For sure, API adoption in the region has been surging. However, gaps in API risk management are waiting to be exploited!
As digitalization continues to advance at an unprecedented pace, so will the complexity of application programming interface (API) security.
The consequences of an API breach can be severe for both businesses and consumers alike. Organizations will therefore need to develop a better understanding of their API environments and the risks involved.
CybersecAsia had a chance to interview two Akamai security decision makers: Patrick Sullivan, CTO, Security Strategy; and Reuben Koh, Director, Security Strategy (Asia Pacific & Japan) on APIs’ impact on the cybersecurity landscape this year.
CybersecAsia: What will cybersecurity and threats look like this year?
Patrick Sullivan (PS): The first point to call out would be the continuation of attacks on APIs. That is a result of the dependence we have on APIs, across almost every major vertical like healthcare and financial services.
During the COVID-19 pandemic, the APJ region saw a lot of digital transformation, and APIs were the tip of the spear to drive transformation. Even after exiting the pandemic, organizations realized that APIs are here to stay, and we saw an acceleration in APIs across the board — from financial institutions participating in open banking, cross-border payments, blockchain adoption, and smart contracts. This soon became a prime target for cybercriminals, especially as the immense amount of data that is going through the APIs is so much more than what we had anticipated using legacy applications.
Another area where we are seeing a big regional uptick is ransomware. Techniques will keep evolving, and businesses will need to remain ever-vigilant. The onus will be on companies to invest in zero trust architecture and micro-segmentation, and get holistic visibility to protect critical assets and remain operational even if they get compromised.
Another threat is a rise in DDoS attacks. This year, we will see more people vote in elections than any year in history. Geopolitical tensions have increased, which has also driven a lot of DDoS activity around the world.
CybersecAsia: How can organizations address the growing risks of API usage?
PS: Because of all the data that is transferred back and forth, cybercriminals will see APIs as a prime target — to exploit and obtain the high value of sensitive information — rather than going head-on against a big application that is sitting behind a firewall and figuring out how to break into it. The supply chain is also at risk, and for some industries like healthcare, the stakes are higher.
Therefore, organizations need to understand that APIs are one of the largest application attack surfaces that they simply cannot ignore. So, they must prioritize API security as they move towards the widespread uptake of multi-cloud platforms and cloud-native applications that will cause the API attack surface to expand. However, I do not think we are at that maturity level yet, as developers have been building APIs much more quickly than security architects have been documenting and securing them. Many organizations are still taking the first step in understanding where their APIs and attack surfaces are.
Reuben Koh (RK): For some organizations, APIs are number one because they have seen developers in the business move very quickly down that path. Security follows the business, as they would need to reduce risk in shifting to an API-first business model. For other organizations, the supply chain is number one, as they embrace innovation and technology partners that come with businesses going digital.
All this opens up opportunities for ransomware attackers to exploit the various parts involved in the supply chain. If attackers find a vulnerability in any aspect, it will affect the supply chain of so many organizations. We have seen some of the world’s most sophisticated financials decline to do business with any organizations that fall below a certain security level. Not all organizations follow this system, where security has the veto power, but as we have seen businesses incur costs from very expensive attacks, it is likely that more organizations will stop accepting the risks of working with businesses that do not treat security as a priority.
To stay ahead of present and foreseeable threats, businesses need to constantly re-evaluate their security posture and controls and stay updated on the latest attack trends. To effectively combat the evolving threats, security and anti-fraud teams require access to more comprehensive and informed data, supported by ongoing threat research, enabling them to respond effectively.
Traditional, rigid security methods are inadequate in addressing the complexities of today’s threat environment. Modern security solutions not only need to be able to address attacks effectively, but also do it in a way that does not add additional complexity to an organization’s security operations.
Another important consideration is to improve an organization’s resilience during a security incident, by effectively reducing a cyberattack’s ability to cause harm. Micro-segmentation is one strategy to isolate and confine security breaches within an organization, thereby minimizing harm and enabling recovery even during an ongoing cyberattack.
CybersecAsia: How should CISOs handling legacy systems containing old APIs protect their network?
PS: They first need to be able to gain much-needed visibility of all their deployed APIs, including legacy ones. These are important in helping to discover and prevent threats like shadow APIs, and support their understanding of their overall API risk exposure.
Also, whether modern or legacy in nature, APIs need to be protected, especially during runtime. For example, identify and address the security posture of APIs that may contain vulnerabilities that are being actively exploited. Sophisticated API threats like logic abuse are also increasingly common. Development teams also need to be constantly trained in implementing APIs that are not misconfigured and continually tested for vulnerabilities as part of an overall risk management strategy.
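One concrete way to get the visibility Sullivan describes is to compare the documented API inventory against what actually appears in gateway access logs, which surfaces shadow (undocumented) endpoints and documented legacy routes that no longer receive traffic. The following Python is an added example, not Akamai's or the interviewees' code; the route inventory and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory of documented routes as (method, path template).
# In practice this would come from OpenAPI specs or the gateway's route table.
DOCUMENTED_ENDPOINTS = {
    ("GET", "/api/v2/accounts/{id}"),
    ("POST", "/api/v2/payments"),
    ("GET", "/api/v1/accounts/{id}"),   # legacy version, still documented
}

# Constructed access-log lines in a combined-log-style layout.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0800] "GET /api/v2/accounts/1042 HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2024:10:00:02 +0800] "POST /api/v2/payments HTTP/1.1" 201 88
10.0.0.9 - - [01/Mar/2024:10:00:03 +0800] "GET /api/v1/accounts/1042/export HTTP/1.1" 200 90211
10.0.0.9 - - [01/Mar/2024:10:00:04 +0800] "GET /internal/debug/users HTTP/1.1" 200 4096
10.0.0.5 - - [01/Mar/2024:10:00:05 +0800] "GET /api/v2/accounts/77?fields=all HTTP/1.1" 200 600
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def normalise_path(path: str) -> str:
    """Drop the query string and collapse numeric or UUID-like segments to {id}."""
    path = path.split("?", 1)[0]
    parts = []
    for seg in path.split("/"):
        if re.fullmatch(r"\d+", seg) or re.fullmatch(r"[0-9a-fA-F-]{32,36}", seg):
            parts.append("{id}")
        else:
            parts.append(seg)
    return "/".join(parts)

def observed_endpoints(log_text: str) -> dict:
    """Count requests per (method, normalised path template) seen in the log."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m["method"], normalise_path(m["path"]))] += 1
    return dict(counts)

def find_shadow_apis(log_text: str, documented: set) -> tuple:
    """Return (shadow, unused): endpoints hit but undocumented, and documented but never hit."""
    observed = observed_endpoints(log_text)
    shadow = {ep: n for ep, n in observed.items() if ep not in documented}
    unused = documented - observed.keys()
    return shadow, unused
```

Shadow endpoints are candidates for documentation or removal; documented-but-unused ones are often the legacy APIs that should be retired rather than left reachable.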
CybersecAsia: How do you see the region’s awareness of API risks growing this year, amid different enforcement levels of data protection and compliance regulations?
PS: Businesses and public agencies can no longer ignore or downplay API data breaches and exposures. API adoption will continue to accelerate, and ways to attack them will continue to evolve. All organizations in the region will need to continuously re-assess their security posture and be able to effectively address the ever-changing threat landscape.
RK: Especially in sectors such as financial services, organizations have been starting to understand the growing level of threats targeting APIs, as well as becoming aware of the importance of extending data protection policies to APIs. Other standards like PCI DSS are also expected to include APIs in the regulation. Therefore, organizations need to increase their ability to discover and protect APIs against unauthorized data exposures.
In maintaining strict compliance with data protection laws, organizations need to conduct regular audits and assessments of automated processes to identify and rectify potential logic errors or weak points (from build time to runtime). Having robust security practices in place to protect automated systems from vulnerabilities and potential breaches will also be key.
CybersecAsia thanks the two respondents for sharing their views with readers.