Phishing, misconfigurations and missing patches are top concerns among security leaders, but they also say their organizations are letting observability tools gather dust.
Content delivery, security and cloud services company Akamai, in partnership with U.S. cybersecurity training company SANS Institute, released on Tuesday the results of a new study examining the most worrisome security risks related to APIs. The 2023 SANS Survey on API Security found that the top risk is phishing attacks.
In addition, the 2023 global survey, which polled 231 application security professionals, found that fewer than 50% of respondents have API security testing tools in place and only 29% have API discovery tools. It also found that only 29% of respondents use the API security controls that are already included in DDoS and load balancing services.
Top six API security risks
When asked what they perceived as the top API security risk, respondents most often said:
- Phishing to obtain reusable credentials (38.3%).
- Attackers exploiting missing patches (24%).
- Attackers exploiting vulnerable applications/APIs (12%).
- Misconfiguration of servers/services by system administrators (12%).
- Accidental disclosure of sensitive/covered information by users (9.1%).
- Denial of service (2.3%) (Figure A).
API proliferation makes security challenges more complex
Akamai reported earlier this year that 2022 broke records for application and application programming interface attacks. Part of the problem is the sheer number of APIs in use by organizations, which is an issue that fits neatly into the “you don’t know what you don’t know” risk bucket.
John Pescatore, director of emerging security trends at SANS and author of the 2023 study, pointed out that the proliferation of APIs is emblematic of how complexity is the enemy of security. He also explained how the very nature of distributed applications increases the threat surface for attackers and the likelihood of vulnerabilities being part of production code.
In the new study, Akamai cites a report by 451 Research that states the average enterprise has more than 15,000 APIs in use. To give a sense of the volume of attacks, Akamai earlier this year reported that on a single day, Oct. 8, 2022, there were 161 million API attacks worldwide.
SEE: The C-suite considers API security a top concern (TechRepublic)
According to the report, the survey’s respondents said they planned to close API security gaps in the future with:
- Web security gateways (14%).
- API security capabilities in content delivery network/load balancing (13%).
- Web application firewalls (13%).
- Dynamic application security testing (13%) (Figure B).
Zero-day risks getting too much credence, misconfiguration not enough
The Akamai study suggests that respondents are giving too little weight to the risk of misconfigured applications and too much to zero-day risks, according to Rupesh Chokshi, general manager of application security at Akamai.
“An organization’s API security plan should include building secure APIs and configuring applications correctly. At the same time, organizations should understand zero-day risks, such as how APIs become vulnerable and susceptible to exploitation. The distinction is important because it shows that robust API security needs to give significant weight to every aspect of the API lifecycle; otherwise, vulnerabilities could be missed,” said Chokshi.
Closing the door to application layer misconfigurations
Ory Segal, chief technology officer of Palo Alto Networks Prisma Cloud, concurred that misconfiguration in modern, cloud-native applications poses a substantial risk that’s frequently underplayed by organizations.
“Unfortunately, many focus their attention toward zero-day risks and known vulnerabilities in open source software packages (i.e., common vulnerabilities and exposures). However, statistics and reality show that attackers are more likely to exploit application layer misconfigurations, exposing organizations to significant risk and potential data breaches — just look at the number of recent breaches involving publicly open cloud storage buckets.”
Among Segal’s recommendations:
- For expediting configuration management, infrastructure as code scanning can provide consistency in configuration and reduce human error.
- Improving API observability is essential. This can be achieved by implementing robust logging and monitoring.
- Detailed logs, including API calls, response times and error messages, can offer valuable insights into the performance and security of APIs.
- Automated anomaly detection can assist in identifying unusual activities indicative of a potential attack.
- For more comprehensive API security, adopting the principle of least privilege is recommended, allowing each user only the minimum levels of access necessary to perform their tasks.
- Regular audits and automated testing for common security issues, such as injection-based attacks, can help ensure the ongoing security of APIs.
Proper API hygiene: Inventories, patches, threat assessment
Pescatore wrote that an organization’s API security plan should include:
- Inventory of APIs in use and processes that use those APIs.
- Vulnerability assessment of APIs in use.
- Threat assessment of active attacks exploiting those vulnerabilities.
- Risk-based mitigation of critical API vulnerabilities.
Sixty-two percent of respondents to the survey said they use web application firewalls as part of API risk mitigation, and 79% of survey takers reported training development staff on application security. Also, 57% of respondents reported API inventory accuracy of between 25% and 75%.
SEE: Gigamon report shines light on deep observability (TechRepublic)
“Security hygiene controls like strong authentication, asset inventory, vulnerability management and change management need to address API security issues,” Pescatore wrote. “Prevention and detection need to be upgraded to deal with API-centric attacks, and infrastructure services (such as content delivery networks and denial of service filtering) need to be put to work as well.”