Noname Security Adds API Security Reconnaissance Capability
Noname Security today added a Noname Recon module to its platform for securing application programming interfaces (APIs) that makes it possible to discover active patterns being employed by cybercriminals.
Dor Dankner, head of research for Noname Security, said the company is now scanning public sources to surface threat intelligence concerning attacks being made against APIs. Armed with those insights, it then becomes feasible for organizations to better protect their application environments before similar attacks are launched against them, he added.
Early adopters of Noname Recon have already uncovered several API security issues, including secret keys stored in public code repositories, leaked internal documentation and misrouting that allowed cybercriminals to bypass web application firewalls (WAFs) and content delivery networks (CDNs), Dankner said.
As the number of APIs used across distributed computing environments increases exponentially, securing these endpoints has become more challenging. According to a survey of 600 senior cybersecurity professionals in the U.S. and the United Kingdom, conducted by Opinion Matters on behalf of Noname Security, more than three-quarters of respondents (76%) reported they have already experienced an API security incident in the last 12 months.
It’s not clear how many attacks are being launched against APIs, but securing them is clearly becoming more challenging as different types of APIs are employed, Many IT organizations, for example, are now adopting APIs based on GraphQL alongside large numbers of existing REST APIs.
The biggest issue when it comes to API security is, as always, simply determining who is responsible for it. Application security has always required a level of collaboration between IT security teams and application developers that has been difficult to achieve. In theory, responsibility for securing APIs is shifting left toward developers and DevOps teams. In practice, however, the level of security expertise among application development teams remains uneven, so most of the responsibility for API security still lies with application security teams. The goal should be to define a set of DevSecOps best practices that secure APIs alongside all the components that make up a software supply chain.
The cybersecurity team continues to operate much like a police force to protect the environment while the rest of the community works together to make it more challenging to compromise the integrity of an application environment, noted Dankner. The challenge is that an API that is internally facing today may require one level of security now but requires another level if business conditions change and it suddenly becomes externally facing.
Regardless of the approach to API security, the need to secure other APIs much like any other endpoint is becoming more apparent. Unfortunately, many organizations are going to learn that lesson the hard way this holiday season, but overall the state of application security continues to steadily improve. In fact, it’s now a race against time to better secure APIs before data is exfiltrated through them.
