In 1999, Bruce Schneir wrote, “complexity is the worst enemy of security.” Today, I’d argue that speed may be overtaking that top spot or coming darned close. There were two stories published recently about security and privacy issues arising out of apps deployed too quickly.
These kinds of stories are nothing new. Four years ago, cloud vulnerabilities were a reoccurring theme. Often in those cases, developers new to working and securing the cloud resources would inadvertently leave AWS S3 buckets open or ports exposed as they deployed new applications and features without security oversight.
Over time, after many public breaches, and countless news articles, cloud service providers started building in more guardrails so organizations could avoid those mistakes. Also, more tools came to market, providing security teams with broad visibility into the risk posture of their organizations’ cloud environments.
Fast-forward to 2020, and COVID-19 is quickly changing how we work, shop, dine, learn, entertain, and seek medical attention—really all parts of our lives. We’ve all likely encountered some new app or feature that didn’t exist in February, from new food or grocery ordering apps to contact tracing apps and unemployment assistance apps.
This makes me wonder how many apps, rushed to market to accommodate the reality of shelter-in-place and quarantine, are leaving our data or the businesses exposed?
It’s of particular concern when those apps leverage easy-to-build and easy-to-consume APIs to speed development further. When secured, these APIs are a smart way to interconnect endpoints (and systems) to pass data and deliver critical features and functionality. But, when left unprotected or misconfigured, they can open the flood gates, giving hackers access to data and making it easier to wreak havoc and commit fraud. Targeting the API instead of scripting a form fill allows a bad actor to leverage the same benefits of ease of use, efficiency, and flexibility that APIs bring to the development community.
Many enterprises are rapidly moving towards consolidating all their business logic behind APIs, where the web and mobile applications are just user-interface shims around those APIs. This rapid movement, as highlighted with several examples above, exposes new vulnerabilities, which are waiting to be exploited.
So, with guardrails in place (and hopefully you’re using them), it’s time for organizations to turn their attention to APIs. You can start by asking some simple, but often hard to answer questions:
- Do you know all the APIs in use across your organization, including shadow APIs?
- Does security have the ability to assess API risk across both cloud and on-premises environments?
- Can you protect your APIs from automated attacks and malicious activity?
- Have the APIs drifted from their original specification and has that increased your risk?
- Are the APIs accidentally, even in the form of error responses, leaking sensitive information?
If you’d like some help devising your organization’s API security program, we’d be glad to help you. And, stay tuned, because we’ll be providing new tools to help you answer these questions soon. Meanwhile, I urge everyone who quickly published apps in response to the COVID-19 pandemic to do a security review.
Like the virus, you may be asymptomatic today, but that doesn’t mean you’re not vulnerable.