Nick Rago, Field CTO at Salt Security, discusses the critical role of Chief Information Officers in fortifying API security against the backdrop of increasing cyberthreats and the evolving demands of Digital Transformation.
As the world continues to become more digitally driven in business and society alike, Chief Information Officers (CIOs) play a pivotal role as the propelling force behind innovation. It must not be forgotten, though, that their responsibilities extend far beyond merely ensuring businesses and consumers have swift and seamless access to data and services; they are now at the forefront of managing and implementing the technologies crucial for the operation and scalability of a business.
Moreover, in the face of escalating cyberthreats worldwide, safeguarding against malicious actors has become a central facet of a CIO’s role. Recent research indicates that 70% of CIOs anticipate an increased involvement in organisational security practices and procedures this year.
APIs represent a vulnerable attack vector in the digital world
Application Programming Interfaces (APIs) are the building blocks of the modern Internet, including the services that businesses provide both internally to employees and externally to customers or partners. APIs have changed the way we build applications and deliver information and have become integral to Digital Transformation success.
APIs also play a huge role in the success of Artificial Intelligence (AI) initiatives, as AI relies on information to thrive; and that information is fed and consumed through APIs. However, with the increased reliance on APIs, the abuse of them has also become one of the primary security concerns faced by CIOs as APIs are swiftly emerging as the most frequent vector for cyberattacks.
The recent breaches at T-Mobile and Optus, where sensitive Personally Identifiable Information (PII) and data of millions were exposed, underscore the vulnerability of APIs to exploitation by malicious entities. The potentially sensitive nature of the data being handled, along with the interconnectedness of critical services using APIs, makes them an attractive target for attackers seeking a channel to exfiltrate data, or to gain unauthorised system access and lateral movement within an organisation’s network.
Challenges for CIOs posed by APIs
The challenge for CIOs lies in striking a delicate balance between driving rapid innovation and progress while ensuring the security of the business. API security stands out as a crucial intersection point. And while cloud security is widely recognised as essential in today’s environments, and AI security has been a major topic of concern in recent months, they are also intricately linked to API security, making it not only a security team concern but a broader business problem and, consequently, a CIO’s problem.
In fact, the latest Salt Security State of API Security report indicated that nearly half of businesses believe that API security has become a C-level discussion over the past year.
The adoption of API-first methodologies has resulted in a proliferation of APIs throughout an organisation’s infrastructure. And those APIs, by their very nature, require constant and regular updating. With every new API added or update to an existing API comes the possibility of an unexpected outcome or a misconfiguration.
As we know, security teams are already overstretched, understaffed and lacking sufficient budgets, so the prospect of securing this sprawling and constantly changing attack surface may seem daunting.
Given these challenges and their importance to the business, it is no surprise that the eyes of many C-suites have turned towards APIs as a business issue that cannot be ignored. In fact, recent findings indicate that highly regulated industries such as technology, financial services and energy/utilities companies are where executives are keeping the closest watch.
Unfortunately, API attackers don’t necessarily even need to be clever with their attacks; APIs are easily manipulated and susceptible to business logic attacks, which present a low barrier to breach for threat actors. Take for example the Experian incident that allowed unauthorised access to credit scores and other highly sensitive information just by entering easily obtained personal information. In addition to business logic flaws, attackers are well aware that many organisations are struggling to govern the security posture of their constantly evolving API landscape, resulting in misconfigurations that an attacker can easily take advantage of.
Furthermore, in the case of API protection, traditional web security tools such as WAFs and specialised API lifecycle technologies, such as API gateways, were designed for different purposes, and lack the capabilities required to detect and defend against the majority of API attacks occurring today, such as business logic attacks. Coupled with an increase in attackers of over 400% in recent times, it’s no surprise that existing infrastructure investments are inadequate to keep up.
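The following is an added illustration, not code from the article or from Salt Security, of the two points above: a business logic flaw of the Experian kind, where "knowing someone's personal details" is treated as authorisation, beside an identity-bound version of the same endpoint, plus a behavioural check of the sort a WAF signature cannot express. The records, identity mapping, event log and function names are all constructed for the example.

```python
"""Added example (not from the article): knowledge-based versus identity-bound
authorisation for a credit-score lookup, and a behavioural enumeration check.
All records, clients and helpers here are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records of the kind a credit-report endpoint serves.
RECORDS = {
    "rec-1001": {"name": "Ada Example", "dob": "1980-01-01", "postcode": "AB1 2CD", "score": 712},
    "rec-1002": {"name": "Bob Sample", "dob": "1975-06-30", "postcode": "EF3 4GH", "score": 655},
}

# Constructed identity map: authenticated subject -> record ids that subject owns.
OWNERSHIP = {"user-ada": {"rec-1001"}, "user-bob": {"rec-1002"}}


class Forbidden(Exception):
    """Raised when a caller is not entitled to the requested record."""


def lookup_score_vulnerable(name: str, dob: str, postcode: str) -> int:
    """Business logic flaw: 'authorisation' is knowledge of PII. Whoever has the
    target's name, date of birth and postcode receives the target's score.
    Every request is syntactically valid, so a payload signature has nothing
    to match on; the defect is in the logic, not the input."""
    for rec in RECORDS.values():
        if rec["name"] == name and rec["dob"] == dob and rec["postcode"] == postcode:
            return rec["score"]
    raise Forbidden("no matching record")


@dataclass
class AuthContext:
    subject: str  # taken from a verified session or token, never from the request body


def lookup_score_hardened(ctx: AuthContext, record_id: str) -> int:
    """Hardened form: the record must belong to the authenticated subject
    (object-level authorisation). Supplying someone else's PII grants nothing."""
    if record_id not in OWNERSHIP.get(ctx.subject, set()):
        raise Forbidden(f"{ctx.subject} does not own {record_id}")
    return RECORDS[record_id]["score"]


def attempt(fn, *args):
    """Demonstration helper: the score on success, None when access is denied."""
    try:
        return fn(*args)
    except Forbidden:
        return None


# Constructed request events as a gateway might log them: one client key
# querying six different people, another querying only itself.
SAMPLE_EVENTS = [
    {"client": "client-x", "name": f"Person {i}", "dob": f"19{70 + i}-01-01"} for i in range(6)
] + [{"client": "client-y", "name": "Ada Example", "dob": "1980-01-01"}]


def flag_enumeration(events, max_distinct_subjects: int = 5):
    """Runtime-monitoring heuristic (an assumed, illustrative threshold): a
    single client querying many distinct people's records is suspicious
    behaviour even though each individual request looks legitimate."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["client"]].add((ev["name"], ev["dob"]))
    return sorted(c for c, subjects in seen.items() if len(subjects) > max_distinct_subjects)


if __name__ == "__main__":
    print("vulnerable, stranger with Bob's details:", attempt(lookup_score_vulnerable, "Bob Sample", "1975-06-30", "EF3 4GH"))
    print("hardened, Bob asking for Ada's record:", attempt(lookup_score_hardened, AuthContext("user-bob"), "rec-1001"))
    print("hardened, Ada asking for her own record:", attempt(lookup_score_hardened, AuthContext("user-ada"), "rec-1001"))
    print("clients flagged for enumeration:", flag_enumeration(SAMPLE_EVENTS))
```

The point of the pairing is that the vulnerable and hardened endpoints accept equally well-formed traffic; only the hardened one consults who the caller actually is. The enumeration check shows the kind of cross-request, behavioural signal that runtime API monitoring can act on and that a per-request WAF rule cannot.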
Fortifying defences against API attacks
To fortify the security posture of APIs, CIOs can take several strategic initiatives in collaboration with their security teams. For instance, asset management, a foundational IT best practice, is critical for API security. CIOs need to establish a robust governance strategy for APIs, ensuring a comprehensive inventory of all APIs within their infrastructures, including their purpose, the classification of data associated with their use, the business area/owners they are related to, and the overall security posture of every endpoint.
Without visibility into the entire API landscape, effective management and risk reduction are unattainable. Governance programmes should also prioritise continuous API inventory assessment to uncover and document ‘shadow APIs’ that often elude traditional governance platforms. Taking action to limit this API sprawl before it becomes wholly unmanageable is imperative for modern business and a priority for CIOs. Lastly, a good governance programme should also mandate and assess corporate and regulatory security posture standards throughout an API’s lifecycle.
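As an added example (not the article's or Salt Security's code) of the inventory assessment described above, the script below reconciles a declared API inventory, carrying the purpose, data classification and owner fields the text calls for, against endpoints actually observed in gateway access logs. Observed paths are normalised so that `/v1/customers/1001` and `/v1/customers/1002` count as one endpoint. It reports shadow endpoints (traffic with no inventory entry), inventory entries with no observed traffic, and entries whose governance metadata is incomplete. The inventory, log lines and log format are constructed for the example.

```python
"""Added example (not from the article): reconcile a declared API inventory
against endpoints observed in gateway access logs to find shadow APIs and
governance gaps. Inventory, log lines and their format are constructed."""
import re
from collections import Counter

# Constructed inventory: method + path template -> governance metadata.
# None marks a field the owning team has not yet documented.
INVENTORY = {
    "GET /v1/customers/{id}": {"owner": "billing", "data": "PII", "auth": "oauth2"},
    "POST /v1/orders": {"owner": "commerce", "data": "financial", "auth": "oauth2"},
    "GET /v1/health": {"owner": "platform", "data": "none", "auth": "none"},
    "GET /v1/reports/{id}": {"owner": None, "data": None, "auth": "oauth2"},
}

# Constructed gateway access-log lines: "<timestamp> <method> <path> <status>".
ACCESS_LOG = """\
2024-03-01T10:00:00Z GET /v1/customers/1001 200
2024-03-01T10:00:05Z GET /v1/customers/1002 200
2024-03-01T10:01:00Z POST /v1/orders 201
2024-03-01T10:02:00Z GET /v1/health 200
2024-03-01T10:03:00Z GET /v1/customers/1001/export 200
2024-03-01T10:04:00Z GET /internal/debug/users 200
2024-03-01T10:05:00Z GET /internal/debug/users 200
"""

# Path segments that are numeric or UUID-shaped are treated as identifiers.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def normalise(path: str) -> str:
    """Collapse identifier segments to {id} so concrete URLs map to a template."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def observed_endpoints(log_text: str) -> Counter:
    """Count requests per normalised 'METHOD /path/template' seen in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        _ts, method, path, _status = line.split()
        counts[f"{method} {normalise(path)}"] += 1
    return counts


def assess(inventory: dict, log_text: str) -> dict:
    """Compare declared inventory with observed traffic and report the gaps."""
    observed = observed_endpoints(log_text)
    return {
        # Endpoints serving traffic that nobody has inventoried: shadow APIs.
        "shadow": sorted(e for e in observed if e not in inventory),
        # Inventoried endpoints with no traffic in this window; worth a review.
        "unobserved": sorted(e for e in inventory if e not in observed),
        # Inventoried endpoints whose owner or data classification is missing.
        "missing_metadata": sorted(
            e for e, meta in inventory.items() if not meta["owner"] or not meta["data"]
        ),
        "observed": dict(observed),
    }


if __name__ == "__main__":
    for key, value in assess(INVENTORY, ACCESS_LOG).items():
        print(f"{key}: {value}")
```

Run periodically over real gateway logs, the same reconciliation turns a one-off inventory into the continuous assessment the text describes; the normalisation step is the part that needs tuning to an organisation's own URL conventions.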
Educating the wider organisation about API risks is another key initiative. CIOs should spearhead efforts to enhance understanding across teams regarding common API security threats, drawing on resources such as the OWASP API Security Top 10 list. CIOs should also ensure corporate standards for acceptable API posture are properly documented. Collaborating with security teams, CIOs must implement API programmes capable of ongoing monitoring to find lapses in security posture and to detect prevalent API abuses, limiting the organisation’s exposure to cyberattacks. Furthermore, with developers rapidly deploying APIs into production, a safety net of runtime protection becomes imperative to shield both known and unknown APIs.
In addition, CIOs can drive API security initiatives by raising organisational awareness about the potential risks and costs associated with API incidents. API breaches can have severe financial repercussions, with recent estimates placing the aftermath costs for Optus at a staggering AU$140 million. CIOs play a pivotal role in cultivating a security-aware environment across development, IT, and security teams, fostering collaboration to understand and mitigate these risks.
In conclusion, to counter the ever-evolving tactics of malicious actors, CIOs must grasp the intricacies of the API landscape. APIs, as the foremost business enabler and the primary attack vector, demand stringent security measures. CIOs, as leaders in technology strategy, must introduce comprehensive API strategies and controls, encompassing a complete API inventory and fostering cross-functional understanding of the most significant API threats and associated business risks. This proactive approach is essential not only for reducing overall risk but also for maintaining a fast-paced, innovation-focused trajectory for their companies.