Fewer Than 50% of Respondents Have API Security Testing Tools


Phishing, misconfigurations and missing patches are top concerns among security leaders, but they also say their organizations are letting observability tools gather rust.

A user going through identity access management.
Image: adam121/Adobe Stock

Content delivery, security and cloud services company Akamai, in partnership with U.S. cybersecurity training company SANS Institute, released on Tuesday the results of a new study examining the most worrisome security risks related to APIs. The 2023 SANS Survey on API Security found that the top risk is phishing attacks.

In addition, the 2023 global survey, which polled 231 application security professionals, found that fewer than 50% of respondents have API security testing tools in place and only 29% have API discovery tools. It also found that only 29% of respondents use the API security controls that are already included in DDoS and load balancing services.

Top six API security risks

When asked what they perceived as the top API security risk, respondents most frequently said:

  1. Phishing to obtain reusable credentials (38.3%).
  2. Attackers exploiting missing patches (24%).
  3. Attackers exploiting vulnerable applications/APIs (12%).
  4. Misconfiguration of servers/services by system administrators (12%).
  5. Accidental disclosure of sensitive/covered information by users (9.1%).
  6. Denial of service (2.3%) (Figure A).

Figure A

Top API risks that Akamai survey respondents reported. Image: Akamai

API proliferation makes security challenges more complex

Akamai reported earlier this year that 2022 broke records for application and application programming interface attacks. Part of the problem is the sheer number of APIs in use by organizations, which is an issue that fits neatly into the “you don’t know what you don’t know” risk bucket.

John Pescatore, director of emerging security trends at SANS and author of the 2023 study, pointed out that the proliferation of APIs is emblematic of how complexity is the enemy of security. He also explained how the very nature of distributed applications increases the threat surface for attackers and the likelihood of vulnerabilities being part of production code.

In the new study, Akamai cites a report by 451 Research that states the average enterprise has more than 15,000 APIs in use. To give a sense of the volume of attacks, Akamai earlier this year reported that on one day, Oct. 8, 2022, there were 161 million API attacks worldwide.

SEE: The C-suite considers API security a top concern (TechRepublic)

According to the report, the survey’s respondents said they planned to close API security gaps in the future with:

  • Web security gateways (14%).
  • API security features in content delivery network/load balancing (13%).
  • Web application firewalls (13%).
  • Dynamic application security testing (13%) (Figure B).

Figure B

Technologies/tools that survey respondents said they intend to implement in the next two years. Image: Akamai

Zero-day risks getting too much credence, misconfiguration not enough

The Akamai study suggests that respondents are giving too little weight to the risk of misconfigured applications and too much to zero-day risks, according to Rupesh Chokshi, general manager of application security at Akamai.

“An organization’s API security plan should include building secure APIs and configuring applications correctly. At the same time, organizations should understand zero-day risks, such as how APIs become vulnerable and prone to exploitation. The distinction is important because it shows that strong API security needs to give significant weight to each side of the API lifecycle; otherwise, vulnerabilities will be missed,” said Chokshi.

Closing the door to application layer misconfigurations

Ory Segal, chief technology officer of Palo Alto Networks Prisma Cloud, concurred that misconfiguration in modern, cloud-native applications poses a substantial risk that is often underplayed by organizations.

“Unfortunately, many focus their attention toward zero-day risks and known vulnerabilities in open source software packages (i.e., common vulnerabilities and exposures). However, statistics and reality show that attackers are more likely to exploit application layer misconfigurations, exposing organizations to significant risk and potential data breaches — just look at the number of recent breaches involving publicly open cloud storage buckets.”

Among Segal’s recommendations:

  • For expediting configuration management, infrastructure as code scanning can provide consistency in configuration and reduce human error.
  • Improving API observability is essential. This can be achieved by implementing robust logging and monitoring.
  • Detailed logs, including API calls, response times and error messages, can offer invaluable insights into the performance and security of APIs.
  • Automated anomaly detection can assist in identifying unusual activities indicative of a potential attack.
  • For more comprehensive API security, adopting the principle of least privilege is recommended, allowing each user only the minimum levels of access necessary to perform their duties.
  • Regular audits and automated testing for common security issues, such as injection-based attacks, can help ensure the ongoing security of APIs.

Proper API hygiene: Inventories, patches, threat assessment

Pescatore wrote that an organization’s API security plan should include:

  • Inventory of APIs in use and processes that use those APIs.
  • Vulnerability assessment of APIs in use.
  • Threat assessment of active attacks exploiting those vulnerabilities.
  • Risk-based mitigation of critical API vulnerabilities.

Sixty-two percent of respondents to the survey said they use web application firewalls as part of API risk mitigation, and 79% of survey takers reported training development staff on application security. Also, 57% of respondents reported API inventory accuracy of between 25% and 75%.

SEE: Gigamon report shines light on deep observability (TechRepublic)

“Security hygiene controls like strong authentication, asset inventory, vulnerability management and change control need to address API security issues,” Pescatore wrote. “Prevention and detection need to be upgraded to deal with API-centric attacks, and infrastructure services (such as content delivery networks and denial of service filtering) need to be put to work as well.”
