Page 163 - Cyber Defense eMagazine January 2023

While APIs are the foundation of modern business, they also are creating new risks. The fast rate of API
            adoption is outpacing organizations’ ability to create strong governance and security tools around this
            layer. In addition, organizations are using APIs to connect to legacy applications that perform as expected
            but lack the security of cloud-native services and architectures.

            Recognizing these trends, OWASP has published a top-10 API security risk list that includes issues such
            as broken object-level authorization, broken user authorization, excessive data exposure, and more.

            Gartner predicted that APIs would be the number-one attack vector in 2022. Breaches due to API security
            risks have already snared Coinbase, Optus, Uber, and others.


            Zero Trust Must Secure the API Layer

            So, it’s clear that Zero Trust security models need to extend beyond the user and the device layer to
            include the application, data, and integration layers. Organizations can do so by tackling the problem of
            API security, and considering partners, vendors, customers, and other third parties in their Zero Trust
            frameworks.
            To manage, control, and secure APIs, IT and security teams need to be able to:

               1.  Discover and test APIs: Teams want to automatically discover APIs and sensitive data flows.
                   API security platforms that enable continuous discovery empower teams to track APIs as their
                   environments change and create an always-up-to-date inventory of all of their APIs. As a result,
                   it’s easy for teams to identify shadow and orphaned APIs, as well as any changes.


               2.  Evaluate API risk posture: Risk scoring has transformed security and also applies to APIs. API
                   security platforms provide a security risk score for every API. These risk scores consider runtime
                   details, such as sensitive data flows, API call maps, usage behavior, threat details and activity
                   levels, and other factors, to help teams focus on the areas of greatest risk. Teams are then able
                   to identify which APIs are most vulnerable to abuse, so that they can prioritize remediation and
                   take fast action to reduce threats.


               3.  Stop API attacks: API security platforms equip teams to detect and stop known and unknown
                   API attacks, business logic abuse, and zero-day attacks, as well as API abuse, fraud, and sensitive
                   data exfiltration. Being able to identify where hackers have gained access to sensitive data enables
                   IT and security teams to rapidly shut down these attempts, limiting their harm.

               4.  Analyze APIs for threat hunting and research: Organizations can improve threat hunting by
                   using API security platforms to create an end-to-end path trace of all of their API calls and service
                   behavior. This information can be aggregated in an API data lake that security operations teams,
                   threat hunters, and forensic researchers can use to identify root causes, speed incident detection
                   and resolution, and improve processes. With these insights, organizations can reduce their API
                   attack surface over time.
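
The inventory comparison behind item 1, as an added example (not code from the article or from any vendor's product). It assumes gateway logs in a simple `method path status` form, takes "shadow" to mean endpoints served but missing from the inventory and "orphaned" to mean inventoried endpoints with no observed traffic; the inventory, log lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Documented inventory (constructed sample): (method, path template).
INVENTORY = {
    ("GET", "/v1/users/{id}"), ("POST", "/v1/orders"),
    ("GET", "/v1/orders/{id}"), ("GET", "/v1/reports/{id}"),
}

# Constructed gateway log lines: "<method> <path> <status>".
SAMPLE_LOG = """\
GET /v1/users/1001 200
GET /v1/users/1002?fields=email 200
POST /v1/orders 201
GET /v1/orders/7f3c2a9e-1b4d-4c6e-9a2f-0d5e8b7c6a11 200
GET /internal/debug/users/42 200
POST /v0/orders 201
GET /v1/users/abc/ 404
"""

ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")

def normalize(path):
    """Drop the query string and collapse numeric/UUID segments to {id}."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in path.split("/"))

def observed_endpoints(log_text):
    """Count served calls per (method, template); 4xx/5xx lines are ignored."""
    seen = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines rather than guess at them
        method, path, status = parts
        if int(status) < 400:
            seen[(method.upper(), normalize(path))] += 1
    return seen

def diff_inventory(inventory, log_text):
    seen = set(observed_endpoints(log_text))
    shadow = sorted(seen - inventory)      # served but undocumented
    orphaned = sorted(inventory - seen)    # documented, no traffic in this window
    return shadow, orphaned

if __name__ == "__main__":
    shadow, orphaned = diff_inventory(INVENTORY, SAMPLE_LOG)
    print("shadow:", shadow)
    print("orphaned:", orphaned)
```

An endpoint reported as orphaned only means no traffic appeared in the log window examined, so the window should cover low-frequency jobs before anything is retired.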

            There are myriad API security vendors that purport to offer these four capabilities, yet many struggle to
            deliver across one or more of these areas. These platforms may be unable to prevent bot or DDoS
            attacks, fail to detect changes in API behavior, lack the ability to analyze sensitive data flows, or have




            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.