Page 163 - Cyber Defense eMagazine January 2023
While APIs are the foundation of modern business, they also are creating new risks. The fast rate of API
adoption is outpacing organizations’ ability to create strong governance and security tools around this
layer. In addition, organizations are using APIs to connect to legacy applications that perform as expected
but lack the security of cloud-native services and architectures.
Recognizing these trends, OWASP has published a top-10 API security risk list that includes issues such
as broken object-level authorization, broken user authorization, excessive data exposure, and more.
Gartner predicted that APIs will be the number-one attack vector in 2022. Breaches due to API security
risks have already snared Coinbase, Optus, Uber, and others.
Zero Trust Must Secure the API Layer
So, it’s clear that Zero Trust security models need to extend beyond the user and the device layer to
include the application, data, and integration layers. Organizations can do so by tackling the problem of
API security, and considering partners, vendors, customers, and other third parties in their Zero Trust
frameworks.
To manage, control, and secure APIs, IT and security teams need to be able to:
1. Discover and test APIs: Teams want to automatically discover APIs and sensitive data flows.
API security platforms that enable continuous discovery empower teams to track APIs as their
environments change and create an always-up-to-date inventory of all of their APIs. As a result,
it’s easy for teams to identify shadow and orphaned APIs, as well as any changes.
2. Evaluate API risk posture: Risk scoring has transformed security and also applies to APIs. API
security platforms provide a security risk score for every API. These risk scores consider runtime
details, such as sensitive data flows, API call maps, usage behavior, threat details and activity
levels, and other factors, to help teams focus on the areas of greatest risk. Teams are then able
to identify which APIs are most vulnerable to abuse, so that they can prioritize remediation and
take fast action to reduce threats.
3. Stop API attacks: API security platforms equip teams to detect and stop known and unknown
API attacks, business logic abuse, and zero-day attacks, as well as API abuse, fraud, and sensitive data
exfiltration. Being able to identify where hackers have gained access to sensitive data enables IT
and security teams to rapidly shut down these attempts, limiting their harm.
4. Analyze APIs for threat hunting and research: Organizations can improve threat hunting by
using API security platforms to create an end-to-end path trace of all of their API calls and service
behavior. This information can be aggregated in an API data lake that security operations teams,
threat hunters, and forensic researchers can use to identify root causes, speed incident detection
and resolution, and improve processes. With these insights, organizations can reduce their API
attack surface over time.
There are myriad API security vendors that purport to offer these four capabilities, yet many struggle to
deliver across one or more of these areas. These platforms may be unable to prevent bot or DDoS
attacks, fail to detect changes in API behavior, lack the ability to analyze sensitive data flows, or have
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.