I’m going to start off this post by pointing out the obvious just to get it out of the way: our way of life has changed permanently.
With much of the outside world off-limits at the moment, we’ve become dependent upon the online world more than ever. But thanks to various digital platforms, I’m able to stay connected with friends and family, keep things moving with my team at work, do a bit of shopping, and manage all my financials. Things I wouldn’t think twice about doing in person, like running by the bank or picking up a few things at the market, are now exclusively done online. The big change here is that we are all quickly having to get comfortable with this digital transformation.
In light of this accelerated transformation, digital platforms are now a more critical part of our lives, and I’m thankful for the companies that continue to provide these services. Had we seen a similar situation 15 or 20 years back, I wonder how we would have managed.
In my calls with CISOs and companies around the globe, I see many rapidly shifting to enable remote workforces and then tackling the new challenges that come with securing that transition. The other item I see on their priority list is security for the digital platforms that have become even more critical to their business, because those platforms are now their main way to connect with customers and their primary source of revenue.
These digital platforms are not only the focus of consumers; we’ve also seen increasing focus from security researchers and bad actors, making security for these platforms more imperative than ever. With every consumer shifting to digital platforms, both the volume of sensitive data and the attack surface have expanded.
At the core of these digital platforms are APIs which, in recent years, have fueled the explosion of applications and enabled rapid innovation. Unlike traditional applications, API-based applications have their own set of unique security challenges, so much so that OWASP came out with a Top 10 focused solely on API security.
Here are some of the questions that I’m getting from CISOs when I talk to them about securing APIs and protecting their critical digital platforms:
Most CISOs I talk to know of their primary APIs, but also know that there may be many more unknown APIs in their environment: APIs that are exposed publicly, found in development environments, or used to connect with partners. Beyond that, few CISOs think they really know what sensitive information (e.g. PII and IP) is being exposed through these APIs, and that in itself presents unknown risk. Add to that the rapid rate of change, as many development teams are adding functionality to keep up with demand and match functionality found in the real world, and APIs become a moving target for security.
Many know that their current security solutions don’t provide enough protection for APIs. These solutions depend on signatures and are architecturally built to look for known attack patterns. Since the digital platforms and APIs each customer builds are composed of unique functionality and logic, known attack patterns aren’t useful for stopping attacks that target vulnerabilities unique to that logic. These solutions were not built for the types of API attacks that we’re seeing today.
This has always been a challenge, and with attacks on the rise and scrutiny from researchers increasing, efficient elimination of vulnerabilities is needed to protect customers and brands. I see a strong desire to improve workflows between security and development teams so they can work together to quickly identify, prioritize, and eliminate vulnerabilities. Since blocking attacks can be a bit like whack-a-mole, CISOs see eliminating vulnerabilities as giving them the needed edge against attackers and bad press.
These are just some of the common questions that I get as I continue to talk to CISOs across the globe. They know that now, more than ever, their role of securing these platforms is not only essential to the future of their business, but also essential in their customers’ lives. I’m encouraged by how, in this time of adversity, I’ve seen so many come together to learn, share, and help others. I aim to do my part by sharing my insights. At Salt Security, our mission has always been to make it safe for companies to innovate. These days, I see how important this mission is to so many people.
To you and your families, friends, and employees, stay safe and healthy. Our way of life has changed, but together we will get through this, and in the end we will be stronger from what we have learned and the platforms that we have built.
It’s extremely important to make sure your OAuth implementation is secure. The fix is just one line of code away. We sincerely hope the information shared in our blog post series will help prevent major online breaches and help web service owners better protect their customers and users.
We want to thank our customers, partners and friends for the calls and messages to our team showing your concern and support.