In more than one way, the year 2020 was different. The COVID-19 pandemic made us change our plans for the year, and it will have a lasting impact on 2021 and beyond. Let’s look to the future and see if we can predict what 2021 will hold for web application and API security. As API security gained attention and focus within organizations this past year, we predict that this trend will continue.
Prediction 1: API Security Matures
Observability and shift-left have helped shed some light on API vulnerabilities, but those movements have not completely solved the problem. Because of the complexity of our security landscape, the reality is that few companies have put adequate resources into their API security programs. We’re hopeful that, now that organizations have gotten their work-from-home and immediate pandemic-related challenges under control, they can turn to API security, which ironically may have slipped into a more precarious state because of the 2020 crises.
With that, we predict that in 2021 we’ll see more focus on run-time API security and risk reduction. It starts with getting visibility into the entirety of your API inventory – everything from legacy APIs to production, pre-production and shadow APIs. With an inventory in hand, security and development teams can start uncovering the vulnerabilities and risks.
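One concrete way to start that inventory is to compare what the gateway actually serves against what the API specification documents. The script below is an added example, not Cequence’s code or tooling: it assumes a constructed spec of (method, path-template) pairs with a deprecation flag and a constructed access log, and buckets every observed endpoint as documented, legacy (documented but deprecated) or shadow (not in the spec at all, including undocumented methods on documented paths).

```python
from collections import Counter

# Constructed OpenAPI-style inventory (hypothetical): (method, template) -> deprecated?
DOCUMENTED = {
    ("GET", "/v1/orders"): False,
    ("GET", "/v1/orders/{id}"): False,
    ("GET", "/v0/orders"): True,  # legacy version still routable
}

# Constructed gateway access-log lines, "METHOD PATH STATUS" (not real traffic).
ACCESS_LOG = """\
GET /v1/orders 200
GET /v1/orders/4411 200
GET /v1/orders/4412 200
GET /v0/orders 200
POST /v1/orders 201
GET /internal/debug/config 200
GET /internal/debug/config 200
POST /admin/export 403
"""


def matches(template, path):
    """True if a concrete path fits a template; {param} segments match any single segment."""
    t, p = template.strip("/").split("/"), path.strip("/").split("/")
    return len(t) == len(p) and all(
        a == b or (a.startswith("{") and a.endswith("}")) for a, b in zip(t, p)
    )


def classify_endpoints(log_text, documented):
    """Bucket observed (method, path) pairs into documented / legacy / shadow with hit counts."""
    observed = Counter()
    for line in log_text.splitlines():
        method, path, _status = line.split()
        observed[(method, path)] += 1

    report = {"documented": Counter(), "legacy": Counter(), "shadow": Counter()}
    for (method, path), count in observed.items():
        # Find the documented template for this method, if any.
        template = next(
            (tpl for (m, tpl) in documented if m == method and matches(tpl, path)), None
        )
        if template is None:
            report["shadow"][(method, path)] += count      # nobody documented this
        elif documented[(method, template)]:
            report["legacy"][(method, template)] += count  # deprecated but still live
        else:
            report["documented"][(method, template)] += count
    return report


if __name__ == "__main__":
    for bucket, hits in classify_endpoints(ACCESS_LOG, DOCUMENTED).items():
        print(bucket, dict(hits))
```

The shadow bucket is the review queue: each entry is either a spec gap to document or an endpoint that should not be reachable at all.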
Notably, most organizations will have seen an increase in the use of microservices, driven by an incredible rise in Kubernetes-based architectures through 2020, and it will continue through 2021. This has a huge impact on the sheer number of APIs in use across the organization and on the number of people who can deploy code with APIs – all potentially driving up API risk if proper management and oversight have not been put into place.
In response to this rise in APIs, we believe that enterprises will accelerate the creation of Digital Centers of Excellence to manage their holistic API security programs. The Chief Data Officer, a title responsible for data governance, is on the rise, and that will continue to be the case in 2021. API security will not just have ramifications for the CISO’s charter. It will affect every touchpoint that consumers have with the brand, including mobile apps, websites, customer experience apps, chatbots, etc. These digital centers of excellence will quarterback the API security rollout for their organizations, with DevOps, CX, AppDev and other teams as key stakeholders.
Prediction 2: Consumer-focused Sites Will Continue as Prime Targets
As a result of shelter-in-place orders and the need to quarantine because of COVID-19, retailers have noted that 2020 became the year in which their everyday online sales rivaled Black Friday volumes from years past. Coronavirus also had a big impact on restaurants, personal services, and healthcare. While the past year has been about scaling environments and modifying sites and mobile apps to handle increased online demand, the next year will pivot to securing those environments beyond what they are today.
Once pandemic restrictions are lifted, you can be certain that things won’t go completely back to the way they were in early 2020. Too many people have grown fond of the convenience of curbside pickup and the delivery of goods direct to their door, so we expect these services to continue and even expand. Retailers, restaurants and even healthcare providers will also look to build more of the ease-of-use features of online apps into their physical experiences and locations. This will require businesses to open up more APIs into their traditional point-of-sale, inventory and healthcare applications, further expanding their risk exposure. In the upcoming year, we’re sure to see attacks continue to take the form of data breaches or account takeovers, but they may also materialize as new types of attacks. These may include denial of inventory, snatching up of delivery windows or appointments, content scraping, or malicious social media content manipulation.
In order to prevent these attacks, organizations need complete visibility into their APIs so that they can find and mitigate security risks before they are published or discovered by attackers.
Prediction 3: The Shopping Bot Reckoning
This holiday shopping season will likely be remembered as the one where we all shopped from home and lost out on hot-ticket items not to other shoppers but to automated bots. The commercialization of specialized sneaker bots pivoted to generalized shopping bots as botters had dreams of getting rich by reselling Xboxes, PS5s, Nvidia cards and other hot items.
Figure: 5-year Google Trends data on search volumes for “shopping bot,” “PS5 bot” and “sneaker bot”
In 2021, we predict that consumers will demand that retailers do more to block shopping bots, forcing retailers to continue their efforts to protect their APIs and web applications from automated bot attacks. Loyal shoppers demand a fair opportunity to purchase their favorite product through the normal, human process rather than an automated one, and manufacturers will reward the retailers who do the best job by giving them a bigger share of inventory. Controlling bots will also benefit retailers by allowing them to rein in the infrastructure costs and complexity caused by massive automated traffic spikes that mimic denial of service attacks, in some cases bringing websites down and diverting significant resources from other projects.
The post Predictions 2021: Getting an Edge Against the Bots appeared first on Cequence.
This is a Security Bloggers Network syndicated blog from Cequence authored by Ameya Talwalkar. Read the original post at: https://www.cequence.ai/blog/predictions-2021-getting-an-edge-against-the-bots/