ExecOpinion: APIs as new vectors of vulnerabilities

by Allan Tan
October 11, 2022

An Application Programming Interface (API) is the connective tissue of the digital ecosystem: it allows software applications to interact with each other. It is as much a part of modern software technology as microservices architectures.

The popularity of API use, however, has also spawned misuse and in some cases a failure to follow best practices. This has led to APIs becoming a new vulnerability vector.

Source: VMware 2022

According to the VMware Global Incident Response Threat Report 2022, 23% of respondents to the survey pointed to APIs as a new vector of attack. The top types of API attacks include data exposure (encountered by 42% of respondents in the past year), SQL and API injection attacks (37% and 34%, respectively), and distributed denial-of-service attacks (33%).

These findings suggest attackers are not only seeking to compromise API security as an end but are leveraging it to distribute additional, often destructive attacks, also known as progressive API attacks.

According to Rick McElroy, principal cybersecurity strategist at VMware, adversaries traditionally went after endpoints, servers and laptops, and tried to fool users into clicking on things, or even held them for ransom and stole their data.

“What we've seen over the last few years is a pivot towards the attackers going after APIs. Now, this is important because APIs underpin almost everything we do, from a technology perspective – from disaster recovery to datacentre orchestration to security instrumentation and automation as well.”

“It's all facilitated via APIs, hence the massive vulnerability,” he continued.

As an endpoint, does this not make APIs also a new vector to attack?

Rick McElroy: Absolutely. Much like other technology that is also under attack, we need to ensure that we have a good understanding of what APIs-based attacks look like.

To be on the path to improved security, organisations need to conduct regular API assessments and implement meticulous detection of API-based attacks which attempt to go after their infrastructure to carry out nefarious activities.

Lastly, organisations should be well equipped to be able to respond in real-time to such attacks.

Which API practices present the most acute areas of security risk? (BOLA, BFLA, excessive data exposure, etc.)

Rick McElroy: I think one of the areas that we see in the cybersecurity industry being continually exploited is just a lack of authentication or strong rotation of cryptographic keys over those APIs. So, we've implemented APIs, which is fantastic.

However, what that security underpins is the ability for one machine to make a call to another machine to get data back, or for some type of injection of data. Generally, the authentication around that isn't where it needs to be.

I think going through your code repositories, being able to scan them, and trying to understand the credentialing that occurs to make those debit API calls needs to be put in place.
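The two gaps McElroy names here are machine-to-machine calls that carry no real authentication and keys that are never rotated. The following is an added example written for this page, not code from the interview, from VMware or from any product: each request carries a key id, a timestamp and an HMAC over the request, and the server's key store holds more than one key at a time so a new key can be issued and the old one retired after an overlap window. The key ids, secrets and timestamps are constructed for the example.

```python
"""Request authentication for a machine-to-machine API with rotating HMAC keys.

Added illustration; the key store, secrets and timestamps are constructed.
"""
import hashlib
import hmac
import time

# Constructed key store: key id -> (secret, not_before, not_after) as Unix
# times. k1 and k2 overlap for ten minutes so clients can move to k2
# without a gap; after k1's not_after, requests signed with it are refused.
KEYS = {
    "k1": (b"constructed-old-secret", 1_700_000_000, 1_700_003_600),
    "k2": (b"constructed-new-secret", 1_700_003_000, 1_700_007_200),
}
MAX_SKEW = 300  # seconds a request timestamp may differ from server time


def canonical(method: str, path: str, body: bytes, ts: int) -> bytes:
    """The bytes the MAC covers: everything the server will act on."""
    return b"\n".join([method.encode(), path.encode(), str(ts).encode(),
                       hashlib.sha256(body).hexdigest().encode()])


def sign(kid: str, method: str, path: str, body: bytes, ts: int) -> str:
    """Client side: produce the signature header value for one request."""
    secret = KEYS[kid][0]
    return hmac.new(secret, canonical(method, path, body, ts), hashlib.sha256).hexdigest()


def verify(kid, method, path, body, ts, sig, now=None):
    """Server side: accept only a fresh request under a currently valid key.

    Returns (accepted, reason) so callers can log why a request was refused.
    """
    now = int(time.time()) if now is None else now
    entry = KEYS.get(kid)
    if entry is None:
        return False, "unknown key id"
    secret, not_before, not_after = entry
    # A retired key is refused even if the signature would otherwise verify.
    if not (not_before <= now < not_after):
        return False, "key outside validity window"
    # Bounding the timestamp limits replay of a captured signed request.
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside allowed skew"
    expected = hmac.new(secret, canonical(method, path, body, ts), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    t = 1_700_003_100  # inside the k1/k2 overlap window
    s = sign("k2", "GET", "/v1/accounts/42", b"", t)
    print(verify("k2", "GET", "/v1/accounts/42", b"", t, s, now=t))
    s1 = sign("k1", "GET", "/v1/accounts/42", b"", t)
    print(verify("k1", "GET", "/v1/accounts/42", b"", t, s1, now=1_700_005_000))
```

Rotation here is a data change, not a code change: adding a new key id with its own validity window and letting the old one expire is the whole procedure, and the `reason` string gives the gateway something concrete to log when callers are still using a retired key.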

How then can enterprises enhance their approach to API use while containing any potential threat that may come because of the use of API?

Rick McElroy: Just like any other area of technology, they need to consider that it's a program that needs to be managed. And that should start with the assessment phase, getting visibility into the types of API calls that are deployed to gain visibility into the custom code that security or developer teams have developed, which have APIs already enabled.

I’ve come across a lot of cases wherein teams that are doing these API assessments have the code repositories scanned, and they have five versions of the same API, but only one is in use. So, it's crucial to fill out that attack surface a little bit, as well as the assessment processes.

Given that one of the rationales for using API is to enable faster time-to-market without altering core legacy systems, name three API security strategies that would improve API performance.

Rick McElroy: The first and foremost strategy I would suggest is for organisations to implement an API gateway which will allow you to authenticate traffic and provide other necessary functions such as monitoring, analytics, and alerts on how your APIs are being used. 

Secondarily, I would say you absolutely need a network component to look at specific behaviours on the network and what the adversaries are doing to attack these APIs.

And finally, I think some of the more forward-thinking technologies that are out there and the strategies around securing APIs are really doing attack simulations against them today, to move towards a place where they can be future-proofed.

I do like that model of continually assessing and doing adversary emulation against the APIs as well.
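The monitoring and alerting that McElroy expects from a gateway, and the network-level view of "what the adversaries are doing to attack these APIs", come down to running detection logic over the request log. The following is an added example written for this page, not VMware's or any product's code: it parses a constructed gateway access log and raises alerts for the three attack types the report above lists, object-id enumeration that points at data exposure (BOLA-style probing), injection-like query strings, and a per-client request burst. The log format, thresholds and IP addresses are assumptions made for the example.

```python
"""Detection over API gateway access logs (added illustration).

Log format is constructed for the example: "<unix_ts> <client> <method> <url> <status>".
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed log: one normal client (10.0.0.3), one walking user ids and
# getting a mix of 200/403 (10.0.0.5), one sending an injection-style query
# (10.0.0.9), and one hammering the login endpoint (10.0.0.7, built below).
LOG_TEXT = """\
1700000000 10.0.0.3 GET /v1/users/42 200
1700000030 10.0.0.3 GET /v1/orders/7 200
1700000010 10.0.0.5 GET /v1/users/1001 200
1700000011 10.0.0.5 GET /v1/users/1002 403
1700000012 10.0.0.5 GET /v1/users/1003 403
1700000013 10.0.0.5 GET /v1/users/1004 200
1700000014 10.0.0.5 GET /v1/users/1005 403
1700000015 10.0.0.5 GET /v1/users/1006 403
1700000020 10.0.0.9 GET /v1/search?q=%27%20OR%201%3D1-- 200
""" + "\n".join(f"{1700000040 + i} 10.0.0.7 POST /v1/login 401" for i in range(12))

LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")
OBJECT_PATH = re.compile(r"^(/v1/[a-z]+)/(\d+)$")  # collection + numeric object id
INJECTION = re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\b)")


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        parts = urlsplit(url)
        events.append({"ts": int(ts), "client": client, "method": method,
                       "path": parts.path, "query": unquote(parts.query),
                       "status": int(status)})
    return events


def detect(events, enum_threshold=5, rate_threshold=10, window=10):
    """Return a list of (kind, client, detail) alerts.

    enum_threshold: distinct object ids one client touched in one collection
    rate_threshold: requests from one client within `window` seconds
    """
    alerts = []
    objects = defaultdict(lambda: defaultdict(set))  # client -> collection -> ids
    denied = defaultdict(int)                         # client -> 401/403 count
    times = defaultdict(list)                         # client -> timestamps
    for e in events:
        if INJECTION.search(e["query"]):
            alerts.append(("injection", e["client"], e["path"] + "?" + e["query"]))
        m = OBJECT_PATH.match(e["path"])
        if m:
            objects[e["client"]][m.group(1)].add(m.group(2))
        if e["status"] in (401, 403):
            denied[e["client"]] += 1
        times[e["client"]].append(e["ts"])
    # Enumeration: many distinct ids in one collection plus at least one
    # authorization failure, the signature of a client probing ids it does
    # not own. A legitimately authorized client rarely trips the 403s.
    for client, colls in objects.items():
        for coll, ids in colls.items():
            if len(ids) >= enum_threshold and denied[client] > 0:
                alerts.append(("object-enumeration", client, f"{coll}: {len(ids)} ids"))
    # Burst: sliding window over each client's sorted timestamps.
    for client, ts_list in times.items():
        ts_list.sort()
        j = 0
        for i, t in enumerate(ts_list):
            while ts_list[j] <= t - window:
                j += 1
            if i - j + 1 >= rate_threshold:
                alerts.append(("request-rate", client, f"{i - j + 1} requests in {window}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG_TEXT)):
        print(alert)
```

The enumeration rule deliberately requires both breadth (many ids) and at least one denial, which keeps a paginating front end that legitimately reads many objects out of the alert stream; the thresholds are starting points to tune against a real gateway's baseline.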

Briefly, the other threat vector is containers. What can and should be done to curtail threats arising from the use of containers?

Rick McElroy: I think there are a few misnomers that we see a lot when it comes to the security of containers such as legacy architecture servers that have been living for 10 years inside of a data centre.

I assure you that the adversaries have barely adapted to what we're doing with containers. Typically, we've seen them develop several custom remote access tools for the Linux platforms that enable content and allow organisations to be able to update, patch and understand the behaviours of those containers so that you can better prevent, detect, and respond to the challenges presented using containers.

In summary, what is your recommendation for CISOs/CIOs in their digital journey?

Rick McElroy: Well, number one, I would say this is where all security strategies should meet. I think it's incorrect, and will probably yield little security fruit, to have a CIO dare make decisions that are disjoint from what security can do.

But I think if we start to consider shared models and shared culture among teams and bring them together, security strategies can be delivered and help do things like heal itself when you must patch it, to be able to provide better detections, among many other things.

It really takes a combined effort to create collaborative cultures among the two groups. And for me, it really starts at the top, so, I think the CIO and CISOs should have a shared strategic plan and vision.

Tags: API security, Application Programming Interfaces, ExecOpinion, VMware

Allan Tan

Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events. Previous Roles He served as Group Editor-in-Chief for Questex Asia concurrent to the Regional Content and Strategy Director role. He was the Director of Technology Practice at Hill+Knowlton in Hong Kong and Director of Client Services at EBA Communications. He also served as Marketing Director for Asia at Hitachi Data Systems and served as Country Sales Manager for HDS’ Philippines. Other sales roles include Encore Computer and First International Computer. He was a Senior Industry Analyst at Dataquest (Gartner Group) covering IT Professional Services for Asia-Pacific. He moved to Hong Kong as a Network Specialist and later MIS Manager at Imagineering/Tech Pacific. He holds a Bachelor of Science in Electronics and Communications Engineering degree and is a certified PICK programmer.

Copyright © 2022 Cxociety Pte Ltd | Designed by Pixl