There’s an old saying: “you don’t know what you don’t know.” There are many ways to fill the gaps in our knowledge: more reading and education, hands-on investigation and experiment, or maybe even AI and machine learning. In cyber security, though, I’ve found that if you want to know what’s happening in your environment, you only have to ask what’s happening in your neighbor’s. If your peers are getting hit with automated attacks against their APIs, you’re likely getting hit, too. If your competitors are dealing with fraud and account takeover (ATO), the same attackers will likely make similar attempts on your site.
A recent application security survey, done in conjunction with Information Security Media Group (ISMG), found that 30% of respondents had no idea how many apps they had deployed. Whether there were too many to count, too many autonomous business groups with permission to publish, or simply no visibility, it’s very likely that those applications lack the layered security needed to defend against automated attacks. A third of respondents also said they had no idea how many attacks their web, mobile and API-based apps had taken in the past year.
30% of respondents say they have too many apps deployed across their organization to count, or simply lack the visibility into how many apps they have deployed.
With more than half (57%) of applications running in the cloud, respondents were also most concerned about protecting web applications (60%), ahead of mobile or API-based apps. The focus on web apps is not too surprising: those are the applications most companies have visibility into, and APIs are often viewed as plumbing for web and mobile apps rather than as applications in their own right. Whether the protection is a web application firewall, a CDN, a bot mitigation solution, an API security solution, or a combination of all four, web applications are the most likely to have it deployed. Security teams have the most information about, and hence the most concern for, the apps they are already protecting.
It’s concerning that APIs and mobile apps (which are almost always API-based) have significantly fewer protections than web apps: respondents reported protecting APIs with security solutions at half the rate they reported for web apps. APIs are built for programmatic access, so attackers can drive them at machine speed without emulating a browser, reaching more data and doing more harm, faster. They therefore need equal if not greater protection. The CQ Prime Threat Research Team found that 98% of ATO traffic originating from Bulletproof Proxy networks targeted mobile APIs.
I empathize with security teams. The popularity of the cloud and DevOps practices has made it difficult, if not nearly impossible, to keep up with all the applications in an organization. They constantly balance the need to enforce security against the need not to slow innovation and development. Yet security is typically outpaced and out-resourced by both the internal development teams and the attackers.
The best thing an organization can do is gain visibility into the applications and APIs it has in use, automatically (not manually) and with as little friction as possible: learn who is using them, who has access to them and what they connect to. With those facts in hand, it’s easier to prioritize fixing vulnerabilities and then to build the control mechanisms and protections around those apps and APIs.
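One way to start that inventory from data most teams already have, as an added example that is not part of the original post nor any vendor’s product: parse web server access logs, collapse identifiers in paths so each endpoint appears once, and record which clients hit it, whether those clients look like browsers, and how often authentication fails. The log format (Combined Log Format with a trailing Host field), the sample lines, and the flag names are constructed assumptions for illustration. Access logs show who calls an endpoint, not what the endpoint connects to downstream; that part of the picture needs service-level telemetry.

```python
"""Added example: build a first-pass API inventory from web access logs.

Illustrative code only (not the survey's or any product's tooling). It assumes
Combined Log Format lines with a trailing Host field, a constructed layout.
"""
import re
from collections import defaultdict

# Constructed sample log lines, not real traffic.
SAMPLE_LOGS = """\
203.0.113.5 - - [02/Jun/2021:10:00:01 +0000] "GET /api/v1/users/123 HTTP/1.1" 200 512 "-" "okhttp/4.9.0" api.example.com
203.0.113.5 - - [02/Jun/2021:10:00:02 +0000] "GET /api/v1/users/987 HTTP/1.1" 200 498 "-" "okhttp/4.9.0" api.example.com
198.51.100.7 - - [02/Jun/2021:10:00:03 +0000] "POST /api/v1/login HTTP/1.1" 401 87 "-" "python-requests/2.25.1" api.example.com
198.51.100.7 - - [02/Jun/2021:10:00:03 +0000] "POST /api/v1/login HTTP/1.1" 401 87 "-" "python-requests/2.25.1" api.example.com
198.51.100.7 - - [02/Jun/2021:10:00:04 +0000] "POST /api/v1/login HTTP/1.1" 200 143 "-" "python-requests/2.25.1" api.example.com
192.0.2.9 - - [02/Jun/2021:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" www.example.com
192.0.2.9 - - [02/Jun/2021:10:00:06 +0000] "GET /api/v2/orders/a1b2c3d4-e5f6-7890-abcd-ef1234567890 HTTP/1.1" 200 900 "https://www.example.com/" "Mozilla/5.0" www.example.com
"""

# Combined Log Format plus one trailing Host token (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)
UUID_RE = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', re.I)
HEX_ID_RE = re.compile(r'^[0-9a-f]{16,}$', re.I)


def normalize_path(path):
    """Drop the query string and replace ID-like segments with {id},
    so /api/v1/users/123 and /api/v1/users/987 count as one endpoint."""
    path = path.split('?', 1)[0]
    parts = []
    for seg in path.split('/'):
        if seg.isdigit() or UUID_RE.match(seg) or HEX_ID_RE.match(seg):
            parts.append('{id}')
        else:
            parts.append(seg)
    return '/'.join(parts)


def build_inventory(log_text):
    """Return {(host, method, normalized_path): stats} from access log text.
    Lines that do not match the assumed format are skipped, not guessed at."""
    inventory = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m['host'], m['method'], normalize_path(m['path']))
        entry = inventory.setdefault(key, {
            'requests': 0,
            'clients': set(),         # who is calling (source IPs)
            'user_agents': set(),     # what kind of client (browser vs. tooling)
            'statuses': defaultdict(int),
            'referers': set(),        # which web front-end, if any, drives the call
        })
        entry['requests'] += 1
        entry['clients'].add(m['ip'])
        entry['user_agents'].add(m['ua'])
        entry['statuses'][int(m['status'])] += 1
        if m['referer'] != '-':
            entry['referers'].add(m['referer'])
    return inventory


def flag_endpoints(inventory):
    """Attach review flags (names are assumptions) to each inventoried endpoint."""
    flags = {}
    for (host, method, path), e in inventory.items():
        f = []
        # Non-browser user agents mean programmatic clients: mobile apps, partners or bots.
        if any(not ua.startswith('Mozilla/') for ua in e['user_agents']):
            f.append('non-browser-clients')
        # An API path never reached from a web page is likely mobile- or partner-facing,
        # i.e. exactly the kind of endpoint the survey says is least protected.
        if not e['referers'] and (path.startswith('/api/') or host.startswith('api.')):
            f.append('api-without-web-referer')
        # A majority of 401s on one endpoint is a credential-stuffing / ATO signal.
        if e['statuses'][401] / e['requests'] >= 0.5:
            f.append('auth-failures')
        flags[(host, method, path)] = f
    return flags


if __name__ == '__main__':
    inv = build_inventory(SAMPLE_LOGS)
    for key, fl in flag_endpoints(inv).items():
        host, method, path = key
        print(f"{method:5} {host}{path}  requests={inv[key]['requests']}  flags={fl}")
```

Run against real logs, the endpoint list is the starting inventory, the `api-without-web-referer` set is the list to check for missing protections first, and the `auth-failures` set is where to look for ATO traffic already under way.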
If you’re interested in learning more, join us for a live webinar on June 2 where we’ll discuss the findings of the ISMG application security survey and ways organizations are deploying protections from vulnerabilities and attacks.