Application security: countering the new attack surfaces created by APIs. Understanding the various threat vectors is essential if companies are to protect their applications adequately.
Applications run today in a wide variety of IT environments, from data centers to smartphones, and their number keeps growing. The rise of remote work has also pushed more and more applications into the cloud, which increases the risks to application security. Understanding the various threat vectors is therefore essential if companies are to protect their applications adequately.
Bots as a source of threat
Bots have long been a source of threats to applications and are now at the top of the list of successful attack vectors. With human error behind many breaches, it is more important than ever to leave no defensive gaps open. Security teams should not focus on bots alone, however: zero-day threats, web application vulnerabilities, the software supply chain, and application programming interfaces (APIs) deserve just as much attention.
Recent Barracuda research covering 750 companies worldwide found that 72 percent had suffered at least one breach caused by an application vulnerability in the past year, and nearly 40 percent reported more than one.
New attack surfaces for applications through APIs
More and more companies are moving to "API-first" development, because APIs significantly accelerate the delivery of new application versions. Exposing an application's functions through APIs, however, creates a whole new attack surface.
An example: in the past, cashing a check took a bank several days to verify the originating account and the relevant details before the money finally arrived in the recipient's account. Today, money is often transferred instantly from an application on a smartphone. Behind that single transaction sits a large amount of IT infrastructure, all of which has to be protected.
Verification at the B2B endpoints
No humans are involved in verifying the B2B endpoints; everything is handled through APIs, and those APIs are a potential target. APIs inherently expose application logic, user credentials and tokens, and all kinds of personal information, at cloud speed and directly from the user's smartphone. An API-based application is far more exposed than a conventional web application because its purpose is precisely to give direct, programmatic access to sensitive data.
For example, when users scroll through Facebook or check the live ticker for their stock portfolio in their bank app, their phones talk to the provider's servers via APIs. Every request carries a long alphanumeric token that authenticates the caller, and this traffic must be inspected and secured in real time. Here, as in the check example above, there is no waiting until someone comes back from lunch to decide whether a request is legitimate.
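To make the "long alphanumeric token on every request" concrete, here is an added example of the server-side check an API endpoint has to perform in real time. It is not code from the Barracuda article; the token format (HMAC-SHA256 over a small JSON payload), the server key, the user names and the portfolio endpoint are all assumptions for illustration. A production service would use a vetted token library and a key-management service rather than a key in source code.

```python
"""
Added illustrative example (not from the original article).
Issue and verify a bearer token for a mobile-app API call, then enforce
that a caller can only read its own data. All keys and names are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key. In production this comes from a secrets manager.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return 'payload.signature'; the signature is HMAC-SHA256 over the payload bytes."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return "%s.%s" % (_b64url(payload), _b64url(sig))


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, untampered and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed: wrong number of parts or bad base64
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison; a plain == leaks timing an attacker can use
    # to forge a signature byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # missing or expired
    return claims


def handle_portfolio_request(token: str, requested_user: str,
                             now: Optional[float] = None) -> Tuple[int, str]:
    """Simulated API endpoint: authenticate the caller, then authorize the object access."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, "unauthenticated"
    # A valid token for user A must not read user B's portfolio. Skipping this
    # check is the classic API flaw (broken object-level authorization).
    if claims.get("sub") != requested_user:
        return 403, "forbidden"
    return 200, "portfolio for %s" % requested_user


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", 300, now=t0)
    print(handle_portfolio_request(tok, "alice", now=t0))       # (200, ...)
    print(handle_portfolio_request(tok, "bob", now=t0))         # (403, ...)
    print(handle_portfolio_request(tok, "alice", now=t0 + 600)) # (401, ...) expired
```

The three outcomes worth noting are the ones an API gateway or WAF has to decide in milliseconds: a forged or expired token is rejected before any business logic runs, and a genuine token is still confined to the caller's own objects.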
Protection for applications and APIs
Businesses are increasingly turning to APIs but are struggling to keep up on security. Cybercriminals stand ready with bots to attack unsecured APIs. If an attack succeeds, the attackers gain access to customer data or employee information, which they can exfiltrate or abuse at will. There are many examples of test APIs with direct access to production data being deployed without any security precautions (Facebook's 2018 security breach being one). Even if protecting APIs is a challenge, an encouraging result of the Barracuda study is that 75 percent of the companies surveyed are aware of the risks.
Defending APIs is one of the most important security considerations today. Organizations should therefore look for a comprehensive, scalable, and easy-to-deploy platform that protects their applications wherever they run. A web application firewall (WAF) with Active Threat Intelligence is the most manageable way to protect applications, and with them APIs, from the threats described above. Defending against zero-day threats, bots, DDoS attacks, supply-chain compromise, and credential stuffing, together with client-side security and protection against malicious insiders, should be on every company's agenda if breaches caused by application vulnerabilities are to be avoided.
More at Barracuda.com