• APIs: The first-class citizens of business

    From TechnologyDaily@1337:1/100 to All on Wed Oct 27 11:30:04 2021
    APIs: The first-class citizens of business

    Date:
    Wed, 27 Oct 2021 10:15:15 +0000

    Description:
    The importance of having an explicit enterprise API management strategy plus an internal API program that puts that strategy into action.

    FULL STORY ======================================================================

    Application programming interfaces (APIs) are at the core of nearly every modern digital experience and their performance and cybersecurity are
    critical for engaging customers and increasing revenue.

    Whether they enable the delivery of mobile apps that let consumers monitor and personalize their exercise routines using an IoT-connected device, or allow car owners to track and share their in-vehicle driving behaviors with an insurer in return for reduced premiums, their impact is clear.

    About the author

    Liad Bokovsky is the Senior Director of Solutions Engineering at Axway.

    However, increasingly frequent news stories about security vulnerabilities that expose private data have brought the issue of API management into sharp focus. In many cases, simple failures to treat API security with respect have resulted in significant data breaches affecting millions of users.

    For example, earlier this year Peloton was under the spotlight for a vulnerability that allowed API requests to access profile information of Peloton users. This meant that anyone, anywhere could get access to the user information of all Peloton users. Not a good situation.

    The underlying issue is that many companies still do not treat APIs as first-class citizens of the business. Part of the problem is that not every IT professional has the experience to fully understand how APIs work, how to design them, and how to manage them securely. But with API attacks on the rise and Gartner predicting that APIs will become the top attack vector by 2022, today's connected companies should have structures in place to make sure that API design, implementation, and management are done properly.

    The anatomy of API vulnerabilities

    Given this context, cybercriminals are increasingly on the lookout for potential API vulnerabilities. The list of security risks is diverse and
    often starts with bad coding practices, where serious security risks are
    built into the API from the outset, significantly increasing the likelihood
    of their integrity being compromised.

    This also falls under the general - and important - issue of accountability. The question of who is accountable for API security risks can prove difficult to resolve. Responsibility begins with the developer, who should be tasked with building an API that effectively addresses key vulnerabilities. But accountability doesn't end there: it should also fall under the remit of whoever is utilizing the API, who should consider whether additional API security measures need to be included.

    Another important issue is API classification. APIs can be deployed in public, private and partner configurations, and organizations focused on consumer-oriented apps and/or devices often classify their APIs as both public and private. This is because, unlike employees, external users don't access them via a private organizational intranet.

    The problem here is that this approach can create a potential vulnerability if tech teams work on the basis that a private API doesn't require security on a par with a public implementation. In reality, restricting API access to authenticated users simply isn't sufficient, and there are examples of organizations leaving their private API exposed and vulnerable and then being put in the difficult position of having to identify and fix a serious security and privacy issue.

    In the Peloton case, for example, the impact of this approach for a business that's heavily reliant on its consumer-facing app was that new users could create an account but then also retrieve profile details about other people, such as their name, location, gender, etc. The fact that users had set their profile account as private didn't matter - the API vulnerability offered another route to the data, with obvious privacy and data protection implications.
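    As an added illustration (not code from the article, from Peloton or from Axway), the two handlers below contrast the check the article describes, where any valid token can read any profile, with object-level authorization that returns a profile only to its owner or, when the profile is not private, to any authenticated caller. Token values, user ids and profile fields are constructed sample data.

```python
# Constructed sample data: a bearer token maps to the caller's user id,
# and each profile carries its owner's id (the dict key) and a private flag.
TOKENS = {"tok-alice": 1, "tok-bob": 2}
PROFILES = {
    1: {"name": "Alice", "location": "Oslo", "gender": "F", "private": True},
    2: {"name": "Bob", "location": "Lima", "gender": "M", "private": False},
}
PROFILE_FIELDS = ("name", "location", "gender")


class Forbidden(Exception):
    """Raised when the request carries no valid credential."""


def caller_id(token):
    """Resolve a bearer token to a user id, or None if the token is unknown."""
    return TOKENS.get(token)


def get_profile_vulnerable(token, user_id):
    # Authentication is the only gate: once the token is valid, the handler
    # never asks whether this caller may see this particular user's data,
    # and the profile's private flag is never consulted.
    if caller_id(token) is None:
        raise Forbidden("unauthenticated")
    profile = PROFILES[user_id]
    return {k: profile[k] for k in PROFILE_FIELDS}


def get_profile_hardened(token, user_id):
    # Object-level authorization: the caller must own the requested profile,
    # or the profile must be public. Unknown ids and private profiles of
    # other users both yield None, so the response does not reveal which
    # ids exist (a 404 in an HTTP handler).
    uid = caller_id(token)
    if uid is None:
        raise Forbidden("unauthenticated")
    profile = PROFILES.get(user_id)
    if profile is None or (profile["private"] and uid != user_id):
        return None
    return {k: profile[k] for k in PROFILE_FIELDS}
```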

    In situations such as this, instead of building the API to grant access to user data whenever certain conditions are satisfied, such as the provision of an authenticated user token, API code should be strengthened to prevent data being exposed. Adding insult to injury, the remediation process took over three months to complete, when building effective API security into the development process would have helped ensure the vulnerability couldn't have been exploited.

    Holistic approach

    The list of challenges goes on, but suffice to say, organizations should take a holistic approach to API security, from design to delivery, and are then better placed to stay one step ahead of the cybercriminals who are proving increasingly adept at identifying and exploiting vulnerabilities. Without more widespread emphasis on risks and mitigation efforts, we're likely to see many more cases of API-related data and privacy breaches that many would argue should be avoidable.

    As API implementation grows to meet the needs of organizations on the road to digital transformation, so does the interest of cybercriminals looking to exploit potential vulnerabilities. Key to minimizing the risk is making sure that end-to-end API design, implementation and management meet the needs of app-based services that are a core part of today's digital-first consumer experiences. By adopting a mindset where APIs are treated as first-class citizens of the business, IT and security teams can have much greater confidence in their security strategy.

    ======================================================================
    Link to news story: https://www.techradar.com/news/apis-the-first-class-citizens-of-business/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)