Bottom Line Up-Front
Almost everyone has integrated API's with their web-facing applications. And if organization's web applications are the doors that open to the highly sought-after user experience, then API's (application programming interfaces) are the hinges that they swing on. But what happens when those hinges don't all swing to code?
What does an API really do anyway?
Picture this: you're hungry and you need someone (a runner) to go retrieve food on your behalf from anywhere you choose.
In this example you would be the organization's web-application, the runner is the API, and the food is your information. API's essentially are 3rd-party runners that retrieve information on behalf of web-applications. They assist in performing functions like profile-build outs, sending emails, providing banking information, and identifying user location.
Sounds great so far, right? Well, here is the thing; as API's continue to perform more and more critical business services, the graver and deeper the security risks become not only to the organization, but also to its customers, clients, and partners.
Cyberattacks involving API's as vectors began appearing on OWASP's (The Open Web Application Security Project) top ten list back in 2018. These attacks which involved data breaches and other security incidents featured high profile names like, T-Mobile, McDonald's, Salesforce, Instagram, Panera, and Venmo.
Personally identifiable information (PII) exposed in plain-text during these breaches and security incidents included:
Date of Birth
Debit/Credit Card information
API-based attacks by 2022 (just two years from now) "will become the most common form of attacks seen by security teams. Additionally, API's, as opposed to user-interfaces will account for at least 90% of the attack surface by 2021 - (Source: Gartner). With a majority of organizations (particularly those in the healthcare community) citing major concerns about the security of the web-application ecosystem, these three points should cause us all collective pause:
API- security is routinely implemented differently than web-application security.
API-security lags far behind other areas on the IT to-do list.
At least 66% of organizations rely on API's to deliver critical business services.
Where do we go from here?
First things first, you cannot protect what you're unable to see. That means that if you are running point on systems security, you need to know how many API's you rely on and for what. Secondly, you need a plan to credibly manage your API's. And lastly, if that plan does not include continuous monitoring, then we essentially are back at square one.
If you're new to cybersecurity, or just overwhelmed at this point by all that it involves, NMSG's got you covered. Our Cyber Risk Management solution will:
A) Posture your security architecture for success by identifying and remediating mission-critical API-related threats.
B) Develop a security plan that delivers a distributed, organization-wide defense strategy.
C) Maintain a secure operating environment with leading, industry-insight and awareness training.
Contact us today, and we'll get you squared away.