26 October 2021 – Cyber Security Coalition
APIs – new attack sweet spot
The threat landscape is in continuous turmoil, with new attack surfaces rapidly gaining popularity. If you’re into cloud security, security architecture, governance, secure application development or into cyber security in general as a CISO or otherwise, you should check out this cyber talk on the popular new ‘kid on the block’: API security attacks.
Cyber criminals don’t neglect to study today’s innovations in our app-driven world. So it’s little wonder that a company such as Gartner predicts that by “2022, API abuse will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.” In the Cyber Talk “API Security”, Roey Eliyahu, CEO and co-founder of Salt Security, explains the dangers and possible mitigations.
APIs as a security risk
Application Programming Interfaces (APIs) allow applications to talk to each other, exchanging any type of data over any protocol. As a result, there is a danger of “data exfiltration, data modification and account takeover,” according to Roey Eliyahu. Today, information environments contain many more APIs (often 1,000 or more rather than a few), with many of those continuously in flux (rather than static) and carrying far more sensitive data. Furthermore, API attacks are much more business-logic oriented and extended in time (‘low and slow’).
As a result, companies are confronted with tough questions: do you know all active APIs (read: no, as documentation is missing, insufficient or outdated), and what sensitive data do they expose?
Also, there is a wide variety of API attacks, to the extent that OWASP already lists an API Security Top 10. This talk covers two of them: ‘A1 Broken object level authorization’ and ‘A3 Excessive data exposure’, illustrating how seemingly correct usage can still be a form of abuse, as well as pointing out discovery issues.
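To make the two weaknesses concrete, here is an added example (not code from the talk or from Salt Security) of a minimal, framework-free “GET /users/{id}” handler: first with both defects, then hardened with an object-level ownership check and a response-field allowlist. The user store, field names and `Principal` type are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample store: user id -> full record, some fields sensitive.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.test",
        "password_hash": "$argon2id$placeholder", "ssn": "000-00-0001", "role": "user"},
    2: {"id": 2, "name": "bob", "email": "bob@example.test",
        "password_hash": "$argon2id$placeholder", "ssn": "000-00-0002", "role": "admin"},
}


@dataclass
class Principal:
    """The authenticated caller, as an API gateway or auth middleware would supply it."""
    user_id: int
    role: str


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorised for this object."""


def get_user_vulnerable(caller: Principal, user_id: int) -> Optional[dict]:
    # A1: any authenticated caller can read any id, because the handler never
    # compares the requested object with the caller (broken object level authorization).
    # A3: the whole record, secrets included, is handed to the serialiser
    # (excessive data exposure). Each request looks perfectly legitimate on its own.
    return USERS.get(user_id)


# Explicit allowlist of fields that may leave the server for this endpoint.
PUBLIC_FIELDS = ("id", "name", "email")


def get_user_hardened(caller: Principal, user_id: int) -> Optional[dict]:
    record = USERS.get(user_id)
    if record is None:
        return None
    # Object-level authorization: the caller must own the object or hold the admin role.
    if caller.user_id != record["id"] and caller.role != "admin":
        raise Forbidden(f"user {caller.user_id} may not read user {user_id}")
    # Response filtering: build the reply from the allowlist, never from the raw record.
    return {field: record[field] for field in PUBLIC_FIELDS}
```

In a real deployment the `Forbidden` path is also the signal worth logging and counting per caller, since a slow series of such rejections across many ids is the ‘low and slow’ pattern the talk describes.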
What to do?
Clearly, discovery of all active APIs is indicated, preferably in an automated way, as manual discovery won’t keep up with changes and attacks are often very API specific. The ‘low and slow’ nature of API attacks also requires extended scrutiny of the APIs in actual everyday use, as “you have to see the whole movie, not frame by frame.” According to Roey Eliyahu, web application firewalls and API gateways do not cover all the security needs of APIs (see the comparative table in the talk), which led Gartner to create a new, specifically API security related product category. These products must connect to all kinds of API-connected elements in your stack; monitor API changes; check behavioural attributes (what is ‘normal’); and stop attacks. Furthermore, these products must be complementary to other security investments, for integration in a multi-layer defence.
As is often the case, this is an ‘if you need it, you need it badly’ type of talk, even as an introduction, as this is probably still a lesser-known problem, and not staying abreast of emerging but fast-growing threats is not an option.
More on the OWASP API Security Project
(including API Security Top 10:2019 list)