The API Security Newsletter - Issue #9
Organizations are consistently failing to secure APIs, with 95% of organizations suffering an API security incident in the last 12 months, and 34% admitting they lack any kind of API security strategy — despite running APIs in production.
One of the most alarming findings of the study was that there is a gap between the level of API documentation and the level of protection that orgs believe they have. For instance, while 92% of those surveyed believe they have adequate protection for their APIs, 62% admit one-third or more APIs are undocumented. This indicates that most organizations are in denial about their true API security posture, choosing to overlook the lack of transparency over a significant number of undocumented APIs.
In a recent report, Imperva partnered with the Marsh McLennan Global Cyber Risk Analytics Center to analyze API-related incident data and quantify the cost of API insecurity. Researchers discovered that the lack of API security may cause $12 billion to $23 billion in average annual API-related cyber loss in the US and anywhere from $41 billion to $75 billion globally.
Learn how to protect your APIs from these three big security risks.
An API is more than the connective tissue that enables applications and databases to seamlessly work together. It is also a pathway for hackers to access an organization’s applications and sensitive data, often out of sight and undetectable.
No one can ever perfectly eliminate vulnerabilities from code. And wherever organizations are in their API security journey, they always have a substantial number of APIs already in production. Runtime protection with a dedicated API security solution will keep data and services protected even if developers missed a vulnerability or business logic gap.
API security has also become a growing concern for all industries. The most severe and devastating API attacks include API injection attacks targeted at applications built on poorly developed code. In API injection attacks, hackers inject malicious code into software and gain control of an application. Another attack linked with APIs is the Distributed Denial of Service (DDoS) attack, in which multiple computer systems swamp the bandwidth of the web application.
An unpatched security issue in the Travis CI API has left tens of thousands of developers' user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks.
Third-party exposures can create huge disruptions in this above workflow. This could take the form of insecure libraries, underlying cloud vulnerabilities or API vulnerabilities, says Dooley. “Customers will embed APIs in the software stack—to them, it’s a black box.”
Most of the guidance is "recommended" except in areas of API security.
The new API guidelines provide agencies context for API standards, focused design and implementation guidance, and API best practices aimed to help agencies achieve a consistent and common approach to their development and delivery.
Organizations are achieving new levels of connectivity, productivity and agility through the use of APIs. They use APIs to connect internal applications, accelerate processes with their business partners and even deliver data services to the public. But a small fraction of organizations are able to keep tabs on the thousands, if not tens of thousands of APIs making data calls within their digital ecosystem. Even fewer are fully prepared to protect against runtime API threats. And the fact is, misconfigured and hacked APIs are behind some major data breaches.
Noname Security has updated its platform for securing application programming interfaces (APIs) to make it possible to discover them in seconds and then automatically remediate vulnerabilities when discovered. In addition, Noname API Security Platform 3.0 added a revamped user interface to make it easier to drill down into, customize and export views, along with a set of APIs that makes the security platform programmable within the context of a larger DevSecOps workflow.
API (security) related videos
The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications has sparked an explosion of easily accessible REST APIs. But does the rise of APIs result in the downfall of security? Why are there so many vulnerabilities and incidents involving APIs? How can you ensure that your APIs are secure?
APIs are a leading attack vector that often get pushed into production without proper security testing. In this presentation we will provide an overview of the OWASP API Security Top 10 vulnerabilities from an adversarial perspective. Then we will discuss how vulnerability management programs often use the wrong tools to test APIs and how to build an effective API security stack.
In this presentation, Alissa demystifies her tactics and techniques in hacking financial services and FinTech apps and APIs, which resulted in the breach of 55 banks and cryptocurrency exchanges.
One more thing...
The always wonderful Professor Hannah Fry has done two seasons of the DeepMind podcast so far. The series uncovers the extraordinary ways artificial intelligence (AI) is transforming our world, and is highly recommended.
Recorded over six months and featuring over 30 original interviews, including DeepMind co-founders Demis Hassabis and Shane Legg, the podcast gives listeners exclusive access to the brilliant people building the technology of the future. Throughout nine original episodes, Hannah discovers how DeepMind is using AI to advance science in critical areas, like solving a 50-year-old grand challenge in biology and developing nuclear fusion.
Listeners hear stories of teaching robots to walk at home during lockdown, as well as using AI to forecast weather, help people regain their voices, and enhance game strategies with Liverpool Football Club. Hannah also takes an in-depth look at the challenges and potential of building artificial general intelligence (AGI) and explores what it takes to ensure AI is built to benefit society.
Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Noname Security publication; the newsletter is meant to provide independent API Security News. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DMs are open).