Sunday, November 20, 2022

3 Top API Security Trends For 2023

 


As we lumber along into 2023 in a rather face clip, there is one thing that will remain for certain in the digital world:  The number of connected devices is only expected to grow at a much higher clip than ever before.  Consider some of these stats:

*By 20232, there will be an average of 4 connected device for every individual;

*By the end of next year, there will be 30 billion connected devices in total;

*The number of digital machines that will be interconnected will be at a whopping 15 billion.

But the common denominator connecting everything together is the software applications that reside underneath them.  For example, it makes no sense for an app to communicate from one device to connect to another, totally different device if there was no business reason behind it. 

But software apps are the thing of both now and the future.  Although this interconnectivity does bring its key set of advantages to the table, it does bring in its Cyber risks as well, as now the attack surface has greatly widened.

Because of this, many software development teams and the companies that they work for are now coming under the microscope more so than ever before, because much of the source code that was used to create the app was never fully tested. 

Or at best, only bits and pieces of it were, thus leaving many backdoors open for a malicious third party to enter into. 

In fact, if you take a quick peruse through some of the Cyber headlines that are available on the various online portals, you will find at least 2-3 stories in which insecure source code was the culprit of a security breach in happening. 

At fault here are the APIs that are used in the source code development process itself.  Let’s use an illustration here.  Suppose a client came to your team and asked that you develop a specialized web app for them.

If you were to create the source code from scratch, it would take many months to get the project completely built out.  By nature, software developers don’t like to waste time in the coding process, if possible, they would like to take shortcuts and reuse the same code in order to keep up with the schedule of delivery. 

So in this regard, the API is a widely used tool.  It is a software library, or module, that bridges the front end of the app (which is what the end user sees) and the backend (which is the database, which houses the data about the end user, for example, when they fill out the contact form.

The API is nothing but a bunch of code that can be modified in order to meet the strict needs of the software development team.  Some of these APIs are closed source, meaning you actually have to purchase the license in order to fully use them.  But a bulk of them are open source, which simply means that you can download them for free from a reputable vendor, such as that of Git Hub.

But the problem with these open-source APIs is that they are really never updated with the latest patches and upgrades.  In the rush to get things done, software developers go on blind trust that these APIs are indeed safe to use, without testing them first.  And, if there are any untested APIs in the project, this is yet another avenue for backdoors to be left open.

But this is not the only problem to be faced when using API’s.  The other issue is now coming up with the permissions that are being established with them.  For example, rather than having to keep modifying the level of permissions for every new software build that comes out, software developers are implementing super user privileges from the very first build itself, and letting it go at that. 

They take the blind assumption that these privileges will be modified over time, when and as needed.  But, when the second build does come around, many of these same developers forget to do this, thus leaving a huge security gap here. This is becoming a very serious here, as it is evident from these stats:

*According to the Salt Security State of API Security Report, 20% of all of the respondents some sort of security breach because of overprivileged APIs;

*On a monthly basis, there are at least 27 million malicious calls made to these APIs.

More details about this can be seen here at this link:

https://content.salt.security/state-api-report.html?utm_medium=banner&utm_source=web&utm_campaign=hellobar

So what can be done to help stop this abuse of over privileging APIs?  Here are some tips to communicate with your software development team, whether they are insourced our outsourced:

*Get them to think about security first:

As mentioned earlier in this blog, software developers are always under huge time constraints to get things done on time.  Get away from this line of thinking, and instead, give them the time that they need to develop a product that not only satisfies the needs of the client, but is also as secure as possible.  This means that the developers literally have to test each line of code, one by one, to make sure that it is secure.  Sounds like that this will take forever?  Not really. Today, there are automated tools which are available that can do this, and some of the top ones are available from Git Hub.

*Always test the code:

This is a no brainer of course.  But it’s not from the standpoint of security.  Every source code module must be tested independently in a sandboxed like environment to make sure that they are secure before they are joined with other modules.  This will help to prevent any failure in one module to cascade downward towards other source code modules.

*Get rid of adding super user privileges:

To nip the problem in the bid, just get rid of over privileging from the very beginning.  This will allow for your software development team to adopt the principles of the Zero Trust Framework right when the first lines of source code are created.  Remember, permissions can always be added later.  In fact, this is becoming a hot button topic of today, as many companies are now moving to the Cloud.  But because many SaaS apps are now both available in the internal and external environments, many organizations are now favoring to put them in the Hybrid cloud.  This is where the Zero Trust Framework would work quite well in.  In fact, Microsoft Azure even offers tools that you can use for the assigning of permissions, rights, and permissions for your newly deployed SaaS deployment.  Many of these tools make use of the MIM-PAM methodology when assigning permissions. 

My Thoughts On This:

It is important to keep in mind that Access Management and the role it plays in APIs are also going to become a hot trend in the 2023, and going well into the future.  Thus in this regard, it would be very prudent for your software development team to adopt the DevSecOps approach. 

This is where both the Operations Management and IT Security teams come together to work with the developers, in order to make sure that the app is being developed maintains a strong security posture after the project has been delivered to the client. 

And finally, this approach will also help to ensure that over privileging in any circumstance does not become a common practice. 

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...