As application architectures become more cloud-native and microservice-based, Application Programming Interfaces (APIs) have become the primary communication channels between services, and therefore critical to securing your apps. At the same time, the added complexity makes it harder to know what is going on within the application environment and between those apps (which are likely to be interconnected through APIs) — a broader attack surface with decreasing visibility. Both developers and security professionals need unprecedented API visibility and protection intelligence to secure apps and their APIs against increasingly sophisticated threats and vulnerabilities. EC-Council and CISO MAG recently hosted a virtual panel discussion titled “API Security Outlook – A guide to API Security in a Digitally Transformed World” with a panel of experts comprising Inon Shkedy, Head of Security Research, Traceable; Nikesh Dubey, CISO – Infosec & GRC, AGC Networks; and Nicole Darden Ford, VP & CISO, Carrier.
Inon Shkedy opened the discussion with his observations on the need for API security adoption. He argued that APIs are the basic building blocks of modern applications and that their security must be clearly understood. API breaches are making the headlines every day. Since APIs allow businesses to put data to use, multi-billion-dollar companies become tantalizing targets. What many people fail to understand is that APIs are one of the favorite entry points for cybercriminals, since they appear attractive and lucrative to threat actors.
Shkedy has over eight years of experience in application security. He currently provides security consultation to Silicon Valley startups and leads the research for Traceable AI in the field of API security.
Shkedy said, “The main problem is that APIs are exposed to other attack vectors. What organizations need to focus on is proper asset management and better visibility of APIs and endpoints.”
Nikesh Dubey concurred and added, “We need to understand what APIs are. APIs have now become a lethal threat landscape. In fact, several major recent cyberattacks can be linked to API breaches. These include the Panera cyberattack, where nearly 37 million user accounts were compromised. Even during the SolarWinds attack, there is a theory that attributes the breach to the API breach of VMware Workspace.”
A strong advocate of Security and GRC principles, Dubey serves as the CISO for AGC Networks (USA) and leads AGC’s Security Advisory practice in North America.
Nicole Darden Ford explained the complications of managing APIs. According to her, “Managing APIs has become complicated. Often APIs are made like a one-way road only for one specific purpose, but if something goes wrong, it becomes useless. For organizations, it is important to understand all the APIs and technology around API gateways. Organizations have been investing in APIs and I think it is high time they start investing in API security as well.”
Ford is an IT strategic leader with 20+ years of success spanning the federal government and corporate venues. In her current role as Vice President and Chief Information Security Officer for Carrier, Ford oversees global Information Security and Product (IoT) Cybersecurity.
The panelists concluded the discussion by stating the need to establish best practices, adopt a layered security approach for APIs, and improve API management. Shkedy stressed standardization of API security, zero-trust architecture, and the necessity of cyber hygiene. Dubey emphasized keeping track of third parties and building robust vendor relationships, while Ford called attention to performing better due diligence and audits.
About CISO MAG
CISO MAG – a thought-leadership publication from EC-Council – provides vital stories, trends, interviews, and news from around the security world to help security leaders stay informed. The magazine includes comprehensive analysis, cutting-edge features, and contributions from thought leaders.
EC-Council, officially incorporated as the International Council of E-Commerce Consultants, was formed to create information security training and certification programs to help the very community our connected economy relies on to protect it from a devastating cyberattack. EC-Council rapidly gained the support of top researchers and subject matter experts around the world and launched its first information security program, the Certified Ethical Hacker. With this ever-growing team of subject matter experts and InfoSec researchers, EC-Council continued to build various standards, certifications, and training programs in the electronic commerce and information security space, becoming the largest cybersecurity certification body in the world. Learn more at https://www.eccouncil.org.