Q&A: Poorly written API presents new business risks

By Tim Sandle     Jan 14, 2021 in Technology
Businesses need to be increasingly careful about the exposure of their digital services and assets, especially during the current health crisis, as attackers look for new ways to cause service outages.
COVID-19 and the U.S. presidential election made 2020 a perfect storm for attackers. The year also saw growth in the API economy as consumers shifted toward primarily using online apps on mobile devices to manage finances, healthcare and other important transactions. Meanwhile, consumers became more aware of how companies collect and store their data when they use these types of apps.
What else can be expected in terms of enterprise technology trends? Nathanael Coffing, CSO of Cloudentity, explains to Digital Journal that we should expect identity and access management to feature heavily, along with other major cybersecurity factors.
Digital Journal: How important will identity access and management become?
Nathanael Coffing: Identity Access and Management (IAM) and security are no longer separate facets of an organization and must be treated holistically. According to 2019 data from the OWASP Foundation, seven out of the top 10 security vulnerabilities for APIs are related to identity. This shows that for the technology industry at large, the era of managing identity outside of cybersecurity is over. API security is a foundational element in today’s app-driven world, and all APIs need stronger, more granular methods of transactional authorization.
The risk is palpable, as we’ve seen from the dozens of API breaches this year: if an API is poorly written, object- or function-level authorization issues provide programmatic data leakage to an attacker. An example of this going wrong is Cambridge Analytica, where Facebook’s API exposed raw data from more than 87 million Facebook users, which was then exploited by the political consulting firm. If organizations don't take control of their API security, we will see more large-scale data breaches in 2021.
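The two authorization failures Coffing names correspond to the first and fifth entries of the 2019 OWASP API Security Top 10: broken object level authorization (BOLA) and broken function level authorization (BFLA). The following is an added example, not code from Cloudentity or from any API discussed in the interview; the document store, the user names and the handler names are constructed for illustration. It shows a vulnerable handler beside its hardened counterpart for each class, plus the enumeration an attacker would run against the vulnerable one.

```python
"""Object-level (BOLA) and function-level (BFLA) authorization, vulnerable beside hardened.
Added example with constructed data and names; not code from any real API or vendor."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Authenticated caller, insufficient privilege."""


class NotFound(Exception):
    """Object absent, or deliberately reported as absent to the caller."""


@dataclass(frozen=True)
class Caller:
    user_id: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: str
    body: str
    shared_with: frozenset = frozenset()


# Constructed sample store. Sequential ids are what make BOLA trivially enumerable.
DOCS = {
    1: Document(1, "alice", "alice's tax return"),
    2: Document(2, "bob", "bob's medical record"),
    3: Document(3, "bob", "quarterly report", frozenset({"alice"})),
}


def vulnerable_get_document(caller, doc_id):
    """BOLA: the caller was authenticated upstream, but the object id is trusted as given.
    Any logged-in user can read every document simply by walking the ids."""
    if doc_id not in DOCS:
        raise NotFound(doc_id)
    return DOCS[doc_id].body


def hardened_get_document(caller, doc_id):
    """Object-level check: the caller must own the document or be in its share list.
    Denied access is reported as NotFound, so existing ids cannot be distinguished
    from missing ones by an attacker probing the id space."""
    doc = DOCS.get(doc_id)
    allowed = doc is not None and (
        caller.user_id == doc.owner_id or caller.user_id in doc.shared_with
    )
    if not allowed:
        raise NotFound(doc_id)
    return doc.body


def vulnerable_delete_user(caller, users, target):
    """BFLA: an administrative function reachable by every authenticated caller."""
    users.discard(target)
    return sorted(users)


def hardened_delete_user(caller, users, target):
    """Function-level check: the admin role is verified before any state changes."""
    if "admin" not in caller.roles:
        raise Forbidden("delete_user requires the admin role")
    users.discard(target)
    return sorted(users)


def enumerate_as(getter, caller, id_range):
    """What a caller sees by walking object ids through a given handler."""
    seen = {}
    for doc_id in id_range:
        try:
            seen[doc_id] = getter(caller, doc_id)
        except NotFound:
            pass
    return seen


def attempt(fn, *args):
    """Run a handler and report ('ok', value) or ('denied', ExceptionName)."""
    try:
        return ("ok", fn(*args))
    except (Forbidden, NotFound) as exc:
        return ("denied", type(exc).__name__)
```

Walking ids 1 through 5 as `alice` returns all three documents through `vulnerable_get_document` and only documents 1 and 3 through `hardened_get_document`; the same non-admin caller can remove `root` through `vulnerable_delete_user` but is refused by `hardened_delete_user`. The point of the hardened handlers is that the check is made per object and per function on every request, which is the granular transactional authorization the answer above calls for.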
DJ: What can we expect from the API economy?
Coffing: In the last few years, APIs have been elevated from a development technique to a business model driver and boardroom consideration. Essentially, APIs enable companies to more easily build products and exchange data with internal, partner and customer services. According to recent statistics, Salesforce generates half of its revenue through its APIs, while Expedia reportedly derives a staggering 90 percent of revenue from APIs. In 2020, the API economy boomed and in 2021, we will see an explosion of new applications as a result.
Enterprises thrive on data, and APIs are a key enabler for reusing, sharing and monetizing that data, extending the reach of existing services or providing new revenue streams. Therefore, a growing number of large enterprises are building new services that expose legacy data stores, allowing developers to use this data to create new APIs that drive new business initiatives.
However, along with the rapid growth of API-centric services, there are more risks of APIs having vulnerabilities in their code. APIs should be treated as products and potential security flaws must be addressed at the API-level, ideally in the development stages.
DJ: Do you think consent control will become more rigorous?
Coffing: As we’ve seen with popular cloud document-sharing services like Google Docs and Box, API-centric services are relied on every day for seamlessly sharing data and being able to control who can view and edit certain files. Privacy is at the core of these open-data platforms, and authorization and consent are what ensures privacy is maintained. With modern API-centric services, consent has shifted the consumer mindset from “what data can I know about this app” to “what data can this app know about me,” and “what data can this app share about me?”
Given consumer privacy regulations such as GDPR and CCPA, APIs must include consent controls that are much more rigorous to prevent sharing consumer data without proper consent. For example, third-party consumer apps like Spotify shouldn’t be able to post to someone’s Instagram page or other social media accounts unless they specifically allow it, even when these apps remain linked to one another.
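The consent behaviour described above, where a linked app keeps its link but may only perform the actions the user has explicitly granted, maps naturally onto per-request scope checks. The following is an added example, not code from Cloudentity, Spotify, Instagram or any platform named in the interview; the app and user names, the scope strings and the action-to-scope table are constructed for illustration. The check runs on every call rather than once at link time, so revoking a scope takes effect immediately while the link remains.

```python
"""Per-request consent (scope) checks for a linked third-party app.
Added example with constructed names; not code from any real platform or vendor."""
from dataclasses import dataclass, field

# Which consent scope each API action requires. Constructed for the example.
REQUIRED_SCOPE = {
    "read_profile": "profile:read",
    "post_to_feed": "feed:write",
    "read_contacts": "contacts:read",
}


class ConsentDenied(Exception):
    """The app is not linked, the action is unknown, or the scope was never granted."""


@dataclass
class ConsentStore:
    # (user_id, app_id) -> scopes the user has granted. The key being present means
    # the app is linked, even when the granted scope set is empty.
    _grants: dict = field(default_factory=dict)

    def link(self, user_id, app_id, scopes):
        self._grants[(user_id, app_id)] = set(scopes)

    def grant(self, user_id, app_id, scope):
        self._grants.setdefault((user_id, app_id), set()).add(scope)

    def revoke(self, user_id, app_id, scope):
        # Removing one scope leaves the link and the other scopes intact.
        self._grants.get((user_id, app_id), set()).discard(scope)

    def unlink(self, user_id, app_id):
        self._grants.pop((user_id, app_id), None)

    def is_linked(self, user_id, app_id):
        return (user_id, app_id) in self._grants

    def granted(self, user_id, app_id):
        return frozenset(self._grants.get((user_id, app_id), ()))


def authorize(store, user_id, app_id, action):
    """Consent check performed on every call, never cached from link time."""
    if not store.is_linked(user_id, app_id):
        raise ConsentDenied(f"{app_id} is not linked to {user_id}")
    scope = REQUIRED_SCOPE.get(action)
    if scope is None:
        # Unknown actions are denied rather than passed through unchecked.
        raise ConsentDenied(f"unknown action {action}")
    if scope not in store.granted(user_id, app_id):
        raise ConsentDenied(f"{app_id} lacks {scope} for {user_id}")
    return True


def try_action(store, user_id, app_id, action):
    """Boolean form of authorize() for logging and for the walkthrough below."""
    try:
        return authorize(store, user_id, app_id, action)
    except ConsentDenied:
        return False


def walkthrough():
    """Link a music app with read-only consent, then grant and revoke posting."""
    store = ConsentStore()
    store.link("carol", "musicapp", ["profile:read"])
    results = []
    results.append(try_action(store, "carol", "musicapp", "post_to_feed"))  # linked, no consent to post
    store.grant("carol", "musicapp", "feed:write")
    results.append(try_action(store, "carol", "musicapp", "post_to_feed"))  # consent given
    store.revoke("carol", "musicapp", "feed:write")
    results.append(try_action(store, "carol", "musicapp", "post_to_feed"))  # consent withdrawn
    results.append(try_action(store, "carol", "musicapp", "read_profile"))  # original grant still valid
    results.append(store.is_linked("carol", "musicapp"))  # link survives the revocation
    return results
```

`walkthrough()` returns `[False, True, False, True, True]`: posting is refused until consent is granted, refused again the moment it is revoked, and the read-only grant and the link itself are unaffected throughout. Keeping the action-to-scope table explicit also means a newly added API action cannot silently inherit a broad grant; it is denied until someone decides which consent it requires.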
DJ: What is the role of VPNs going forwards?
Coffing: With a large percentage of the workforce operating remotely for the foreseeable future, more APIs are being moved outside firewalls to maintain productivity from anywhere and ensure business continuity during the pandemic. Organizations relied heavily on VPNs (Virtual Private Networks) in 2020, but there are security and business risks associated with extending the edge.
Given the perimeter-centric ramifications associated with using a VPN, enterprises are moving toward IAM solutions to solve these issues around remote authorization and access. Identity has become the new perimeter for users and services and strong authentication is the front door. Both aspects are critical for remote workers to be able to securely transfer and access important proprietary data.