CISOs know technology change is constant and never-ending – just like taxes. In Benjamin Franklin's famous saying, "Nothing is certain but death and taxes," he overlooked this third truth. In fact, if you look back in history, technology began its evolution well before taxes. The wheel was invented around the 4th millennium BC, whereas organized taxes didn't show up until about a thousand years later.
Like taxes, technology change can cause FUD – fear, uncertainty, and doubt. CISOs realize that if they don’t keep up with technology advancements, they place the organization at risk. With the growth of APIs, the attack surface has expanded – and so has API attack traffic.
According to the latest Salt Labs State of API Security report, 95% of organizations have experienced an API security incident in the past 12 months. In addition, numerous companies have suffered public API incidents over the past year, including Facebook, Experian, Starbucks, and Peloton. Clearly, the current crop of application security techniques is not sufficient when it comes to protecting APIs from breaches.
To correct this situation, security leaders must take a close look at how they currently think about API security. In our new and complimentary white paper, Salt Security describes and analyzes the top misconceptions we have found people often hold about their API security. The paper addresses misconceptions such as the following:
APIs need access to function, but the goal of zero trust is to restrict access. Network-centric zero trust breaks down when applied to APIs, because public APIs are designed to be consumed by the broader internet and a large customer base rather than by a known set of users and devices. Moreover, many zero trust network access (ZTNA) offerings rely on interactive 2FA to authenticate a person before granting access; that step has no equivalent for machine-to-machine API calls, which authenticate with keys or tokens, so it cannot control direct API communication.
Although some cloud providers offer tools such as API management and API gateways, these point products do not deliver the level of protection enterprises need for APIs. With limited security capabilities at the application and API layer, your APIs are underprotected if you rely only on cloud provider tools. Keep in mind, too, that because APIs are application logic, cloud customers hold the ultimate responsibility for protecting them under the shared responsibility model for security.
WAFs and API gateways were not designed to provide the visibility and security controls needed to protect APIs. They cannot detect certain malicious behaviors, for example when attackers bypass access controls or harvest keys and tokens, and they miss many API-specific problems such as business logic abuse and authorization exploits, where every individual request is well-formed and only the identity behind it or the sequence of calls reveals the attack.
Workload security solutions provide infrastructure security, ensuring you are not running workloads on a vulnerable software version, and they can block access to a workload from external users. However, they have no API- or application-level context, so they cannot provide visibility into your APIs.
Be aware that shift-left support does not mean security will be baked into every API by your development groups. Developer testing tools, while valuable, cannot identify all vulnerabilities. Many security issues cannot be spotted by automated design, development, and build scans with common security analysis and testing tools; the APIs need to be exercised, with real identities and real data, to spot business logic flaws.
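The authorization exploits a WAF cannot see and the business logic flaws that only surface when an API is exercised are the same class of bug, so one worked example covers both points. What follows is an added illustration, not code from the white paper or from any Salt Security product: a constructed in-memory "orders" endpoint in its broken-object-level-authorization (BOLA) form and its hardened form, a toy signature filter standing in for what a WAF inspects, and a dynamic test that logs in as one customer and requests every order. The token table, the order records, and all function names are assumptions made for the example.

```python
"""Added example (not from the Salt Security white paper): a broken object
level authorization (BOLA) flaw, and the dynamic test that finds it.

Everything here is constructed for illustration: the in-memory API, the
token table and the order records are assumptions, not a real product."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: two customers, each owning exactly one order.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # bearer token -> user
ORDERS = {
    1001: {"owner": "alice", "total": 42.00, "card_last4": "1111"},
    1002: {"owner": "bob",   "total": 99.50, "card_last4": "2222"},
}


@dataclass
class Request:
    method: str
    path: str
    token: str


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(req: Request) -> Optional[str]:
    """Resolve the bearer token to a user; None if the token is unknown."""
    return TOKENS.get(req.token)


def order_id_from_path(path: str) -> Optional[int]:
    m = re.fullmatch(r"/orders/(\d+)", path)
    return int(m.group(1)) if m else None


def get_order_vulnerable(req: Request) -> Response:
    """Authenticates the caller but never checks that the caller owns the
    order. A valid token for any customer can read every order: BOLA."""
    if authenticate(req) is None:
        return Response(401)
    oid = order_id_from_path(req.path)
    if oid is None or oid not in ORDERS:
        return Response(404)
    return Response(200, ORDERS[oid])


def get_order_hardened(req: Request) -> Response:
    """Same endpoint with the missing authorization check added: the
    record's owner must be the authenticated caller."""
    user = authenticate(req)
    if user is None:
        return Response(401)
    oid = order_id_from_path(req.path)
    if oid is None or oid not in ORDERS:
        return Response(404)
    if ORDERS[oid]["owner"] != user:
        return Response(403)  # the object exists, but it is not yours
    return Response(200, ORDERS[oid])


# Toy stand-in for a signature-based WAF: it scans the path for injection
# and traversal patterns and nothing else. A BOLA request matches none.
WAF_SIGNATURES = [r"(?i)union\s+select", r"<script", r"\.\./", r"'\s*or\s+1=1"]


def waf_verdict(req: Request) -> str:
    """'block' if any signature matches the request path, otherwise 'allow'."""
    return "block" if any(re.search(p, req.path) for p in WAF_SIGNATURES) else "allow"


def exercise_bola(handler: Callable[[Request], Response], attacker_token: str) -> list:
    """Dynamic test: authenticate as one customer and request every order id.
    Returns the ids of orders the handler served that the caller does not own."""
    attacker = TOKENS[attacker_token]
    leaked = []
    for oid, record in ORDERS.items():
        resp = handler(Request("GET", f"/orders/{oid}", attacker_token))
        if resp.status == 200 and record["owner"] != attacker:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    probe = Request("GET", "/orders/1002", "tok-alice")  # alice reads bob's order
    print("WAF verdict on the BOLA request:", waf_verdict(probe))
    print("vulnerable handler leaks:", exercise_bola(get_order_vulnerable, "tok-alice"))
    print("hardened handler leaks:  ", exercise_bola(get_order_hardened, "tok-alice"))
```

The request that exfiltrates Bob's card digits is `GET /orders/1002` with Alice's perfectly valid token: no signature fires, the gateway sees an authenticated caller, and a static scan of either handler finds the same parsing and lookup code. Only running the endpoint under a second identity, as `exercise_bola` does, separates the vulnerable handler (which leaks order 1002) from the hardened one (which returns 403).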
Internal digitalization initiatives, mobile applications, and web-based services all contribute to the increased usage of APIs. The way companies could protect a handful of APIs in the past doesn’t work when you are rapidly building dozens or hundreds of APIs.
You never know. Maybe someday, taxes won’t be a certainty, but technology will certainly continue to evolve and progress.
Salt Security pioneered the industry’s first patented solution to prevent the next generation of API attacks, using machine learning and AI to automatically and continuously identify and protect APIs. If you’d like to learn how we can help you to secure your organization’s critical APIs, we invite you to a personalized demo of the award-winning Salt Security API Protection Platform.
Dr. Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, joined our recent API Security Summit. Dr. Chuvakin’s session – co-hosted by Salt Security's Michelle McLean – provided an in-depth discussion on why API security has become a “now” problem.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs.
With the industry moving to microservices and API-driven applications, new security threats and attack vectors have emerged. The PCI Security Standards Council has worked to address these threats in its newest PCI DSS 4.0 standard.