Remember when software used to come on CDs packaged in shrinked-wrapped boxes, or even before that, on floppy disks?
Related: Memory-based attacks on the rise
If you bought a new printer and wanted it to work on your desktop PC, you’d have to install a software driver, stored on a floppy disk or CD, to make that digital handshake for you.
Today software is developed and deployed in the cloud, on the fly. Modular coding components, called microservices, written by far-flung third-party developers, are mixed and matched and reused inside of software containers. And each connection — each handshake, if you will — is made possible by a rather delicate piece of coding called an Application Programming Interface, or API.
Without APIs there would be no cloud computing, no social media, no Internet of Things. APIs are the glue that keeps digital transformation intact and steamrolling forward. But APIs also comprise a vast and continually-expanding attack surface.
I had a very informative discussion at RSA 2019 with Himanshu Dwivedi and Doug Dooley, CEO and COO, respectively, of Silicon Valley-based application security startup Data Theorem, which is focused on helping companies come to grips with this humongous exposure. For a full drill down, give a listen to the accompanying podcast. Here’s what I learned from them:
APIs have been a cornerstone of our digital economy from the start. Without them, cloud-based software-as-a-services wouldn’t exist. Today APIs are empowering companies to speed up complex software development projects – as part of digital transformation.
Dooley uses the analogy of the relationship between a waiter and a customer. “API is a way to take an order and fulfill that order. You have one microservice and then get another microservice and these pieces want to connect and collaborate with each other, you’re typically going to do that through an API. That’s how they’re going to transfer data in, hopefully, a secure channel to pass information back and forth with each other.”
However, APIs are also more frequently the source of data breaches and other cyber incidents. With all of these microservices, that means there is a lot of code floating in the cloud, and it is difficult to inventory.
No one really knows exactly how many APIs are out there. A typical Android or Apple smartphone uses a certain number of APIs to essentially power up and be ready for use. A dozen or more additional APIs come into play to activate each mobile app on a phone, so one handset alone typically relies on hundreds of APIs to fully function.
And that’s just one phone. Imagine how many APIs come into play in a mid-sized or large organization running a hybrid cloud network. “If I go to a CSO and say, ‘We can secure your APIs,’ he’ll say, ‘Great, can you also find them for me?’ ” observed Dwivedi, Data Theorem’s founder.
Velocity without security
Developers are writing software faster, quicker and more efficiently than 20 years, he added. This has created some new problems for security teams because there is no particular place where they can look to address potential security problems at the API level.
This dynamic came into play at the U.S. Postal Service. In late 2018, the USPS Informed Delivery service was hit with a massive data breach, exposing 60 million records. The problem wasn’t a hack, but a broken API.
In this case, the API was supposed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages,” according to Brian Krebs.
Instead, what it did was allow anyone with a usps.com account to modify a wildcard search without authentication permissions. “That could open the door for mass harvesting of information that could be leveraged for high-volume – but very targeted — phishing or social-engineering efforts, although USPS says that there’s no evidence that the flaw was exploited,” Tara Seals wrote for ThreatPost.
It also showed the weaknesses in APIs, primarily how difficult it is to provide adequate security for them.
Big white elephant
Because companies can’t protect APIs with traditional means, like firewalls, they must find other ways to secure them. Problem one in doing so is that when APIs are developed, security is not in the loop. Dooley argued that some type of continuous discovery loop is needed.
API discovery is like finding the Holy Grail; knowing those APIs are there can change everything about your approach to security. However, Dooley added, what you learn about APIs today will be different in a week. There could be hundreds more; there could be dozens fewer. For security to work, there needs to be 24/7 awareness.
“Once you know what you have you,” Dooley continued, “you need to do a deeper level of inspection to understand if authentication, authorization, availability, and encryption are working as it is supposed to.” This is essential in industries that are heavily regulated and store very sensitive data, like healthcare and finance.
APIs are all about connecting and collaborating to share information, but care needs to be taken to ensure that sensitive data is not left naked on the internet. Access to sensitive systems and data should always require high levels of authorization and authentication, Dwivedi told me.
The skyrocketing use of APIs to enable digital transformation has put organizations in difficult position, Dwivedi say. They simply can’t keep up.
Dwivedi and Dooley made it clear to me that, at this juncture, expanding API exposures represent a big white elephant in just about every organization, you care to name. This is not going to get resolved quickly. It’s encouraging that Data Theorem and other security vendors are innovating in this space, and striving to give companies viable tools and processes to mitigate API risks. Talk more soon.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(Last Watchdog’s Sue Poremba contributing.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-data-theorem-helps-inventory-sprawling-apis-as-the-first-step-to-securing-them/