{"id":89037,"date":"2023-04-21T19:08:10","date_gmt":"2023-04-21T19:08:10","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4070649"},"modified":"2023-04-21T19:08:10","modified_gmt":"2023-04-21T19:08:10","slug":"api-security-becoming-c-level-cybersecurity-concern","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=89037","title":{"rendered":"API security becoming C-level cybersecurity concern"},"content":{"rendered":"<figure id=\"attachment_4070650\" aria-describedby=\"caption-attachment-4070650\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4070650\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/04\/api-security-becoming-c-level-cybersecurity-concern.jpg\" alt=\"Top of Akamai building with Akamai logo in blue and orange\" width=\"1400\" height=\"933\"><figcaption id=\"caption-attachment-4070650\" class=\"wp-caption-text\">July 30, 2019 Santa Clara \/ CA \/ USA \u2013 Akamai sign displayed at their headquarters in Silicon Valley; Akamai Technologies, Inc. is an American content delivery network (CDN) and cloud service provider<\/figcaption><\/figure>\n<p>Akamai Technologies announced this week that it will acquire privately funded application programming interface threat detection and response firm Neosec, a finalist in the 2022 RSA Conference Innovation Sandbox Contest. The deal is set to close in June. 
Neosec\u2019s employees, including co-founder and chief executive officer, Giora Engel, and co-founder and CEO, Ziv Sivan, are also expected to join Akamai\u2019s security technology business.<\/p>\n<p>The acquisition speaks to a wake-up call moment: the growing importance of API risk detection and attack remediation as part of always-on detection and response, and the ascendance of more holistic security platforms.<\/p>\n<p>In the latter circumstance, IT companies like <a href=\"https:\/\/www.cisco.com\/c\/en\/us\/products\/security\/umbrella\/index.html#~software-benefits\">Cisco<\/a>, Check Point and others are offering a holistic single platform alternative to a multiple-vendor approach \u2014 one focused on myriad security software-as-a-service solutions to specific vulnerabilities \u2014 rather like dozens of proverbial Hollanders plugging known leaks with their thumbs but not addressing the big picture.<\/p>\n<p>Rupesh Chokshi, general manager of application security at Akamai, explained that the acquisition brings much-needed API expertise to Akamai.<\/p>\n<p><strong>SEE:<\/strong> Coordinated cybersecurity is security aligned with <a href=\"https:\/\/www.techrepublic.com\/article\/withsecure-cybersecurity-report-flawed\/\">business goals<\/a> (TechRepublic)<\/p>\n<p>\u201cThere are a number of things we have become really good at, but we haven\u2019t focused on API interactions. With this new capability we are able to see anomalies: Why are these calls being made? What is the data shared or traversed, what known vulnerabilities are we seeing? We will now have the ability to quickly alert the customer that this is what\u2019s going on,\u201d Chokshi said.<\/p>\n<p>Mani Sundaram, executive vice president and general manager of the security tech group at Akamai, said, \u201cEnterprises expose full business logic and process data via APIs, which, in a cloud-based economy, are vulnerable to cyberattacks. 
Neosec\u2019s platform and Akamai\u2019s application security portfolio will allow customers to gain visibility into all APIs, analyze their behavior and protect against API attacks.\u201d<\/p>\n<h2>API attacks on the rise<\/h2>\n<p>Security firms are seeing a brisk increase in API threat activity. Salt Security, in its March <a href=\"https:\/\/salt.security\/press-releases\/latest-salt-security-state-of-api-security-report-shows-400-increase-in-attackers-finds-api-security-has-become-a-c-level-discussion\">State of API Security<\/a> report, noted a 400% increase in attackers over the prior six months. The report also found:<\/p>\n<ul>\n<li>80% of attacks happened over authenticated APIs.<\/li>\n<li>Nearly half of respondents now state that API security has become a C-level concern.<\/li>\n<li>94% of survey respondents experienced security problems in production APIs in the past year.<\/li>\n<li>70% said their organizations suffered a data breach as a result of security gaps in APIs.<\/li>\n<\/ul>\n<p>One example illustrates how effective a relatively simple API attack can be: the NCC Group, in its 2022 annual <a href=\"https:\/\/www.nccgroup.com\/us\/annual-threat-monitor-report-2022\/\">Threat Monitor<\/a>, noted that Australian telecom Optus had the personal information of 10 million customers exposed in a data breach carried out via an exposed API.<\/p>\n<p>Roey Eliyahu, co-founder and CEO of Salt Security, noted that while APIs are powering digital transformation, delivering new business opportunities and competitive advantages, \u201cThe cost of API breaches, such as those experienced recently at T-Mobile, Toyota and Optus, put both new services and brand reputation, in addition to business operations, at risk.\u201d<\/p>\n<p>Akamai\u2019s <a href=\"https:\/\/www.akamai.com\/resources\/state-of-the-internet\/slipping-through-the-security-gaps-the-rise-of-application-and-api-attacks\">State of the Internet<\/a> report noted the inclusion of API vulnerabilities in 
the upcoming Open Web Application Security Project API Security Top 10 release is emblematic of growing industry awareness of API security risks.<\/p>\n<h2>Risk grows with increased speed of software development<\/h2>\n<p>The Akamai report cites two factors driving the increase in API attack volume. One is acceleration in the application development lifecycle, which \u201crequires a faster turnaround in creating and deploying these applications in production, which could result in a lack of secure code,\u201d said the report.<\/p>\n<p>Akamai cited Veracode\u2019s <a href=\"https:\/\/www.veracode.com\/blog\/secure-development\/new-esg-survey-report-modern-application-development-security\">Enterprise Strategy Group<\/a> survey, in which 48% of organizations stated that they release vulnerable applications into production because of time constraints (<strong>Figure A<\/strong>).<\/p>\n<p><strong>Figure A<\/strong><\/p>\n<figure id=\"attachment_4070654\" aria-describedby=\"caption-attachment-4070654\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4070654\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/04\/api-security-becoming-c-level-cybersecurity-concern.png\" alt=\"graph for The top verticals impacted by web application and API attacks, 2021 vs. 2022.\" width=\"1400\" height=\"723\"><figcaption id=\"caption-attachment-4070654\" class=\"wp-caption-text\">Image: Akamai. The top verticals impacted by web application and API attacks, 2021 vs. 2022.<\/figcaption><\/figure>\n<p>Akamai also reported the number of vulnerabilities is on the rise, with one-tenth of all vulnerabilities in the high or critical category found in internet-facing applications. 
The report also said open source vulnerabilities like Log4Shell doubled between 2018 and 2020.<\/p>\n<h2>Attackers see APIs\u2026 but do you?<\/h2>\n<p>Akamai said that among other things, Neosec\u2019s solution provides visibility into APIs \u2014 which is of critical importance because organizations often don\u2019t know where, or how many, APIs they have below the digital decks.<\/p>\n<p>\u201cThat is priority number one,\u201d said Chokshi. \u201cIn security language, it\u2019s discovery and visibility. And it\u2019s going to be interesting because customers want the baseline: they want to understand (their API exposure).\u201d<\/p>\n<p>Because large organizations can have thousands of apps, they often want to focus on high-risk APIs, because they can\u2019t handle everything at once, he added.<\/p>\n<p>\u201cThey are using lots of different exit points, API gateways like (Google Cloud\u2019s) <a href=\"https:\/\/cloud.google.com\/apigee\/\">Apigee<\/a>, or <a href=\"https:\/\/konghq.com\/\">Kong<\/a>, or load balancers like <a href=\"https:\/\/www.f5.com\/\">F5<\/a>, so there\u2019s this whole complexity that each enterprise environment has that we have to work with customers to tackle as we go forward. 
The end objective would be visibility and discovery figured out, and intelligence, and then work on protection: How much of this can we do with blocking, how much with response and can we automate?\u201d Chokshi said.<\/p>\n<p>Former FBI Special Agent Dean Phillips, executive director of public sector programs at API security firm Noname, said the risks are multiplied by visibility issues, a perennial problem for enterprises with large and growing numbers of integrated applications and interfaces.<\/p>\n<p>\u201cWe have found that in private security upwards of 30% of APIs that are active in an environment are unknown by users,\u201d he said. \u201cSo there is quite a lot that goes on that users just aren\u2019t aware of, including movement of sensitive data, not just names and addresses but social security numbers, birthdays, that the application doesn\u2019t necessarily need or use. It\u2019s a major problem. If you don\u2019t know what you have, or what it\u2019s doing, how do you protect it?\u201d<\/p>\n<h2>Rising API attack incidents in 2022<\/h2>\n<p>According to Google Cloud Cybersecurity Action Team\u2019s April 2023 <a href=\"https:\/\/services.google.com\/fh\/files\/blogs\/gcat_threathorizons_full_apr2023.pdf\">Threat Horizons Report<\/a>, the rise in API compromise was a factor in one-fifth of incidents last year. According to the report, customers delayed security upgrades because \u201cthey worried that such upgrades might also bring unanticipated API changes, which might undermine their applications\u2019 functionality.\u201d<\/p>\n<p>The report said, however, that APIs do not actually change with minor upgrades, which address the Kubernetes cluster\u2019s overall operating environment, and that the scope of the updates can be controlled. 
\u201cCustomers were not always aware of this configuration option, however,\u201d the report said.<\/p>\n<h2>Growing focus on API security<\/h2>\n<p>Because of the ubiquity of APIs as intermediaries in more and more cloud native transactions, Chokshi said he sees the API security market potentially becoming a security superset.<\/p>\n<p>\u201cThe interactions will be that much greater because of areas like the automotive industry, healthcare, and smart cities, versus classic end user or mobile applications,\u201d he said.<\/p>\n<p>\u201cYou also have a lot of businesses where APIs are critical to the back end: A customer is trying to open an app or account, and in the back end there is a credit check, or other actions. More and more business-to-business transactions taking place in this cloud economy, including supply chains, are API-driven. The API market, in general, is rapidly growing and the tooling that is required to keep up is lacking. Security becomes even more important because of that,\u201d Chokshi added.<\/p>\n<p>Phillips agrees that APIs are an energetic space. \u201cIt\u2019s becoming white hot, and lots of folks are trying to get involved in API security because there\u2019s a growing recognition that they are the number one attack vector,\u201d he said, noting that in 2022, Gartner had estimated that by last year, APIs would be the No. 1 attack vector. \u201cAnd we have seen tremendous growth,\u201d Phillips said.<\/p>\n<h2>API surveillance joins the platform<\/h2>\n<p>Akamai\u2019s acquisition follows a shift away from single-point solutions to comprehensive services \u2014 from products to platforms \u2014 the virtues of which industry <a href=\"https:\/\/www.gartner.com\/en\/documents\/4006252\">consultants<\/a> have been extolling for years.<\/p>\n<p>\u201cIt\u2019s a constant conversation between best-of-breed technology and platform solutions,\u201d said Wendi Whitmore, SVP of Palo Alto Networks\u2019 Unit 42 team. 
\u201cThe discussion previously had been one or the other. I will say that our ability to provide a much broader range of solutions across technology is really compelling, and I will say the majority of our products are best of breed. It will be tougher for organizations to compete in a world solving one small problem,\u201d she said. \u201cThere is never one single silver bullet. It\u2019s too complex today.\u201d<\/p>\n<p>Chokshi said Akamai\u2019s acquisition \u2014 and a security-platform approach to cyberdefense \u2014 allows the firm to benefit from adjacency so that an attacker doesn\u2019t get lost in transit between one point of visibility (or security product if the organization is using multiple vendors) and another. \u201cWe are already providing a high level of protection, they are comfortable with our portals and platforms and so this becomes an additional capability in that same continuum.\u201d<\/p>\n<p>Phillips, who said Noname employs a \u201cleft of boom\u201d approach \u2014 essentially shifting left to address API vulnerabilities before an incident makes them obvious \u2014 predicts there will be more consolidation that brings API security capabilities under the aegis of major players. \u201cThere\u2019s enough recognition in the industry that API security is growing. APIs have been around for a long time but recognition of vulnerabilities hasn\u2019t. Attacks are increasing but the question becomes what\u2019s the impact? Is the pain of the attack enough to drive action?\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>July 30, 2019 Santa Clara \/ CA \/ USA \u2013 Akamai sign displayed at their headquarters in Silicon Valley; Akamai Technologies, Inc. 
is an American content delivery network (CDN) and cloud service provider Akamai Technologies announced this week that it will acquire privately funded application programming interface threat detection and response firm Neosec, a finalist [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":89038,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,783,287,27],"tags":[],"class_list":["post-89037","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-cloudsync","category-security","category-software"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/89037","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=89037"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/89037\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/89038"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=89037"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=89037"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=89037"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}