Gartner accurately predicted that the API would become the most-frequent attack vector by 2022, leading to increased data breaches and ransomware attacks. Now that we're here, what does that mean for application and security teams facing these threats?
Enterprises are dependent on the use of APIs now more than ever. In 2021, we saw the growth of APIs continue unabated as organizations continued to operate in a cloud-hybrid environment and leverage SaaS applications in greater numbers.
In 2022, we'll naturally see the continued use of such API-related security tools, API catalogs, and API behavior-monitoring tools. We anticipate they will continue to grow throughout the organization, continuously improving on their ability to detect and prevent attacks.
However, these elements will present some challenges application and security leaders should keep an eye out for.
7 API Security Predictions You Need To Know For 2022
Perimeter Tools
Perimeter tools and edge monitoring solutions have been at the core of many OpSec/AppSec environments for the past year. While largely effective at preventing attacks, we anticipate that perimeter tools will stop being the ultimate gold standard of API security as new technologies come into vogue and as organizations begin incorporating remediation programs to boost their security levels.
API Catalogs
API Catalogs are a critical component of an API security strategy. They allow organizations to collect information about APIs, API quality and API usage in a central location. As APIs evolve and the number of APIs grow, maintaining this catalog can become very difficult. We anticipate that this difficulty will continue deep into 2022 as constant change, coupled with the lack of the tools and skills, will place a tremendous burden on software development teams. We predict that these teams will underestimate the effort involved to maintain catalogs at the level required.
However, there is a silver-lining. If a robust API catalog can be maintained, the organization can benefit from greater insight into the scope and scale of API-related cybersecurity risk. The organization can then apply appropriate resources to address problems. The insight generated from this effort will be especially useful to board members and shareholders whose interest in cybersecurity preparedness has recently skyrocketed. Additionally, a robust API Catalog strategy are proven incredibly useful in helping to prevent duplicate API development efforts.
API Monitoring Tools
Given the amount of data that they collect, API Monitoring Tools often return queries with abnormally long run-times, lengthening the decision-making process and damaging productivity. We anticipate that more organizations will seek to avoid this problem through the adoption of modern analytics platforms that only source the data that's needed and blend it with other relevant data sources, simultaneously reducing query run-times and providing more helpful information and context when query results are returned.
Common Controls
Common controls are security controls used throughout organizations’ information systems. These security controls typically can be inherited as part of the organizations’ technology stack and are applied to multiple systems within the organization (NIST’s SP 800-53 provides a good overview).
We see common controls utilized today with mainstream security solutions such as laptop encryption, network firewalls, and WAFs. New employees expect that their laptops will have some built-in encryption as part of the standard security. App developers expect that their applications will be protected behind a network firewall and a WAF. These are common controls.
While some aspects of the API security can be addressed with existing common controls (network and web app controls), these common controls still leave large security gaps that leave the API and the business potentially vulnerable to attack. Given the surge in API growth, both in numbers and volume of traffic, security teams are struggling to find ways to efficiently observe and adequately address the gaps. This is where other technologies and processes will need to step in and cover bases where and as needed. Again, modern analytics platforms are stepping up to the plate.
The Great Unveiling
What's the difference between the Log4j vulnerability and many of the other headlines we've read over the past year? Fortunately, the Log4j vulnerability was discovered after only 9 days.
As we know, many of the largest breaches over the past few years were actually breached well before they were detected. The SolarWinds breach took nearly a year before any indicators of compromise (IoCs) were discovered.
IBM’s 2021 report details that the average time to detect and contain breaches has continued to increase for the past four years. The average number of days to detect and contain a breach currently stands at 287 days (212 to detect, 75 to contain).
The average number of days to detect and contain a breach is 287 days (212 to detect, 75 to contain).
Assuming hackers didn’t take any time off in 2021, the majority of API related breaches that are likely to be discovered in 2022 will have been there since the previous year.
What does this mean from a business perspective?
Given the lengthy amount of time between breach discoveries, and given the gaps that still exist in API Security today despite the use of API tools, we predict that a slew of severe breaches will be discovered in 2022 that will have targeted more data and exposed more consumers and businesses more dangerously than ever before.
After all, one of the most catastrophic and damning breaches JUST happened on our watch (Log4j) and 2021 was a record-breaking year for data breaches as is. According to Identity Theft Resource Center (ITRC), the total number of data breaches through September 30, 2021 exceeded the total number of events in 2020 by 17%.
We absolutely smashed our previous records, and there's no data to indicate that things will trend differently in 2022 - we're still on the same projections, if not worse, than before.
As a result, we anticipate that APIs (more specifically - the remediation of API vulnerabilities) will elevate from a technical problem to a business-critical one in 2022 as C-Suite executives are alerted to financial losses, loss of productivity, reputation damage, legal liability, and business continuity problems as a result of exposed data.
We anticipate the remediation of API vulnerabilities will elevate from a technical problem to a business-critical one in 2022 as C-Suite executives are alerted to financial losses, loss of productivity, reputation damage, legal liability, and business continuity problems as a result of exposed data via vulnerable APIs.
We anticipate Boards and C-Suites will issue directives to better combat these threats, encouraging task forces and command and control centers that centralize information and combine people, process, and technology efforts to properly remediate outstanding vulnerabilities, better manage risk, and prevent future attacks.
Resources and Skillsets
What's the difference between large entities like Microsoft and Homeland Security that experienced data breaches, and smaller businesses who experienced them the same?
The larger entities have some of the most skilled cybersecurity professionals in the world - and yet they still were breached. Most organizations don’t have the staff skill set nor the technology that these organizations have, so there is a high probability that an attack, even one not as sophisticated as the SolarWinds attack, could go noticed for extremely long periods of time, even years.
In 2022, we anticipate the growth of API-specific services to meet the demand for resources and skillsets in the cybersecurity space that organizations currently lack internally. We predict that businesses will seek out more expert third-parties to help address specific critical API-related issues.
"While API security vendors have an edge in offering API protection technology today, they will face increasing competition from more comprehensive offerings... We believe winners in API security will be companies capable of expanding their API security efforts to something more broad."
- Umesh Padval, Venture Partner, Thomvest Ventures
The Heart of the Problem
Despite API security tools, perimeter protection tools, API catalogs, API behavior tracking tools, API command controls, skilled developers and teams, OWASP guides, best practices blog posts, webinars, keynotes, summits, conferences - despite it all, there are still significant gaps and issues to address when it comes to API Security.
At the heart of all these problems are API vulnerabilities themselves, and security leaders would do well to remember why all these other actions are being taken in the first place. Remediation is wrongfully being reduced down to automated tickets tacked onto the end of backlogs. As long as remediation is overlooked in this fashion, the longer that actual API vulnerabilities will persist, and the longer and greater the organization will be plagued with a slew of compounding issues that they could proactively avoid.
We anticipate that API Remediation will be given the attention it demands as awareness builds around the capabilities and possibilities surrounding what API Remediation can - and should look like - in 2022. To get a clearer picture of what good API Remediation looks like in 2022, download our Ultimate Guide to API Remediation or schedule a discovery call to see whether ReactFirst would be the right fit for your organization.
Introducing ReactFirst: Security for the new API Economy and the pace of modern business. ReactFirst is an award-winning, comprehensive API threat remediation solution that goes beyond technology to help minimize the threat caused by API security vulnerabilities. ReactFirst helps bring together a combination of capabilities - a program, technology, and team of experts - to appropriately address the risk caused by API vulnerabilities. Instead of merely identifying problems, it tracks the organization's ability to resolve them, providing a command and control structure that delivers the necessary insights and accountability to see each vulnerability move through the remediation process.
This program is backed by executive sponsorship, supported by cross-industry experts, and enabled by state-of-the-art technology. ReactFirst works as the perfect accompaniment to your existing API strategy, providing the transparency, oversight, and control into the API Remediation process your organization needs as the risk around API vulnerabilities grows. Talk to us to see if the ReactFirst is a fit for you, and whether it help boost your API Remediation efforts into one you can trust: https://www.reactfirst.io/contact