As we lumber along into 2023 in a rather face clip, there is
one thing that will remain for certain in the digital world: The number of connected devices is only
expected to grow at a much higher clip than ever before. Consider some of these stats:
*By 20232, there will be an average of 4 connected device
for every individual;
*By the end of next year, there will be 30 billion connected
devices in total;
*The number of digital machines that will be interconnected
will be at a whopping 15 billion.
But the common denominator connecting everything together is
the software applications that reside underneath them. For example, it makes no sense for an app to
communicate from one device to connect to another, totally different device if
there was no business reason behind it.
But software apps are the thing of both now and the
future. Although this interconnectivity
does bring its key set of advantages to the table, it does bring in its Cyber
risks as well, as now the attack surface has greatly widened.
Because of this, many software development teams and the
companies that they work for are now coming under the microscope more so than
ever before, because much of the source code that was used to create the app
was never fully tested.
Or at best, only bits and pieces of it were, thus leaving
many backdoors open for a malicious third party to enter into.
In fact, if you take a quick peruse through some of the
Cyber headlines that are available on the various online portals, you will find
at least 2-3 stories in which insecure source code was the culprit of a
security breach in happening.
At fault here are the APIs that are used in the source code
development process itself. Let’s use an
illustration here. Suppose a client came
to your team and asked that you develop a specialized web app for them.
If you were to create the source code from scratch, it would
take many months to get the project completely built out. By nature, software developers don’t like to
waste time in the coding process, if possible, they would like to take
shortcuts and reuse the same code in order to keep up with the schedule of
delivery.
So in this regard, the API is a widely used tool. It is a software library, or module, that
bridges the front end of the app (which is what the end user sees) and the
backend (which is the database, which houses the data about the end user, for
example, when they fill out the contact form.
The API is nothing but a bunch of code that can be modified
in order to meet the strict needs of the software development team. Some of these APIs are closed source, meaning
you actually have to purchase the license in order to fully use them. But a bulk of them are open source, which
simply means that you can download them for free from a reputable vendor, such
as that of Git Hub.
But the problem with these open-source APIs is that they are
really never updated with the latest patches and upgrades. In the rush to get things done, software
developers go on blind trust that these APIs are indeed safe to use, without
testing them first. And, if there are
any untested APIs in the project, this is yet another avenue for backdoors to
be left open.
But this is not the only problem to be faced when using
API’s. The other issue is now coming up
with the permissions that are being established with them. For example, rather than having to keep
modifying the level of permissions for every new software build that comes out,
software developers are implementing super user privileges from the very first
build itself, and letting it go at that.
They take the blind assumption that these privileges will be
modified over time, when and as needed.
But, when the second build does come around, many of these same
developers forget to do this, thus leaving a huge security gap here. This is
becoming a very serious here, as it is evident from these stats:
*According to the Salt Security State of API Security Report,
20% of all of the respondents some sort of security breach because of overprivileged
APIs;
*On a monthly basis, there are at least 27 million malicious
calls made to these APIs.
More details about this can be seen here at this link:
So what can be done to help stop this abuse of over
privileging APIs? Here are some tips to
communicate with your software development team, whether they are insourced our
outsourced:
*Get them to think about security first:
As mentioned earlier in this blog, software developers are
always under huge time constraints to get things done on time. Get away from this line of thinking, and
instead, give them the time that they need to develop a product that not only
satisfies the needs of the client, but is also as secure as possible. This means that the developers literally have
to test each line of code, one by one, to make sure that it is secure. Sounds like that this will take forever? Not really. Today, there are automated tools
which are available that can do this, and some of the top ones are available
from Git Hub.
*Always test the code:
This is a no brainer of course. But it’s not from the standpoint of
security. Every source code module must
be tested independently in a sandboxed like environment to make sure that they
are secure before they are joined with other modules. This will help to prevent any failure in one
module to cascade downward towards other source code modules.
*Get rid of adding super user privileges:
To nip the problem in the bid, just get rid of over
privileging from the very beginning.
This will allow for your software development team to adopt the
principles of the Zero Trust Framework right when the first lines of source
code are created. Remember, permissions
can always be added later. In fact, this
is becoming a hot button topic of today, as many companies are now moving to
the Cloud. But because many SaaS apps
are now both available in the internal and external environments, many
organizations are now favoring to put them in the Hybrid cloud. This is where the Zero Trust Framework would
work quite well in. In fact, Microsoft
Azure even offers tools that you can use for the assigning of permissions,
rights, and permissions for your newly deployed SaaS deployment. Many of these tools make use of the MIM-PAM
methodology when assigning permissions.
My Thoughts On This:
It is important to keep in mind that Access Management and
the role it plays in APIs are also going to become a hot trend in the 2023, and
going well into the future. Thus in this
regard, it would be very prudent for your software development team to adopt
the DevSecOps approach.
This is where both the Operations Management and IT Security
teams come together to work with the developers, in order to make sure that the
app is being developed maintains a strong security posture after the project
has been delivered to the client.
And finally, this approach will also help to ensure that
over privileging in any circumstance does not become a common practice.
No comments:
Post a Comment