It’s that time of year when we review the past year with an eye towards the coming one. With that in mind, I wanted to look back at our 2021 predictions while looking forward to the new year. Last year, we predicted that API security would mature. We were somewhat correct here, but not in the manner we hoped. The maturity came in the form of start-ups popping out of the woodwork and traditional security companies pivoting to focus on APIs. This validates our vision but also causes confusion. When we predicted increased maturity, we were hoping it would translate into fewer incidents. It didn’t.
We also said retail sites would be prime targets for attackers. Indeed they were, but the volume was much higher than we had ever imagined – a 400% increase to 2 billion API transactions per day. Commercialized bot services made it easy for anyone to use a bot to fulfill their shopping list. Lastly, we said that retailers would (finally) stand up to bots and force a day of reckoning. We missed this one completely. Bots continue to dominate high-demand sales, forcing retailers to implement in-person-only sales or paid membership programs to ensure that legitimate buyers, not resellers, win the deal.
What’s in Store for 2022?
1. APIs Become the #1 Attack Vector: This is already happening: 80% of the transactions we analyze traverse an API. But there is still room for it to get worse. Here’s why.
- API development is widely distributed in most organizations and more often than not, there is little training for secure API coding, and guidelines on a formalized API publication process are often non-existent.
- The use of containers and no-code application development continues to explode, and both are heavily dependent on APIs.
- API specification frameworks and documentation are a move in the right direction, but when configured to be publicly accessible, they provide threat actors with an API attack roadmap.
Without fundamental advancements in secure coding practices combined with the development and adherence to a publication process, shadow APIs, those with weak authentication, and those exposing sensitive data will continue to be discovered and exploited in 2022.
2. Specification Frameworks Will Default to Private: The good news is that organizations are adopting API specification frameworks, albeit a bit slowly, as a means of improving security, code quality, and consistency. The bad news is that there are now thousands of API specifications exposed to the public, giving threat actors a cookbook on how they can attack you. You can configure framework tools to be secure, but it would be better if the suppliers made “Private” the default, much as Amazon did for S3 a few years back.
3. Bots Will Exacerbate the Digital Divide: The continued commercialization of shopping bots will lead to widespread usage beyond the classic hype sales (e.g., sneakers, consoles, video cards, high-end merchandise) into areas of basic necessities (e.g., cleaning supplies, toilet paper, baking supplies). We saw snippets of this type of activity in the early days of the pandemic-induced lockdown. Since then, Bot-as-a-Service has made it easy for someone to subscribe to a bot and make an everyday purchase. Those who know where to look, understand how the technology works, and have the wherewithal to subscribe will be able to execute a purchase ahead of the “legitimate” buyers.
4. API Security and Bot Management Will Converge: The vast majority of the startups in the API security market are approaching the API security challenge by focusing on discovery and testing tools that help development teams find and remediate API coding errors before they are published. In many ways, they are augmenting the security focus found in the shift-left methodology. The increased focus on finding flaws before publication is working. The key (missing) requirement in most of these API security offerings is a strong protection posture that allows a customer to see an attack in real time, then natively prevent it using default policies. At the same time, traditional application security vendors that provide bot mitigation functionality as a WAF add-on are trying to respond to the dramatic shift towards APIs. They are now enhancing their web application security solutions to focus more on APIs – discovery, governance, and compliance. The challenge these vendors face is how to collect API telemetry with their client-based approach. We believe that the requirement for real-time, clientless API visibility and protection, combined with the DevOps focus on continually improving quality, is what will drive the convergence of the two markets.
It is our hope that #2 will happen in short order – frameworks are helping organizations get a handle on their API development, which in turn is improving quality and security. At the same time, we hope that #1 and #3 are horribly wrong – security professionals face many challenges every day, and we do not need to add more to our plates. As for #4, we believe we are well suited to address the convergence with our existing platform.