The post India Leaps Ahead in API Economy, Yet Lags in API Security: Report appeared first on CISO MAG | Cyber Security Magazine.
By Brian Pereira, Editor-in-Chief, CISO MAG
“By 2023, the number of applications that will be born in the cloud (and data centers) will reach 3.7 billion. In 2018, it was 702 million,” said Keiichiro Nozaki, Senior Marketing Evangelist, APCJ at F5.

India leads globally as well as regionally, in terms of application modernization.
Per the survey, 82% of Indian respondents said they are adding a layer of APIs to enable modern user interfaces and/or participate in ecosystems, but not refactoring (modifying the application code itself). So, the API deployment is in “full bloom” in India.
The other options presented to the respondents were:
In the context of Open API, the APIs are publicly accessible on public clouds. So, in this scenario, API security becomes crucial. However, there are gaps in API security.
93% of Indian respondents said they deployed an API gateway. However, only 74% said they deployed API security solutions. Globally, the gap is smaller: 68% of global respondents deployed API gateways and 59% had API security.
“People are aggressively moving to the API architectures that deploy API and do the control and traffic management through API calls. While they may not be prioritizing the idea of how to protect, how to secure those APIs as much as the global average respondents. It is truly great that people are aggressively moving to the API economy in India. However, it is important to ensure that your architecture and the deployment model cover the security portion of this API,” said Nozaki.

However, some believe that the gap for India is much larger than what is shown in the report.
“While the gap here is, you know 74 to 93, in my personal view the gap is much higher because security comes as a strap on, not as a DNA, to most of the Indian organizations,” said Dhananjay Ganjoo, Managing Director, India & SAARC at F5. “And a lot of them spend the money to develop the APP and then (they say) oops! let’s try to figure out how to secure the stack. And that’s what we’re facing in the market in India today. API security is no different — it’s an afterthought.”
Conclusion
To close the gaps in API security, organizations need to move to a DevSecOps culture, which is commonly known as “shift left” in the development cycle. API developers need to think about security at the beginning of the development cycle. Security lapses could lead to leakage of application data, and exfiltration of customer PII could mar the reputation of companies that deliver digital services. So, API security becomes a crucial consideration in an API economy and for Digital India.
About the Author
Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 26 years.
The post “API targets are growing fast, therefore the need for API security” appeared first on CISO MAG | Cyber Security Magazine.
In a recent interaction with Augustin Kurian, Senior Feature Writer at CISO MAG, Yisrael Gross talks about API security, cloud security, and cyber hygiene among several other things.
API security is touted as the new frontier in cybercrime. In fact, by 2022, API abuses will be the most-frequent attack vector resulting in data breaches of enterprise web applications. Is the cybersecurity industry taking necessary precautions to safeguard enterprises from this imminent threat landscape?
According to Gartner, “With few exceptions, WAF technology has failed to deliver on the promise to automatically enforce a positive security model. Shorter application project cycles further impede the ability of security teams to implement and fine-tune WAF appliances.”
That is the main reason for the recent raising of a new cybersecurity vertical, named as “API Security.” API Security solutions are aimed to protect from the same “classical” types of threats as used to be handled by WAFs, plus new types of emerging threats, such as BL attacks, which are specific to APIs. It should be done in a much more dynamic, automated, and precise manner than it used to be made by application security solutions.
It is said that current API solutions like content delivery networks and application delivery controllers, web application firewalls, identity and access management, and API gateways provide basic protections for API infrastructure against volumetric DDoS attacks, OWASP top ten vulnerabilities, session hijacking, and invalid input attacks, to name a few. But are they enough to stop threat actors determined to exploit vulnerabilities unique to each API? How can companies be a step ahead of hackers on this front?
This API “customized policy” referred to here is a major point in protecting APIs. The ability to set an automated, fully adapted policy to an API is the heart of any API protection layer as otherwise, a major fraction of the request might be mistakenly considered as hostile or friendly, by their generic structure or content, while only the specific API policy may judge it correctly. For example, let us assume a policy of a search API, which might get a broad content landscape including even operator types such as OR and AND. Using a general policy will make false such requests, while specific API policy should know how to differentiate these.
In reality, as “open banking” was initially regarded by many as a typical exercise in compliance, following the implementation of the Second Payments Services Directive (PSD2), banks are now shifting gears and going beyond the regulatory requirements by leveraging the benefits of “open APIs” to cater to customer needs and innovate open banking business models, and demand more of these type of solutions.
How has the API security threat landscape changed since the onset of COVID-19?
The threat landscape hasn’t changed much. However, the attack scale has grown dramatically for two main reasons. The number of API targets is growing fast now, developed and deployed at less order, and therefore are more vulnerable. On the other side, criminal motivations are skyrocketing as expected at such time. So, these two are facing each other in growing frequency as expected, since the beginning of this global situation.
As attacks become AI-based, there are higher chances that the Next-gen “Zero-day Payload” attacks can bypass even the most advanced solutions. What are the best practices that need to be adopted to avert this crisis?
The answer is, of course, said inside the question. There is a major need to adapt the AI protection shield, in all aspects of cybersecurity. It should be adaptive to the ever dynamically changing inside structure and outside threat nature. It should also be automated and precise, as for the growing gap of professional resources availability and the growing sophistication of AI-governed attack tactics.
Poor cloud security hygiene has been plaguing several organizations globally. Nearly half of the global organizations on AWS workloads don’t have MFA enabled for users. It is an example of potential avenues for attackers to infiltrate an organization. What is your take on that?
Definitely! It really presents the way of doing the job these days, cross-industry. Business usually comes before cybersecurity, which leaves a wide-open window to the attacks. And when you call them, they come, sometimes in seconds, as everyone who opens a new server on AWS may know.
We believe that there is no point in fighting this lost battle, as this is the way of life. Instead, we present a different approach that is adapted to this trend. We offer enterprises these days to deploy our API security solution, in front of your APIs and Applications, thereby giving them the best-of-breed protection that may be found in the market.
About the Author
Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.