develop API-specific security regulations, rather than relying on data protection regulations such as HIPAA, GDPR, PCI, and others to govern these digital connections.

The good news is that financial services are poised to lead the charge for more regulatory oversight. Already, the Federal Financial Institutions Examination Council (FFIEC) members issued guidance governing securing authentication and access to financial institutions’ services and systems, including APIs.

In 2023, we expect that these regulators will increase their expectations around financial institutions’ API security. This heightened focus can’t come soon enough. With their motherlode of rich customer data and transactions, banks, fintech companies, insurance companies, and other financial institutions represent a favorite attack target for hackers. In addition, the industry must develop a scalable approach to API security if it is to move forward with open banking. Open banking, which provides third parties with access to financial transaction data, is completely powered by APIs.

Financial services have led other industries in adopting risk and security frameworks and tools to protect data and systems. The industry will do the same with API security, setting a standard for other verticals to follow.

Prediction #4: Organizations will right-size data storage to reduce risks

One of the reasons that API security risks are so dangerous is that organizations are collecting and storing too much data. While data storage used to be expensive, tumbling costs over the past decade have enabled organizations to collect petabytes of unstructured data, much of which isn’t used. Just as they have a shadow API problem, organizations have a shadow data problem, with unknown, unmanaged data stores abounding.

As they harden API security, business, IT, and data teams should also rationalize their data holdings. Business is transforming so fast that most historical data hold little value. Organizations predict operational performance in terms of days and weeks now, rather than years. Far better, then, to purge unnecessary data than to risk storing it in an unmanaged database – and having it exfiltrated over an unsecured API.

Prediction #5: Enterprising CISOs will see API security as an opportunity to innovate

API security is a greenfield opportunity that leading CISOs will exploit to choose and implement the best frameworks, processes, and tools for their organizations. Those that move ahead proactively to implement solutions, such as platforms that enable automated, AI-driven API discovery, cataloging, management, and real-time attack detection, will achieve significant improvements in security and risk mitigation.

They’ll also integrate API security testing into pre-production processes, enabling developers to scan and remediate APIs before they are deployed. By doing so, they’ll enable teams to use DevSecOps processes to develop and deploy applications at pace, without increasing their organizations’ attack surface.

These CISOs will help their organizations outperform competitors who rely on unsecured API gateways or the limited capabilities of web application firewalls. They’ll achieve this goal by enabling faster innovation, using connected processes to reap more value from customers, and sparing their organizations from disabling API security breaches.

Prediction #6: Leading with API security will differentiate organizations in the marketplace

The future of business is connected, meaning that future API growth is likely limitless. So, the question is not whether organizations will secure APIs, but when and how.

Gartner predicts that by 2025, 60% of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements. Furthermore, no organization wants to lose control over their business, customer data and precious intellectual property due to partners’ improper API security practices – or be on the receiving end of a cybersecurity attack for the same reason.

Since third-party APIs will represent 30 percent of all APIs used to connect organizations’ applications and data sources, leaders will think carefully about whom they want to do business with.

The API security industry is fast-transforming. There are myriad tools and platforms that CISOs and their teams can choose from, as well as lessons learned from lists of API security risks and retrospective analyses of breaches.

By learning more about API security and best practices, CISOs can lead the way in reducing these risks. They can implement effective governance, standardize and enforce processes, discover and control API holdings, and proactively remediate unsecured APIs before they are used in attacks.

APIs can unlock increased business potential and value for organizations – or remain a source of unmitigated risk that harms business momentum and revenues. That choice will become increasingly important in 2023.

About The Author:

RICHARD BIRD, CHIEF SECURITY OFFICER, TRACEABLE AI

Richard is a multi-time C-level executive in both the corporate and start-up worlds and is internationally recognized for his expert insights, work and views on cybersecurity, data privacy, digital consumer rights and next generation security topics. Richard delivers keynote presentations around the world and is a highly sought after speaker, particularly when he is translating cybersecurity and risk realities into business language and imperatives. He is a Senior Fellow with the CyberTheory Zero Trust Institute, a Forbes Tech Council member and has been interviewed frequently by media outlets including the Wall Street Journal, CNBC, Bloomberg, The Financial Times, Business Insider, CNN, NBC Nightly News and TechRepublic.

The post Predictions for 2023 API Security appeared first on Cybersecurity Insiders.

By Yaron Azerual, Senior Security Solution Lead, Radware

The shift to hybrid working and digital transformation has accelerated the use of APIs. According to Radware’s 2022 State of API Security Survey, conducted with Enterprise Management Associates, 97% of organizations use APIs for communications between workloads and systems; 92% have significantly or somewhat increased API usage within the last year; and 59% already run most of their applications in the cloud – all of which underscores the critical role APIs play in enterprise computing.

The challenge is that API protection is not only failing to keep up with the increase in API usage, but many companies are also working under a false set of assumptions and an overconfidence that they are adequately protected from cyberattacks, which is a risky combination. The reality is that security teams need to rethink their approach to securing their APIs.

THE STATE OF API SECURITY

In our recent survey, 203 companies from across Europe, Asia, and North America paint a real-world picture of the state of API security in today’s organization. The results of the survey reinforce the narrative that companies have a false sense of security in solutions that are inadequate and ineffective:

Undocumented APIs pose a substantial and underestimated threat.
While 92% of the organizations surveyed believe they have adequate API protection and 70% believe they have visibility into applications that process sensitive data, most (62%) admit that one-third or more of their APIs are undocumented.

Commentary: While the survey discovered that a fair portion of APIs are known and documented, there is a real (and underestimated) threat that comes from a large percentage of undocumented APIs. This is coupled with the fact that only some respondents believe that automatic API discovery and protection are necessities, and an even smaller portion is actually using a solution with auto-discovery capabilities. This is part of the false narrative that can lead to a major breach for many organizations: the belief that they have adequate security, when they actually have significant gaps in their protection from APIs that are unknown and undocumented.

API attacks are largely undetected.
Half of the companies surveyed viewed their existing tools as only somewhat or minimally effective at protecting their APIs, with 7% reporting that their solutions did not identify any attacks at all.

Commentary: The inability of the existing tools to adequately protect APIs from common threats further adds to the false security narrative. The fact that respondents reported that the solutions they had in place did not identify any attacks (7.4%) is even more troubling.

Bot attacks remain a threat.
Nearly one-third of companies report that automated bot attacks are among the most common threats to APIs. In detecting an API attack, 29% say they rely on alerts from an API gateway and 21% rely on web application firewalls (WAFs).

Commentary: Organizations continue to base API security on the false assumption that API gateways and traditional WAFs offer sufficient protection, leaving their APIs vulnerable and exposed to common threats, like bot attacks. A comprehensive API protection solution addresses these threats, but few respondents indicate they have deployed such solutions. Bot protection and automated-attack protection should be a priority when evaluating solutions to protect APIs. 

BEWARE OF FALSE ASSUMPTIONS

There are many challenges involved in securing APIs, and false assumptions are among them. Dispelling the myths and false beliefs, and debunking the overconfidence that most organizations have around API security, is a great place to start in improving security posture.

Here are a few prevailing false assumptions that further hamper API security and leave APIs vulnerable and exposed to threats.

  1. “A WAF will protect our applications and their APIs.”

While WAFs are a great solution for protecting against embedded attacks, they only cover a fraction of the attack vectors APIs are exposed to. APIs require specific capabilities, such as the ability to parse the content and compare it to the API’s specific schema – something standard WAFs usually don’t do.

Second, most WAF solutions (especially cloud WAF managed services) only deploy negative security models. This limits protection against zero-day attacks (unfamiliar attacks for which no signature yet exists). The OWASP API list of the top 10 threat vectors includes many types of attacks and malicious API calls that simply can’t be covered through a negative security model.  They require a positive security model and behavioral analysis to determine whether the API call is malicious or not – a feature most WAFs don’t offer.
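The difference between the two models is easiest to see side by side. The following is an added example and not code from the Radware article: a signature blocklist (negative model) and a schema validator (positive model) applied to the same three request bodies for a hypothetical POST /api/v1/transfers endpoint. The endpoint, its schema, and the sample requests are constructed for illustration. The SQL-injection body is caught by both; the third body matches no signature at all, yet it sets an undocumented field and an out-of-range amount, which only the schema check rejects.

```python
"""Negative vs. positive security model for an API request body.

Added example, not code from the Radware article. The endpoint, its schema
and the sample requests are constructed for illustration.
"""
import json
import re

# Negative model: a short signature list of the kind a generic WAF ships with.
SIGNATURES = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)<script"),
    re.compile(r"\.\./"),
]

# Positive model: the documented schema for POST /api/v1/transfers (assumed).
TRANSFER_SCHEMA = {
    "from_account": {"type": str, "pattern": re.compile(r"^ACC\d{8}$")},
    "to_account":   {"type": str, "pattern": re.compile(r"^ACC\d{8}$")},
    "amount":       {"type": (int, float), "min": 0.01, "max": 10_000},
    "memo":         {"type": str, "max_len": 64, "optional": True},
}


def negative_check(raw_body: str) -> list[str]:
    """Return the signature patterns that matched; an empty list means 'allowed'."""
    return [s.pattern for s in SIGNATURES if s.search(raw_body)]


def positive_check(raw_body: str, schema=TRANSFER_SCHEMA) -> list[str]:
    """Validate the body against the schema; return a list of violations."""
    problems = []
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return [f"body is not JSON: {exc.msg}"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    # Unknown fields are rejected outright: this is where mass assignment lives.
    for field in body.keys() - schema.keys():
        problems.append(f"unexpected field '{field}'")
    for name, rule in schema.items():
        if name not in body:
            if not rule.get("optional"):
                problems.append(f"missing field '{name}'")
            continue
        value = body[name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            problems.append(f"'{name}' has wrong type {type(value).__name__}")
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            problems.append(f"'{name}' does not match expected format")
        if "max_len" in rule and len(value) > rule["max_len"]:
            problems.append(f"'{name}' longer than {rule['max_len']} chars")
        if "min" in rule and value < rule["min"]:
            problems.append(f"'{name}' below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            problems.append(f"'{name}' above maximum {rule['max']}")
    return problems


# Constructed sample requests.
LEGIT = '{"from_account":"ACC00000001","to_account":"ACC00000002","amount":250.0}'
SQLI = '{"from_account":"ACC00000001\' UNION SELECT 1--","to_account":"ACC00000002","amount":1}'
# No signature matches this one, but it sets a field the API never documented
# and an amount the business rules never allow.
NOVEL = '{"from_account":"ACC00000001","to_account":"ACC00000002","amount":-5000,"is_admin":true}'

if __name__ == "__main__":
    for label, req in [("legit", LEGIT), ("sqli", SQLI), ("novel", NOVEL)]:
        print(label, "negative:", negative_check(req), "positive:", positive_check(req))
```

In production the schema would be loaded from the API's OpenAPI document rather than hand-written, which is also why undocumented APIs cannot be protected this way: there is no schema to enforce.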

Finally, there are automated threats, including malicious bots, that can pose a major problem for APIs. How can an API distinguish between a bad bot and a legitimate machine-to-machine call? Companies need advanced bot management solutions that can also analyze API calls to protect against account takeovers (ATO), data scraping, and other types of application DoS attacks. Currently, no WAF offers this functionality.

  2. “An API gateway will manage and protect our APIs.”

API gateways are designed to manage the lifecycle of APIs, like translating protocols and routing API calls to correct destinations. On the security side, API gateways authenticate the entity that makes the API call and ensure the entity has proper authorization to execute a specific call.

With more companies expecting API gateways to offer increased levels of security, some API gateway vendors have started integrating basic API protection capabilities (beyond authentication and authorization enforcement). Unfortunately, there is no API gateway solution to date that safeguards APIs with a positive security model engine, bot protection capabilities, behavioral analysis, and application denial-of-service (DoS) protection. Most API gateways include connections to third-party API protection solutions, a clear indication that API gateway vendors understand their products’ limitations in protecting the very APIs they manage.

  3. “The APIs we are using are well-documented, enabling effective protection.”

A well-protected API is a well-documented API. To effectively protect an API, you need to intimately know the API structure, parameters, the type and range of values, and expected content of the API body. Combined with a good API protection solution, a well-documented API dramatically improves your security posture. However, in many organizations, there are numerous undocumented and unmanaged APIs that go unaddressed. And even if they are documented, APIs change more frequently than applications. As a result, their documentation and security policies need to be updated regularly.

Effective API protection must include automatic discovery of APIs. A good discovery engine can also automatically generate and apply a tailored security policy to match the discovered APIs. This is the best way to effectively protect an API throughout its lifecycle.
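The simplest form of discovery is to compare what actually serves traffic with what the team has documented. The following is an added example, not code from the Radware article: it parses constructed access-log lines, collapses numeric and UUID-shaped path segments into `{id}` so that per-object URLs count as one endpoint, and reports every (method, path) pair that is not in the documented inventory. The spec entries, log format and log lines are all constructed; in practice the inventory would come from an OpenAPI document and the lines from gateway or load-balancer logs.

```python
"""Shadow-API discovery from access logs.

Added example, not code from the Radware article. The documented inventory,
the log format and the log lines are constructed for illustration.
"""
import re
from collections import Counter

# Documented inventory: (method, path template) pairs, assumed to have been
# extracted from the team's OpenAPI spec.
DOCUMENTED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/transfers"),
    ("GET", "/api/v1/transfers/{id}"),
}

# Combined-log-style lines (constructed). Note the old /api/v0 export
# endpoint, the DELETE nobody documented, and an internal debug route.
LOG_LINES = """\
10.0.0.5 - - [12/Jan/2023:10:00:01 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [12/Jan/2023:10:00:02 +0000] "POST /api/v1/transfers HTTP/1.1" 201 88
10.0.0.9 - - [12/Jan/2023:10:00:03 +0000] "GET /api/v1/transfers/77 HTTP/1.1" 200 301
10.0.0.9 - - [12/Jan/2023:10:00:04 +0000] "GET /api/v0/users/1042/export HTTP/1.1" 200 90211
10.0.0.9 - - [12/Jan/2023:10:00:05 +0000] "GET /api/v0/users/1043/export HTTP/1.1" 200 88120
10.0.0.7 - - [12/Jan/2023:10:00:06 +0000] "DELETE /api/v1/users/1042 HTTP/1.1" 204 0
10.0.0.7 - - [12/Jan/2023:10:00:07 +0000] "GET /internal/debug/config?verbose=1 HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Numeric and UUID-like path segments collapse to {id} so that
# /users/1042 and /users/1043 count as one endpoint.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$", re.I)


def normalize(path: str) -> str:
    """Strip the query string and replace identifier segments with {id}."""
    path = path.split("?", 1)[0]
    parts = [("{id}" if ID_SEGMENT.match(p) else p) for p in path.split("/")]
    return "/".join(parts)


def discover(log_text: str) -> dict[tuple[str, str], int]:
    """Return observed (method, template) -> request count."""
    seen: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip, don't crash
        seen[(m["method"], normalize(m["path"]))] += 1
    return dict(seen)


def shadow_endpoints(observed, documented=DOCUMENTED) -> dict[tuple[str, str], int]:
    """Endpoints serving traffic that nobody documented: the audit list."""
    return {ep: n for ep, n in observed.items() if ep not in documented}


if __name__ == "__main__":
    obs = discover(LOG_LINES)
    for ep, n in sorted(shadow_endpoints(obs).items()):
        print(f"UNDOCUMENTED {ep[0]:6} {ep[1]} ({n} requests)")
```

Running this against real logs is a one-afternoon job and usually turns up exactly the zombie and internal endpoints the survey respondents did not know they had; the output is the list to either document and protect or decommission.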

A Snapshot of Effective API Security

API security requires an in-depth understanding of a multitude of environments and platforms. An effective API security solution will:

  • Integrate with existing security and visibility tools.
  • Leverage advanced machine-learning algorithms to detect emerging threats and automatically create and optimize API security policies.
  • Enable accurate and automated API discovery, protection, and security policy generation without requiring application or security expertise.
  • Comprehensively protect all parts of the API across a broad range of threats, including access violations, data leakage, denial of service, automated threats (bots), and embedded attacks.
  • Protect against automated, bot-based threats.
  • Support positive and negative security models while enabling continuous and automatic security policy optimization and adjustments to correct and eliminate false positive events.

  4. “We’re covered by a dedicated API protection solution.”

Good API protection that takes into account the above recommendations is a great start. But it isn’t enough to fully protect your application. APIs don’t exist by themselves. They are part of an application deployed on an infrastructure. Hackers who can’t penetrate the API will look for application vulnerabilities unrelated to the API. They might launch a bot attack, or they might simply launch a distributed denial-of-service (DDoS) attack.

The threat landscape for organizations has changed significantly over the past several years. It is simply not possible to identify and mitigate all security risks using traditional methods and tools. Instead, it’s important to take a holistic approach to application protection that covers all bases, including a strong WAF, bot management, threat intelligence, and DDoS protection. If you can manage these solutions from a single pane of glass and synchronize them, your applications and APIs will be effectively protected.

API security may not be making news headlines like ransomware and DDoS attacks yet. However, for most organizations, it has quickly become the most significant vulnerability surface — a threat that will remain as long as proper protection lags behind the growing risks.

# # #

Yaron Azerual, Senior Security Solution Lead at Radware, has more than 25 years of engineering, product management and product marketing experience, which is grounded in a deep understanding of the development of communication and security products and the market challenges they solve.

The post Dispelling the Myths and False Beliefs of API Security appeared first on Cybersecurity Insiders.

An application programming interface, or API, is a defined process that allows data to be shared between applications or programs. Each API consists of a set of rules that dictates how communication occurs between a client and a server or external program. The required request format, the authentication process, and the encryption of data all […]

The post What to Know about APIs, the “On-Ramps to the Digital World” appeared first on The State of Security.

There is a sight gag that has been used in a number of movies and TV comedies that involves an apartment building lobby. It shows how people who don’t live there, but who want to get in anyway, such as Girl Guides looking to sell cookies to the tenants – simply run their fingers down […]

The post A Problem Like API Security: How Attackers Hack Authentication appeared first on The State of Security.

[ This article was originally published here by Indusface.com ]

Thinking about all the high-profile cyber threats that businesses face today can make you feel overwhelmed. Many of the most devastating security breaches that made headlines involved API abuse; take the Venmo, Panera, Equifax, WikiLeaks, and Uber hacks, for example. These incidents make it clear that cybercriminals are becoming smarter, while many businesses are still not focusing much on API security.

As our API-related development increases, so does the cybercriminals’ desire to take advantage of it – driving new evolutions in API security threats.

“By using APIs, companies may inadvertently open up the door to all of their corporate data.”

– Chris Haddad, chief architect at Karux LLC (source: TechTarget)

So, how can you avoid becoming an API hack headline? The best way to leverage the power of APIs without confronting insider threats and external attacks is by following these API security best practices:

API Security Best Practices for Web Apps

  1. Implement a Zero Trust Philosophy

When it comes to “What is API Security?”, many people would highlight API authentication, but API security is more about API threat prevention. Zero Trust is a security policy centered on the principle that companies should not trust anyone by default and instead must verify everything trying to access their systems.

Zero-Trust ideology should be applied to even authorized API endpoints, authenticated clients, as well as unauthenticated and unauthorized entities.

Critical factors to consider while implementing a zero-trust policy on your API include API Protocol Support, API Deep Request Inspection, Cloud-native Deployment Method, API Discovery – Up to date API Inventory, and Data leakage prevention.

  2. Identify API Vulnerabilities and Associated Risks

It is dangerous to ignore API vulnerabilities and risks. Many API vulnerabilities and errors can be caught in the initial stage; hence, fixing them becomes easy and quick.

With thorough API security testing, discover which parts of your API are vulnerable to the known threats. Refer to the OWASP’s Top 10 API Security Vulnerabilities list to make sure the biggest vulnerability categories are mitigated. Also, identify all the data and systems that get affected if a vulnerability is exploited and create an appropriate recovery plan to reduce the risks to an acceptable level. Assess the API endpoints before any code changes to make sure any data handling requirements and security are not compromised.

  3. Enforce Strong Authentication and Authorization

Though authentication and authorization play different roles, when implemented together these two API best practices work as a powerful tool for API security. Authentication securely verifies who is calling the API, and authorization determines what data that caller may access. API authentication allows you to restrict or remove users who abuse the API. API authorization usually starts after the identity is confirmed through authentication and verifies whether the user or application has permission to access the API.

API authentication and authorization serve the following purposes:

  • Restricting calls to the API to legitimate users only
  • Tracking the requesters
  • Tracking API usage
  • Enabling different levels of permissions for different users
  • Blocking a requester who exceeds the rate limit

  4. Expose Only Limited Data

When we think of web API security best practices, we often think of blocking out malicious activity. It can also be helpful to limit the accidental exposure of sensitive information. Because APIs are built as developer tools, their responses often return more fields than the client needs, sometimes including keys, internal identifiers, or other secret details that reveal too much about the API endpoints. Make sure APIs only expose as much data as is needed to fulfill their operation. Further, enforce data access controls and the principle of least privilege at the API level, track the data that flows out, and filter any confidential fields from responses.
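The three controls from the last two sections (authenticate the caller, authorize the specific object, and return only the fields that caller needs) fit in one request handler. The following is an added example and not code from the Indusface article, written for a hypothetical GET /users/{id} call. The token format (an HMAC-signed `user_id:role:expiry` string), the secret, the user records, and the per-role field allowlists are all constructed for illustration; a real service would accept JWT or OAuth tokens from an identity provider. Note that the object-level check rejects a user reading someone else’s record even though the token is perfectly valid, and that `password_hash` and `api_key` never leave the handler for any role.

```python
"""Authentication, object-level authorization and response minimization
for a GET /users/{id} call.

Added example, not code from the Indusface article. Token format, secret,
records and allowlists are constructed for illustration only.
"""
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret-do-not-reuse"

# Which response fields each role may see: "expose only what is needed"
# expressed as data rather than left to each handler to remember.
FIELD_ALLOWLIST = {
    "user":    {"id", "display_name"},
    "support": {"id", "display_name", "email"},
    "admin":   {"id", "display_name", "email", "ssn_last4"},
}

USERS = {  # constructed records; note the secret-bearing fields
    1042: {"id": 1042, "display_name": "Ana", "email": "ana@example.com",
           "ssn_last4": "1234", "password_hash": "$argon2id$...", "api_key": "k-secret"},
    1043: {"id": 1043, "display_name": "Ben", "email": "ben@example.com",
           "ssn_last4": "9876", "password_hash": "$argon2id$...", "api_key": "k-other"},
}


def issue_token(user_id: int, role: str, ttl: int = 3600, now=None) -> str:
    """Mint 'user_id:role:expiry:hmac' (constructed format, not a standard)."""
    exp = int(now if now is not None else time.time()) + ttl
    payload = f"{user_id}:{role}:{exp}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def authenticate(token: str, now=None):
    """Return (user_id, role) or None. The signature compare is constant-time."""
    try:
        user_id_s, role, exp_s, sig = token.split(":")
        user_id, exp = int(user_id_s), int(exp_s)
    except ValueError:
        return None
    payload = f"{user_id_s}:{role}:{exp_s}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered claims (e.g. role edited) fail here
    if exp < (now if now is not None else time.time()):
        return None
    return user_id, role


def authorize(principal, target_id: int) -> bool:
    """Object-level check: a plain user may only read their own record."""
    user_id, role = principal
    return role in ("support", "admin") or user_id == target_id


def get_user(token: str, target_id: int, now=None) -> tuple[int, dict]:
    """Return (status, body) as the handler would send them to the client."""
    principal = authenticate(token, now)
    if principal is None:
        return 401, {"error": "invalid or expired token"}
    if not authorize(principal, target_id):
        return 403, {"error": "forbidden"}  # checked before lookup: no existence leak
    record = USERS.get(target_id)
    if record is None:
        return 404, {"error": "not found"}
    allowed = FIELD_ALLOWLIST[principal[1]]
    return 200, {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    tok = issue_token(1042, "user")
    print(get_user(tok, 1042))  # own record, two fields
    print(get_user(tok, 1043))  # someone else's record: 403
```

Keeping the allowlist as data makes the "what does this role get back" question auditable in one place, and running the authorization check before the database lookup avoids turning 404-versus-403 into an enumeration oracle.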

  5. Implement Rate Limits

DDoS (Distributed Denial of Service) is the most common way of attacking an API: overwhelming it with an unbounded volume of requests. This attack affects the availability and performance of APIs.

Rate limiting, also known as API limiting is a process of enforcing a limit on how often an API is called (to ensure that an API remains available to legitimate requests). Beyond DDoS attack mitigation, it limits other abusive actions like aggressive polling, credential stuffing, and rapidly updating configurations. API rate limiting not only deals with fair usage of shared resources but also can be used to:

  • Implement different access levels on API-based services
  • Meter the API usage
  • Guarantee API performance
  • Ensure system availability
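A token bucket per API key covers all four of the uses above: the refill rate and burst capacity are the access tier, the consumed-token count is the meter, and denying with a retry-after value is what keeps the service available. The following is an added example, not code from the Indusface article. The tier names and quotas are constructed, and the clock is injected as a parameter so the behaviour is deterministic and can be checked without sleeping.

```python
"""Per-client token-bucket rate limiting with tiered quotas.

Added example, not code from the Indusface article. Tier names, quotas and
the request sequences are constructed; the clock is passed in explicitly.
"""
from dataclasses import dataclass, field

# Access tiers: (sustained requests per second, burst capacity). Assumed values.
TIERS = {"free": (1.0, 5), "partner": (20.0, 100)}


@dataclass
class Bucket:
    rate: float          # tokens refilled per second
    capacity: int        # burst size
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = float(self.capacity)  # a new client starts with a full burst
        self.last = 0.0


class RateLimiter:
    def __init__(self, tiers=TIERS):
        self.tiers = tiers
        self.buckets: dict[str, Bucket] = {}
        self.usage: dict[str, int] = {}  # metering: accepted requests per client

    def check(self, client_id: str, tier: str, now: float) -> tuple[bool, int]:
        """Return (allowed, retry_after_seconds). Unknown tiers fall back to 'free'."""
        rate, cap = self.tiers.get(tier, self.tiers["free"])
        b = self.buckets.get(client_id)
        if b is None:
            b = Bucket(rate, cap)
            b.last = now
            self.buckets[client_id] = b
        # Refill in proportion to elapsed time, never above capacity.
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            self.usage[client_id] = self.usage.get(client_id, 0) + 1
            return True, 0
        # Tell the client how long until one whole token is available
        # (this is the value to send in a Retry-After header with a 429).
        retry = -(-(1.0 - b.tokens) // b.rate)  # ceiling division
        return False, int(retry)


def simulate(limiter: RateLimiter, client: str, tier: str,
             n: int, start: float, spacing: float) -> list[bool]:
    """Fire n requests 'spacing' seconds apart; return the allow/deny pattern."""
    return [limiter.check(client, tier, start + i * spacing)[0] for i in range(n)]


if __name__ == "__main__":
    rl = RateLimiter()
    print("burst of 8 on free tier:", simulate(rl, "key-free", "free", 8, 100.0, 0.0))
    print("one request per second:", all(simulate(RateLimiter(), "k", "free", 50, 0.0, 1.0)))
```

The same structure runs unchanged in a gateway plugin or middleware; the only production differences are keying the bucket on the authenticated identity rather than a raw header, and storing buckets in a shared store so that the limit holds across instances.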

  6. Implement Web Application and API Protection (WAAP)

We recommend a Web Application and API Protection (WAAP) solution for business use cases where API calls are made from web and mobile apps. These apps commonly have access to ample amounts of sensitive information, and APIs in these channels are tough to defend. Common security tools like traditional firewalls and API gateways are insufficient to prevent API attacks. A WAAP solution is centered around four consolidated capabilities: DDoS protection, Web Application Firewall, Bot Management, and API protection.


It employs a fully managed and risk-based application security approach, monitoring traffic to detect abnormal activities and malicious traffic across all four vectors. With the data collected across all the applications, it assesses risks and updates the mitigation strategies to enhance cyber defense in real time. WAAPs also help reduce operational complexity by reducing the number of parameters that need to be managed, streamlining security rulesets, and automatically suggesting rules with their AI capabilities. While a WAF protects against OWASP Top 10 attacks and an API gateway defends against standard attacks, the AI-enabled behavioral analysis of a WAAP provides the defense against automated and more sophisticated attacks.

Conclusion

As APIs become a strategic necessity to offer your business the speed and agility needed to succeed, your ultimate goal should be defending them from evolving attacks. These API security best practices for web applications may not be a foolproof strategy for enhancing API security, but they can go a long way toward making your APIs’ protection tough to penetrate.

The post Top 6 API Security Best Practices for 2022 appeared first on Cybersecurity Insiders.