Expert Opinion
In the face of escalating cyberthreats worldwide, safeguarding against malicious actors has become a central facet of a CIO's role.
unauthorised system access and lateral movement within an organisation's network.
Challenges for CIOs posed by APIs
The challenge for CIOs lies in striking a delicate balance between driving rapid innovation and progress while ensuring the security of the business. API security stands out as a crucial intersection point. And while cloud security is widely recognised as essential in today's environments, and AI security has been a major topic of concern in recent months, both are intricately linked to API security, making it not only a security team concern but a broader business problem and, consequently, a CIO's problem.
In fact, the latest Salt Security State of API Security report indicated that nearly half of businesses believe that API security has become a C-level discussion over the past year.
The adoption of API-first methodologies has resulted in a proliferation of APIs throughout an organisation's infrastructure. And those APIs, by their very nature, require constant and regular updating. With every new API added, or update to an existing API, comes the possibility of an unexpected outcome or potential misconfiguration.
As we know, security teams are already overstretched, understaffed and lacking sufficient budgets, so the prospect of securing this sprawling and constantly changing potential attack surface may seem daunting.
Given the challenges and their importance to the business, it is no surprise that the eyes of many C-suites have turned towards APIs as a business issue that cannot be ignored. In fact, recent findings indicate that highly regulated industries such as technology, financial services and energy/utilities companies are where execs are keeping the closest watch.
Unfortunately, API attackers don't necessarily even need to be clever with their attacks; APIs are very manipulable and susceptible to business logic attacks, which provide a low barrier to breach for threat actors. Take for example the Experian incident that allowed unauthorised access to credit scores and other highly sensitive information just by entering easily obtained personal information. In addition to business logic flaws, attackers are well aware that many organisations are struggling to govern the security posture of their constantly evolving API landscape, resulting in misconfigurations that an attacker can easily take advantage of.
Furthermore, in the case of API protection, traditional web security tools such as WAFs, and specialised API lifecycle technologies such as API gateways, were designed for different purposes and lack the capabilities required to detect and defend against the majority of API attacks occurring today, such as business logic attacks. Coupled with an increase in attackers, which have risen by over 400% in recent times, it's no surprise that existing infrastructure investments are inadequate to keep up.
Fortifying defences against API attacks
To fortify the security posture of APIs, CIOs can take several strategic initiatives in collaboration with their security teams. For instance, asset management, a foundational IT best practice, is critical for API security. CIOs need to establish a robust governance strategy for APIs, ensuring a comprehensive inventory of all APIs within their infrastructures, including their purpose, the classification of data associated with their use, the business area/owners they are related to, and the overall security posture of every endpoint.
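As an added illustration of the inventory the article calls for (example code, not from the article or Salt Security), the script below reads an OpenAPI document, builds one record per endpoint with its owner, data classification and whether any authentication requirement applies, and flags the governance gaps that a CIO-level inventory should surface. The `x-owner` and `x-data-classification` fields are an assumed vendor-extension convention, not part of the OpenAPI specification, and the document itself is constructed for the example.

```python
import json

# Constructed OpenAPI 3 document standing in for a real one. "x-owner" and
# "x-data-classification" are an ASSUMED vendor-extension convention for
# recording governance metadata; they are not defined by the OpenAPI spec.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.3", "security": [{"apiKey": []}],
  "paths": {
    "/scores/{customerId}": {"get": {"x-owner": "risk-team",
        "x-data-classification": "restricted", "security": [{"bearerAuth": []}]}},
    "/health": {"get": {"x-owner": "platform",
        "x-data-classification": "public", "security": []}},
    "/customers/lookup": {"post": {"x-data-classification": "confidential"}},
    "/legacy/export": {"get": {"x-owner": "finance", "security": []}}
  }
}""")

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}

def inventory(spec):
    """One record per endpoint. An operation-level 'security' list overrides
    the document-wide default; an empty list means no authentication required."""
    default_security = spec.get("security", [])
    records = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            security = op.get("security", default_security)
            records.append({"endpoint": f"{method.upper()} {path}",
                            "owner": op.get("x-owner"),
                            "classification": op.get("x-data-classification"),
                            "authenticated": len(security) > 0})
    return records

def governance_gaps(records):
    """Flag endpoints with no owner, no data classification, or non-public data
    reachable with no authentication requirement at all."""
    gaps = {}
    for r in records:
        problems = []
        if r["owner"] is None:
            problems.append("no owner")
        if r["classification"] is None:
            problems.append("no data classification")
        if not r["authenticated"] and r["classification"] != "public":
            problems.append("unauthenticated non-public endpoint")
        if problems:
            gaps[r["endpoint"]] = problems
    return gaps
```

Running `governance_gaps(inventory(SAMPLE_SPEC))` on the constructed document flags the lookup endpoint for having no owner and the legacy export for being unclassified and unauthenticated, while the public health check passes.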
42 WWW.INTELLIGENTCISO.COM