Salt Security Co-founder and CEO Roey Eliyahu and TAG Cyber Founder and CEO Ed Amoroso, recently sat down together for a joint webinar on API security and zero trust. When you have industry experts discussing two of the hottest topics in cybersecurity, it’s bound to be informative – and this time proved no exception.
In the 90s and early 2000s, organizations relied on perimeter protections, leveraging authentication to facilitate unencumbered user access within the perimeter. With the rise of hybrid environments and the growth of the cloud, these types of protections became obsolete – leading to the rise of the ‘zero-trust’ architecture.
Ed defines ‘zero trust’ as a condition that occurs when a perimeter is absolved – which covers almost everything within today’s hybrid architectures. Because resources can now be accessed from almost any point, you can’t draw a perimeter. Zero trust advocates building ‘trusted’ environments to host applications, systems, and data that operate with the least privileged access.
The vast majority of organizations are looking to adopt some form of zero trust – a fact that we easily validated during a quick webinar survey with the following question:
Put another way, just 1% responded that they gave zero trust absolutely no consideration in their architecture! Given the enormous influence that zero trust has on security plans, organizations must also understand its weaknesses in regards to API security.
Many API risks can’t be mitigated by zero trust. Because APIs require access to function, zero trust methods break down in API security. Below are three examples, discussed by Roey and Ed, illustrating how zero trust methodologies fall short in protecting APIs:
With increasing digital transformation initiatives, API usage has exploded. APIs have been specifically designed to share data and services across applications. The majority of data flowing in and out of our organizations runs on APIs. In fact, as cited by Roey in the webinar, 83% of Internet traffic is API traffic!
Because APIs enable all of your applications, APIs are critical to deliver the business value. APIs used in online ecommerce apps let you buy the goods being sold. Fintech APIs allow you to transfer funds in and out as desired from your banking account. In order to run a digital business, organizations cannot shut out these APIs – or they would have no business to run.
Because APIs are being developed and deployed so quickly, as well as being changed so frequently, it’s impossible to manually track all of them.
In our Q3 State of API Security report, we found that ‘shadow’ or unknown APIs, and ‘zombie’ or outdated APIs, present a huge concern for organizations. 42% of organizations say their biggest API security worry is outdated APIs. In fact, outdated APIs have been named as the number one API security concern over the past four surveys conducted by Salt Security.
These unknown and unsecured APIs may be being exposed, and organizations wouldn’t even know! Whatever security practice you adopt, if you don’t know an asset exists, you can’t apply the security!
Many API security incidents occur by using the API as it was designed. For example, attackers can use social engineering techniques to obtain an authorized user’s keys or credentials to enable exploitation. In this case, it doesn’t matter that every user has been authenticated by zero trust.
The recent Twitter API key and Peloton incidents provide examples of abusing an API as designed for data exfiltration and unauthorized access. A legitimate usage of an API can allow attackers to gain access to restricted data, as explained in the OWASP API3: Excessive Data Exposure.
According to Roey and Ed, there can be a lot of confusion between API security and zero trust. The reality is that – even with a good zero trust strategy – some API security risks can’t be mitigated by zero trust. You can listen to Roey’s and Ed’s webinar in its entirety here.
It’s extremely important to make sure your OAuth implementation is secure. The fix is just one line of code away. We sincerely hope the information shared in our blog post series will help prevent major online breaches and help web service owners better protect their customers and users.
We want to thank our customers, partners and friends for the calls and messages to our team showing your concern and support.