The API Security Newsletter - Issue 24
Hi Everyone! Welcome to this 24th edition of The API Security Newsletter. As always, I welcome any feedback via Twitter DM (https://twitter.com/filipv).
4 cloud API security best practices
API use and capabilities have grown significantly over the past decade to improve application development; interaction with services and app features; and integration with applications, services and components of all types. Nowhere is this truer than in the cloud, where API availability and use are the norm rather than the exception.
APIs have also become a major target for attackers, however, due to exposure, a variety of vulnerabilities and configuration issues, and the fact that some APIs are inherently less secure than others.
Preventing Data Breaches In 2023: Why API Security Is Critical
If data breaches can be devastating for companies, regardless of their size, imagine the impact on the individuals whose personal information was exposed. I checked Thesaurus.com and couldn’t find anything five times worse than the word “devastating.” It’s impossible to imagine how it feels unless you’ve gone through it yourself.
This is why businesses need to be relentless when it comes to protecting customer data. Of course, it's easier said than done with the global economy on the brink of recession and facing inflation. However, this backdrop further justifies why companies need to take cybersecurity seriously.
Financial Services Firms: Address FFIEC’s Stringent API Security Regulations with Noname Security
Financial services companies are a favorite target for threat actors. Most of us are familiar with the Equifax and Capital One breaches that exposed hundreds of millions of customer records. But there are other attacks that don’t make the headlines. Over the years, the Carnegie Endowment’s FinCyber project has documented hundreds of separate cyber incidents impacting financial institutions around the world.
Cyberattacks can damage a firm’s reputation, disrupt business, and result in costly regulatory fines and legal settlements. (Equifax agreed to a $575 million settlement.) According to a 2022 IBM Security report, the average cost of a financial services data breach is now $5.97 million, the highest of any industry other than healthcare.
Application Programming Interfaces (APIs) are so vital to modern software systems that a good design can make or break them.
API design is the process of creating interfaces that permit interactions between software systems. A poorly designed API can cause significant problems such as poor performance and increased costs. Ultimately, this affects the user experience, so it’s important to design your API carefully.
Design your APIs with security in mind: attackers can exploit security vulnerabilities in APIs to gain access to sensitive data.
Preparing for the Soon to be Updated OWASP API Security Top 10
The Open Web Application Security Project (OWASP) is a global non-profit organization dedicated to improving the security of software. The OWASP foundation first released a list of the top 10 security risks faced by APIs in 2019. This year, we’ll see the updated list for 2023 being published, which is currently in Release Candidate status soliciting contributions (https://owasp.org/www-project-api-security/announcements/2023/02/api-top10-2023rc.html).
Although 4 years is an extremely long time when it comes to computing, the fact remains that most organizations are still in the process of putting better API security controls in place to protect against the 2019 Top 10. Additionally, remember that the list contains ten categories of vulnerabilities, with each category housing multiple vulnerabilities.
Comparing the two lists, it is little wonder that the 2023 RC remains fairly close to the 2019 version. While #1 remains the same, the rest of the list has new language, new categories, and a reshuffling of the entries carried over from 2019.
One more thing…
Bill Gates famously stepped away from Microsoft a while ago, but he now seems to be back advising the company on matters of AI and LLMs.
In this episode of Behind The Tech, Kevin Scott has Bill Gates on as a guest. With the rapidly evolving AI landscape, including the release of products like OpenAI’s ChatGPT and the new Bing, it was the perfect time to have Bill join to talk about this unique moment in the history of computing. Kevin talks with Bill about the latest in AI research, including the release of GPT-4, how past technology revolutions have led us to where we are today, how AI is evolving his philanthropic work, his love of reading, and much more!
Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Noname Security publication; the newsletter is meant to provide independent API Security news. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DMs are open).