Salt Security today extended its security platform for application programming interfaces (APIs) to include the ability to visually depict API call sequences, create attack simulations before APIs are released into production and gain insights into attacker behaviors and patterns.
Elad Koren, chief product officer for Salt Security, said the latest version of the Salt Security API Protection Platform will make it easier for cybersecurity teams to hunt for API threats that are otherwise often difficult to detect.
In fact, Salt Security is now the first API security vendor to offer visual depictions of the various paths API calls take, making it easier to identify anomalous behavior, he added.
Simulations, meanwhile, enable cybersecurity teams to identify business logic flaws before APIs are deployed, noted Koren.
In the last several months, there has been a lot more focus on API security as organizations review software supply chains in the wake of a series of high-profile breaches of application security. Historically, the challenge has been that many cybersecurity teams tended to view application security as being the responsibility of application development teams. Those teams, however, don’t have much security expertise and generally view security as being outside their core responsibility. Application security, as a result, often winds up being underfunded.
Cybercriminals are increasingly focusing on APIs specifically because they are easily misconfigured and can allow cyberattackers to exfiltrate data. A recent Salt Security State of API Security Report found that 86% of survey respondents lacked confidence in their ability to identify which APIs expose sensitive data. Organizations also lose track of so-called zombie APIs that are abandoned after being created but are never removed from a production environment.
In general, it’s now only a matter of time before organizations allocate more funding to API security as the number of applications that expose APIs continues to rapidly increase, said Koren. In some cases, that funding will be allocated as part of an application quality assurance initiative while in other instances cybersecurity teams will be tasked with strengthening application security. Salt Security is making a case for a security platform that leverages big data and machine learning algorithms to create a baseline of activity across millions of users and API calls to enable organizations to achieve that goal.
It’s not clear just how much data is being lost today via compromised APIs, but as other elements of IT environments become more secure, cybercriminals will inevitably look for other avenues of attack to exploit. It may require more skill, time and effort to compromise an API, but as organizations embrace digital business transformation initiatives, the data being exposed via APIs becomes richer and more valuable. One way or another, the level of collaboration between cybersecurity teams and application developers required to address that threat needs to improve.
Fortunately, more organizations are starting to adopt DevSecOps best practices for building and deploying applications. Those best practices should, by extension, also be applied to the APIs that are routinely relied on to integrate those applications.