See how Sydney Airport meets the Essential Eight with Rubrik ransomware defence
Improving Essential Eight compliance is also important for wider regulatory compliance
3 min read
In an API-first world, regular API security is not enough to keep up with persistent threats
From smartphone apps to e-commerce sites and financial services transactions, APIs serve as the connective tissue that powers the digital economy.
Billions of API calls are made daily with transactional data containing valuable and sensitive information, but how well are organisations protecting their data against API-driven threats?
In this blog, we will examine why trying to secure APIs is not enough to keep up with the modern API threat landscape.
APIs: A fast-growing attack vector
As with any system containing sensitive data, cybercriminals have noticed and adjusted their attack campaigns towards exploiting APIs.
As organisations face these new security threats at an unprecedented scale and impact, the question for IT leaders is how to ensure that their sensitive data is protected and future-proofed.
APIs are inherently difficult to defend because today’s API applications are more distributed, consist of multiple points of entry, and constantly change.
To find out more, Secure Agility recently hosted Muzaffer Pasha from Cequence Security, a pioneer of unified API protection solutions.
“API security is a very different beast than traditional enterprise security,” Pasha said. “APIs provide unrestricted global access in order to power applications. Because anyone in the world can reach an API Endpoint, an attack can be from anywhere.”
Applications that were built on monolithic architectures are being ported to the cloud as applications built on microservices and API endpoints. This means a typical app, like a banking app, might have five, six or even more API endpoints when previously there were none.
Monolithic applications were more or less static, whereas today’s APIs are constantly changing. If an API sits in the app security perimeter and is not secured, attackers can gain access.
“APIs are everywhere in our daily lives, from smartphone apps, Google maps to even critical oil and gass control sytems” Pasha said.
“APIs have a standard interface that makes it easy for cybercriminals to research published APIs and probe what works and what doesn’t in order to exploit an API application.”
Start by asking the tough questions.
Better API management now relates to future-proofing the business as so much of tomorrow’s business will depend on APIs.
According to Charlie Tannous, Director for Technology at Secure Agility, for IT and security leaders, this means asking the big questions about where the organisation’s API management capability lies. These include:
• How are APIs used across the business?
• Do your existing security services help discover and protect your APIs?
• What does it mean if you are not protected?
• What does your current API security landscape look like?
• How do you stay ahead of the curb with APIs?
“CISOs might not understand the mechanics, but they understand the need, and there is a need for a holistic solution, not a band-aid approach,” Tannous said.
“Awareness is building quickly in the US as organisations become compromised in a very untraditional way. In fact, an API-driven exploit can be easier than a traditional attack as there is less human intervention involved. In the case of phishing, attackers need to send an email.”
Security leaders need to understand a potential security ‘blind spot’ they might not know about. This includes what sensitive data APIs are accessing, such as customer information or vertical industry data, such as healthcare records.
The need for API lifecycle management
Pasha said, “API protection goes far beyond existing API security vendors on the market that only look at blocking attacks but insteads adopts a security approach that understands the entire API lifecyle and pinpoints where threats can exist and be potentially exploited. There is a continuous API lifecycle, as APIs are created, used and retired.”
Cequence Unified API protection (UAP) understands the API lifecycle, including how APIs are developed, deployed, and attacked. This ensures APIs are continuously protected against the latest API cyber-threats that seek to exploit mission-critical services.
APIs should conform to an OpenAPI specification and security and governance best practices , that act as security guardrails, ensuring that APIs are not pushed into production and expose sensitive data such as health records.
UAP not only helps to discover all of your APIs but also surfaces critical security issues that matter by comparing each of your APIs against an OpenAPI specification and security best practices.
Organisations can also get a prioritised list of APIs ranked by risk level and the risk they pose to the organisation. Furthermore, Cequence UAP can provide real-time detection and prevention against API attacks as they target an application.
To learn more about API security – contact us now.
Looking for managed services for information technology? We’re here to help.
“API protection is a very different beast than traditional security. Universal access to an API, means an attack can be from anywhere in the world,”
Muzaffer Pasha, Cequence Security
Information Security in changing times: Can you deliver Essential 8 compliance out of the box?
You need someone to go with you on the Essential 8 journey, so clearly articulate your risk appetite and what you are willing to accept
