Protecting APIs from the expanding attack surface


Security leaders say that deploying a web application exposes the organization's APIs to the internet, yet those APIs are required to access vital information.

The cybersecurity attack surface has gradually expanded and evolved as more organizations transfer business-critical applications to cloud platforms. Enterprises initially focused on managing a clearly defined network perimeter, but they now deal with multiple public clouds.

These come in addition to private data center applications and footprint. As a result, the attack surface is now very different from the conventional one that organizations and CIOs were previously used to.

Enterprises also need updated Web Application and API Protection (WAAP) solutions to keep the corporate network from becoming part of the attack surface.

Even though APIs are robust tools used to provide critical line-of-business features, they also increase the attack surface substantially. This complicates security profiles, and a conventional WAF solution that protects organizations from typical OWASP attacks is deemed insufficient.

CIOs say that APIs need to be protected in view of the updated web applications currently in use. These applications send HTML content to the browser for display, potentially exposing the APIs to end users.


APIs are critical for web operations since they help clients serve a rich application experience to users. The clients range from web browsers to B2B communication and mobile applications; in many cases the data doesn't even need to be displayed to humans.

Thus, CIOs suggest deploying modern Web Application and API Protection (WAAP) solutions capable of protecting the organization from all attack campaigns.

API protection in the cloud security strategy

Generally, API security concerns can be handled within the application as well. It is possible to deploy control measures within the application that reduce some of the risk of exposing APIs to nefarious actors.

Such measures include implementing rate limits, validating inputs, and restricting access to the API with API keys or similar tools. Many of these solutions are found in commercial off-the-shelf (COTS) and open-source web applications.
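The three in-application controls named above (API keys, rate limits, input validation) can be combined in one request gate, as in this added example, which is not taken from any product or project the article mentions. The key value, the `order_id` field and its format, and the rate settings are constructed assumptions.

```python
import hashlib
import hmac
import re
import time

# Constructed sample data: store only SHA-256 digests of issued API keys.
KEY_DIGESTS = {hashlib.sha256(b"demo-key-123").hexdigest(): "client-a"}
ORDER_ID = re.compile(r"[A-Z]{2}\d{6}")  # allow-list format for the one accepted field
RATE, BURST = 1.0, 3                     # tokens refilled per second, bucket capacity
_buckets = {}                            # client -> (tokens, time of last request)

def authenticate(api_key):
    """Return the client name for a valid key, else None (constant-time compare)."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored, client in KEY_DIGESTS.items():
        if hmac.compare_digest(stored, digest):
            return client
    return None

def allow(client, now):
    """Token bucket: refill by elapsed time, spend one token per request."""
    tokens, last = _buckets.get(client, (BURST, now))
    tokens = min(BURST, tokens + (now - last) * RATE)
    if tokens < 1:
        _buckets[client] = (tokens, now)
        return False
    _buckets[client] = (tokens - 1, now)
    return True

def validate(body):
    """Accept only the expected field set, type and format; reject everything else."""
    return (isinstance(body, dict) and set(body) == {"order_id"}
            and isinstance(body["order_id"], str)
            and ORDER_ID.fullmatch(body["order_id"]) is not None)

def handle(api_key, body, now=None):
    """Return an HTTP-style status code for one request."""
    now = time.monotonic() if now is None else now
    client = authenticate(api_key or "")
    if client is None:
        return 401  # unknown or missing key
    if not allow(client, now):
        return 429  # rate limit exceeded for this client
    if not validate(body):
        return 400  # unexpected fields or malformed value
    return 200
```

The rate limit is charged per authenticated client before validation, so malformed requests also consume the caller's budget.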

Organizations may already be using these applications as building blocks to create, deploy, and maintain the new web applications required to satisfy business needs.

CIOs acknowledge that this might not be the best place to deploy such controls. Depending on application developers and applications to provide their own security is risky for the organization.


Developers are technically evaluated based on uptime, feature delivery and other relevant metrics. Security should ideally be on the list, but in practice, consistently making security the top skill is difficult.

It is even more challenging when the DevOps team doesn't possess extensive cybersecurity personnel or skills. CIOs say even the development team focuses on application security. Multiple application departments deploying individual approaches to application security leave the security teams confused.

Lack of proper visibility into security events across all web applications exposes the network and organization to unnecessary and damaging risks.