Deep Dive: Why Can't We Solve API Security?
CISOs, Analysts Explore Solutions to Visibility, Governance and Incident Response
APIs are the connections that make digital business happen. Companies on average rely on more than 15,000 APIs to perform transactions and access data, but these interfaces also pose security risks. In this "Deep Dive" special report, ISMG's Anna Delaney explores how security leaders are overcoming problems such as API discovery, testing, governance and incident response.
"Everything is API-based, and there are some great advantages and great disadvantages," said Rick Doten, vice president and CISO at Centene Corp., which provides managed care services to the healthcare industry. "The disadvantages, of course, are the surface area expansion, and you're dealing with external and internal APIs. But the advantage is: It's a lot easier to get telemetry from everything because everything is API-based."
API security poses unique challenges because inventorying and securing APIs requires higher levels of collaboration with the software development team and an understanding of both traditional security controls and potential flaws in business logic that can be exploited.
"Threat actors have understood that they don't need to breach systems at all. They can just siphon off data - right through vulnerable APIs," said Aseem Rastogi, global head of security research at Snowbit by Coralogix, who previously led security for a tech firm that built APIs.
The complexity of today's hybrid IT environments has reduced the visibility of API flaws, and this poses potential risks to operations too, said Dinis Cruz, CISO, OWASP project leader and founder of The Cyber Boardroom. "API security is not a security problem," Cruz said. "API security is an engineering problem."
In this "Deep Dive" report, Delaney spoke with experts and analysts about:
- The security risks posed by weak encryption, unauthorized access, malicious code injection, poor visibility and an emerging threat - insecure code written by generative AI tools;
- The strengths and weaknesses of the API security tools available today and the advancements needed in the area of testing;
- Strategies for improving API visibility and governance across the enterprise.
In This Episode
- Sandy Carielli is a principal analyst at Forrester advising security and risk professionals on application security, with an emphasis on the collaboration among security and risk, application development, operations and business teams.
- Doten is a cyber risk management thought leader with more than 30 years of experience in the IT industry, the last 25 focused specifically on cybersecurity. He has worked as both the CISO of a multinational company and a management consultant performing risk management and risk engineering to mature customer security and privacy programs. He is a member of the CyberEdBoard.
- Rastogi has more than 25 years of experience in all aspects of cybersecurity and compliance with deep experience in defining, building and scaling high-performance security teams and businesses. He has led IT and security programs at a variety of large organizations. He is a member of the CyberEdBoard.
- Cruz is a CISO and the founder of The Cyber Boardroom startup. He has more than 20 years of experience in security and software development and is focused on creating generative-AI powered teams and environments where engineering and security are enablers and accelerators for the business. He is a member of the CyberEdBoard.