
2023 The Year of Redefining API Security

With the start of a new year, most security firms feel obligated to dust off their crystal ball (AI-driven, of course) and cart out their predictions for the coming year. With such a tradition, how could we resist doing otherwise? Rather than simply prognosticate, we turned to customer conversations to reflect what is already happening. Organizations are quickly waking up to the high stakes of not monitoring and protecting APIs, and to how inadequate traditional API security approaches are for meeting these challenges.


APIs Carry the Crown Jewels of a Business – Ignore Their Security at Your Peril

Today, cloud is the norm for nearly every new project or service a business creates, and APIs are the connective tissue. New levels of seamless workflows, speed and cost reduction all rely on business APIs connecting an organization’s most important systems and data to customers, partners, suppliers and other third parties. Because of these connections, stealing data from APIs is the new frontier for a data breach. APIs also enable misuse and fraud in never-before-imaginable ways. Attackers are changing tactics and going after any API they find. But the problem for most organizations is that they don’t have an inventory of their API estate, let alone visibility into any of these attacks, because APIs are typically unprotected.


Discovery Broadens from Cloud Assets to Business APIs

While last year saw organizations worry about discovering assets in cloud environments, the problem of discovery is now focused on finding APIs in any environment. Organizations understand that API usage has skyrocketed, but they have no idea how many APIs they expose or consume. APIs are the latest security blind spot, and as we all know, you have to discover something before you can govern it. Adding API discovery and visibility will be a major emphasis of 2023.

Privacy by Design for Security Products

Security products have sometimes created problems while solving others; compliance and risk posture have at times been compromised by the very security tools meant to improve them. In solving the API security challenge, it is essential that solutions are built with a privacy-by-design mindset, so they solve the problem without creating new ones. This is exactly why Neosec uses tokenization to ensure compliance and lessen risk while enabling discovery and behavioral monitoring of business APIs.

Location Doesn’t Matter When Business APIs are Used

A close focus on cloud assets has resulted in security solutions and practices put in place to minimize vulnerability in environments not exclusively under the control of a company. Now, as we move into 2023 and see a continual growth of business APIs, organizations will realize that the most critical attack surface may be the APIs themselves, regardless of whether the asset is on-prem or in the cloud.

While API security has largely focused on API vulnerabilities, authentication and authorization, 2023 will see practitioners rapidly adopt automated, continuous API discovery together with behavioral monitoring and analytics, so that they know every API in use and can protect against misuse, abuse and fraud within them.


Putting Security Back Into the Development Process

One ongoing trend that continues into 2023 is that ‘human error’ is still one of the primary causes of breaches. Because of this, Rinki Sethi, VP and CISO of Bill.com and former CISO of Twitter, sees a change coming: “The human risk management space is getting more attention. The product security space is shifting left.” As companies put more emphasis on DevSecOps, we will see more testing of code and a drive toward more innovation. Securing APIs will be an integral part of protecting valuable internal data and business logic during this process.


*** This is a Security Bloggers Network syndicated blog from Blog authored by Edward Roberts. Read the original post at: https://www.neosec.com/blog/2023-the-year-of-redefining-api-security

Edward Roberts

Edward Roberts is the VP Marketing at Neosec. Prior to Neosec, Edward led marketing strategy for the application security portfolio at Imperva. Previously, he led marketing at two application security companies through acquisition including Distil Networks (acquired by Imperva) and Mykonos Software (acquired by Juniper Networks).
