
If you’re one of those developers who are constantly worried about your API security, you’re not alone. It turns out insecure interfaces and APIs are among the top threats to cloud computing as ranked by a recently published report from the Cloud Security Alliance (CSA).
The report titled, “Top Cloud Threats to Cloud Computing – Pandemic Eleven,” is a survey of more than 700 experts on security issues in the cloud industry. It revealed changes taking place in the community in terms of what security issues are seen as concerning. Based on respondents’ answers, traditional cloud security concerns such as CSP data loss, denial of service, shared technology vulnerabilities, and system vulnerabilities were rated very low and were no longer considered in the report. The low ratings were attributed to the confidence and apparent trust of clients in the cloud infrastructure.
The focus of security efforts has now shifted to configuration and authentication. These include identity and access management, configuration management, cryptography, coding practices, and strategic cloud direction.
Here are the top 11 concerns in order of significance:
- Insufficient identity, credential, access and key management
- Insecure interfaces and APIs
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insecure software development
- Unsecure third-party resources
- System vulnerabilities
- Accidental cloud data disclosure
- Misconfiguration and exploitation of serverless and container workloads
- Organized crime/hackers/APT
- Cloud storage data exfiltration
Jon-Michael C. Brook, co-chair of the Top Threats Working Group and one of the paper’s lead authors said, “Collectively, these security issues are a call to action for developing and enhancing cloud security awareness, configuration, and identity management. As cloud business models and security tactics evolve, there is an even greater need to address security issues that are situated higher up the technology stack and are the result of senior management decisions.”
Weighing the Risks of Open APIs
Organizations are adopting APIs for the end goals of agility and connectivity. But these benefits don’t come without risks. Like SaaS misconfigurations, which occur because of a lack of visibility and too many departments holding privileged access, APIs and microservices are vulnerable to misconfiguration, inappropriate authorization, and poor coding practices.
Moreover, as more organizations implement multiple SaaS products and customize them to serve their requirements, the pace of adoption makes it harder for developers to regularly monitor, manage, and secure their overall API portfolio. Oversights can leave interfaces open to attack. Some of the most common conditions that lead to compromised interfaces include unauthenticated endpoints, disabled logging or monitoring, and disabled security controls. Unsecured APIs can lead to unintended exposure of sensitive data or to data breaches that let attackers exfiltrate, delete, or modify data.
With that said, Open APIs do provide uncontested business and user benefits that we can’t just throw out the window. They are crucial for integration and data sharing between apps and IT systems for efficient workflows and delivery of services. SaaS vendors who want to offer open APIs will, therefore, need to pour more resources into providing regular updates and ensuring the security of their interfaces. With so many versions, access points, and errors that need to be monitored, doing so effectively will not be possible using manual methods. This is where automation and other technologies come into play. Developers need to employ these advanced tools that can continuously monitor anomalous API communication as part of their SaaS security strategy.
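The two oversights the preceding paragraphs single out, endpoints that slip through without authentication or with logging switched off, and API traffic that nobody is watching for anomalies, can both be checked automatically. The following Python script is an added example, not code from the article or the CSA report: it audits a small, constructed OpenAPI-style inventory for unauthenticated operations and disabled logging or rate limiting, then runs a simple volume and authentication-failure check over constructed access-log lines. The inventory shape (the `x-logging` and `x-rate-limit` extensions), the log format, the public-endpoint allowlist and the thresholds are all assumptions made for the example.

```python
"""Audit an API inventory for unauthenticated endpoints and disabled controls,
then flag anomalous clients in access logs.
Added example; the spec extensions, log format and thresholds are assumptions."""
from collections import defaultdict

# Constructed inventory in an OpenAPI-like shape for a hypothetical service.
SPEC = {
    "security": [{"bearerAuth": []}],       # global default: auth required
    "x-logging": {"enabled": True},         # assumed extension: request logging
    "x-rate-limit": {"enabled": True},      # assumed extension: rate limiting
    "paths": {
        "/health": {"get": {"security": []}},            # intentionally public
        "/users": {"get": {}, "post": {}},               # inherits global auth
        "/admin/export": {"get": {"security": []}},      # opted out of auth
        "/internal/debug": {
            "post": {"security": [], "x-logging": {"enabled": False}}
        },
    },
}

PUBLIC_ALLOWLIST = {"/health"}  # endpoints reviewed and accepted as public


def audit_spec(spec):
    """Return (path, METHOD, issue) findings for the inventory."""
    findings = []
    global_sec = spec.get("security", [])
    global_logging = spec.get("x-logging", {})
    if not global_logging.get("enabled", False):
        findings.append(("*", "*", "logging disabled globally"))
    if not spec.get("x-rate-limit", {}).get("enabled", False):
        findings.append(("*", "*", "rate limiting disabled globally"))
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            # A per-operation "security": [] overrides the global requirement.
            sec = op.get("security", global_sec)
            if not sec and path not in PUBLIC_ALLOWLIST:
                findings.append((path, method.upper(), "unauthenticated endpoint"))
            if not op.get("x-logging", global_logging).get("enabled", False):
                findings.append((path, method.upper(), "logging disabled"))
    return findings


# Constructed access-log lines: "client_ip method path status".
LOG_LINES = """\
10.0.0.5 GET /users 200
10.0.0.5 GET /users 200
203.0.113.9 GET /admin/export 401
203.0.113.9 GET /admin/export 401
203.0.113.9 GET /admin/export 401
203.0.113.9 GET /admin/export 401
203.0.113.9 GET /admin/export 401
203.0.113.9 GET /admin/export 200
10.0.0.7 POST /users 201
""".splitlines()


def flag_anomalous_clients(lines, max_requests=5, max_auth_failure_ratio=0.5):
    """Map client IP -> reasons for clients that exceed simple thresholds."""
    counts = defaultdict(lambda: {"total": 0, "auth_fail": 0})
    for line in lines:
        ip, _method, _path, status = line.split()
        counts[ip]["total"] += 1
        if status in ("401", "403"):
            counts[ip]["auth_fail"] += 1
    flagged = {}
    for ip, c in counts.items():
        reasons = []
        if c["total"] > max_requests:
            reasons.append("high request volume")
        if c["auth_fail"] / c["total"] > max_auth_failure_ratio:
            reasons.append("high auth-failure ratio")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for path, method, issue in audit_spec(SPEC):
        print(f"{method:6} {path:18} {issue}")
    for ip, reasons in flag_anomalous_clients(LOG_LINES).items():
        print(f"{ip}: {', '.join(reasons)}")
```

The audit treats the global security requirement as the default and only reports an operation when it explicitly opts out and is not on the allowlist, which mirrors the deny-by-default posture a gateway should enforce; the log check is deliberately crude (per-client counts over one batch) and stands in for the continuous monitoring the text describes, where the same two signals would be computed over a sliding window.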